[HTTPS-Everywhere] Enabling and disabling all websites with CAcert certificates
Peter Eckersley
pde at eff.org
Thu May 12 23:32:53 PDT 2011
On Thu, May 12, 2011 at 09:15:00PM -0700, Seth David Schoen wrote:
>
> The HTTPS Everywhere distribution includes rules that are turned off
> (have no effect) because the sites that would be affected use
> CACert (and so would produce errors for people using a default Firefox
> install + HTTPS Everywhere). When people add the CACert root to their
> CA list, they still don't get the benefit of these rules unless they
> manually turn each one on. The proposal here is to make a more
> convenient way for people to do this.
>
> A more complex thing we could do is create a way for a rule to
> declare a dependency on a CA and have a mechanism where rules are
> enabled (at the start of a browser session) if the CA (if any) on
> which they depend is installed in the browser and the rules have
> never been explicitly disabled by the user. This might have more
> difficult conceptual and support consequences for the future of the
> extension, though. (For instance, how do rewrite rules identify
> the CAs on which they depend?)
I think this is a good idea, provided there's a way to inspect the list of
root CAs from inside the extension's code.
It could add a new entity to the ruleset xml format that names a sha1 of a
root certificate that needs to be trusted in order for the rule to be
considered active.
I would take a patch that made all of this work transparently :) The other
option would be for people who are packaging HTTPS Everywhere for platforms
that ship with a CACert root to enable all of those rulesets in their patches.
They should watch out for the stickiness of the default settings, of course.
--
Peter Eckersley pde at eff.org
Senior Staff Technologist Tel +1 415 436 9333 x131
Electronic Frontier Foundation Fax +1 415 436 9993
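The mechanism sketched in this thread (a ruleset declares the SHA-1 of a root certificate it depends on; the ruleset is active only if that root is in the browser's trust store and the user has not explicitly disabled it) can be illustrated with a small model. The following is an added example, not code from HTTPS Everywhere or from the thread's authors. The `<requires_root sha1="..."/>` element is a hypothetical extension of the ruleset XML format, the "certificates" are constructed placeholder byte strings standing in for DER-encoded roots, and the URL rewriter matches target hosts exactly rather than with the wildcard patterns the real extension supports.

```python
import hashlib
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed stand-ins for root certificates. A real trust store would hold
# the DER bytes of each root; the SHA-1 over those bytes is the familiar
# "SHA-1 fingerprint" shown in certificate viewers.
CACERT_ROOT_DER = b"constructed placeholder: CAcert root certificate DER bytes"
OTHER_ROOT_DER = b"constructed placeholder: some other root certificate DER bytes"


def sha1_fingerprint(der_bytes: bytes) -> str:
    """Lower-case hex SHA-1 fingerprint of a DER-encoded certificate."""
    return hashlib.sha1(der_bytes).hexdigest()


CACERT_FP = sha1_fingerprint(CACERT_ROOT_DER)

# Constructed ruleset library. <requires_root> is the hypothetical dependency
# element proposed in the thread; it is not part of the real ruleset schema.
RULESETS_XML = f"""
<rulesetlibrary>
  <ruleset name="CAcert-using site">
    <requires_root sha1="{CACERT_FP}"/>
    <target host="example.org"/>
    <rule from="^http://" to="https://"/>
  </ruleset>
  <ruleset name="Ordinary site">
    <target host="example.com"/>
    <rule from="^http://" to="https://"/>
  </ruleset>
</rulesetlibrary>
"""


def installed_root_fingerprints(trust_store):
    """Fingerprints of every root currently installed in the (modelled) browser."""
    return {sha1_fingerprint(der) for der in trust_store}


def resolve_rulesets(xml_text, trust_store, user_disabled=frozenset()):
    """Decide, as at browser start, which rulesets are active.

    A ruleset is active when every root it requires is installed and the
    user has never explicitly disabled it. Rulesets without a requirement
    behave as today: always on unless the user turned them off.
    """
    installed = installed_root_fingerprints(trust_store)
    active = {}
    for rs in ET.fromstring(xml_text).iter("ruleset"):
        name = rs.get("name")
        if name in user_disabled:
            active[name] = False          # explicit user choice wins
            continue
        needed = [dep.get("sha1", "").lower() for dep in rs.findall("requires_root")]
        active[name] = all(fp in installed for fp in needed)
    return active


def rewrite_url(url, xml_text, trust_store, user_disabled=frozenset()):
    """Apply the first matching rule from an active ruleset, else return url unchanged."""
    active = resolve_rulesets(xml_text, trust_store, user_disabled)
    host = urlsplit(url).hostname
    for rs in ET.fromstring(xml_text).iter("ruleset"):
        if not active.get(rs.get("name")):
            continue
        if host not in {t.get("host") for t in rs.findall("target")}:
            continue
        for rule in rs.findall("rule"):
            rewritten = re.sub(rule.get("from"), rule.get("to"), url)
            if rewritten != url:
                return rewritten
    return url


if __name__ == "__main__":
    default_store = [OTHER_ROOT_DER]                  # stock browser: no CAcert root
    with_cacert = [OTHER_ROOT_DER, CACERT_ROOT_DER]   # user has added the CAcert root
    print(resolve_rulesets(RULESETS_XML, default_store))
    print(resolve_rulesets(RULESETS_XML, with_cacert))
    print(rewrite_url("http://example.org/", RULESETS_XML, default_store))
    print(rewrite_url("http://example.org/", RULESETS_XML, with_cacert))
```

With only the stock root present the CAcert-dependent ruleset stays off and `http://example.org/` is left alone, so a default install never gets a certificate error it cannot explain; once the CAcert root is added the same ruleset turns on at the next start without the user touching each rule. The `user_disabled` set captures the "never explicitly disabled" condition from the proposal, and it is also where the "stickiness of the default settings" caveat lives: a packager who flips rulesets on must make sure that state is not later mistaken for a user choice.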