[HTTPS-Everywhere] Enabling and disabling all websites with CAcert certificates

Peter Eckersley pde at eff.org
Thu May 12 23:32:53 PDT 2011


On Thu, May 12, 2011 at 09:15:00PM -0700, Seth David Schoen wrote:
> 
> The HTTPS Everywhere distribution includes rules that are turned off
> (have no effect) because the sites that would be affected use
> CAcert (and so would produce errors for people using a default Firefox
> install + HTTPS Everywhere).  When people add the CAcert root to their
> CA list, they still don't get the benefit of these rules unless they
> manually turn each one on.  The proposal here is to make a more
> convenient way for people to do this.
> 
> A more complex thing we could do is create a way for a rule to
> declare a dependency on a CA and have a mechanism where rules are
> enabled (at the start of a browser session) if the CA (if any) on
> which they depend is installed in the browser and the rules have
> never been explicitly disabled by the user.  This might have more
> difficult conceptual and support consequences for the future of the
> extension, though.  (For instance, how do rewrite rules identify
> the CAs on which they depend?)

I think this is a good idea, provided there's a way to inspect the list of
root CAs from inside the extension's code.  

It could add a new entity to the ruleset XML format that names a SHA-1 of a
root certificate that needs to be trusted in order for the rule to be
considered active. 

I would take a patch that made all of this work transparently :) The other
option would be for people who are packaging HTTPS Everywhere for platforms
that ship with a CAcert root to enable all of those rulesets in their patches.
They should watch out for the stickiness of the default settings, of course.

-- 
Peter Eckersley                            pde at eff.org
Senior Staff Technologist         Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993
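
An illustration of the CA-dependency mechanism discussed in this thread, added here and not part of the original message or of HTTPS Everywhere's code. The `requires_root_sha1` attribute, every function name, and the stand-in "certificate" bytes are assumptions made for the sketch; how the extension would obtain the browser's trusted roots is left out.

```javascript
// Added sketch, not HTTPS Everywhere code. `requires_root_sha1` is a
// hypothetical attribute; the certificate bytes below are constructed.
const crypto = require("crypto");

// SHA-1 fingerprint of a DER-encoded certificate: uppercase hex, no colons.
function sha1Fingerprint(der) {
  return crypto.createHash("sha1").update(der).digest("hex").toUpperCase();
}

// Accept "AB:CD:..." or "abcd..." and reject anything that is not 160 bits.
function normalize(fp) {
  const hex = fp.replace(/[^0-9a-fA-F]/g, "").toUpperCase();
  return hex.length === 40 ? hex : null;
}

// Read name, default_off and the hypothetical dependency from a <ruleset> tag.
function parseRuleset(xml) {
  const tag = /<ruleset\b([^>]*)>/.exec(xml);
  if (!tag) throw new Error("no <ruleset> element");
  const attr = (n) => {
    const m = new RegExp(`\\b${n}="([^"]*)"`).exec(tag[1]);
    return m ? m[1] : null;
  };
  return { name: attr("name"), defaultOff: attr("default_off") !== null,
           requiresRoot: attr("requires_root_sha1") };
}

// userPrefs holds a name only when the user chose explicitly, so an explicit
// choice always wins over the CA check (the "never explicitly disabled" rule).
function isActive(rule, trustedRoots, userPrefs) {
  if (Object.prototype.hasOwnProperty.call(userPrefs, rule.name)) {
    return userPrefs[rule.name];
  }
  if (rule.requiresRoot !== null) {
    const need = normalize(rule.requiresRoot);
    return need !== null && trustedRoots.has(need); // malformed value: stay off
  }
  return !rule.defaultOff;
}

// Session-start pass: which rulesets are active for this set of trusted roots.
function activeRulesets(xmls, trustedDers, userPrefs) {
  const trusted = new Set(trustedDers.map(sha1Fingerprint));
  return xmls.map(parseRuleset)
    .filter((r) => isActive(r, trusted, userPrefs)).map((r) => r.name);
}

// Constructed demo input: stand-in bytes, not a real certificate.
const rootA = Buffer.from("constructed stand-in for a root certificate");
const demo = [`<ruleset name="Example" default_off="cert" requires_root_sha1="${sha1Fingerprint(rootA)}">`];
console.log(activeRulesets(demo, [rootA], {}), activeRulesets(demo, [], {}));
```

Because the decision is recomputed from the trust store each session and only explicit user choices are stored, removing the root turns the dependent rulesets back off without leaving a sticky "enabled" default behind.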


