[HTTPS-Everywhere] Blekko search engine rewriting search results to point to HTTPS URLs

Greg Lindahl greg at blekko.com
Sat Apr 21 01:09:01 PDT 2012


On Sat, Apr 21, 2012 at 12:48:44AM -0700, Dan Kaminsky wrote:
> On Fri, Apr 20, 2012 at 3:23 PM, Peter Eckersley <pde at eff.org> wrote:
> > We do not have this dataset, but I was at a hackathon last weekend where Dan
> > Kaminsky showed a nifty hack that Blekko /might/ be able to use to collect
> > this data itself under certain circumstances.  If you embed a simple image
> > (such as a favicon, maybe with a query parameter to prevent caching) from a
> > site, you can use CSS introspection to see if each copy loaded.  Do this for
> > http and https in parallel, and you'll spot differential blocking.
> >
> 
> It's not CSS introspection; you basically create a new image with onload
> and onerror handlers, then set the src to favicon.ico.  See
> censorsweeper.com.

Thanks for the pointer. We had a chat over here and we're happy to do
it, if we can make it safe -- I'd hate for a user trying to securely
search for and click on a considered-naughty-by-the-government
Wikipedia page to reveal anything to said government.

Dan, I'm sad that blekko.com isn't on censorsweeper's list!

> Referer is blocked to HTTPS, at least.

A while ago I was sad to learn that https->https passes referer. We
have not yet implemented referer blocking in blekko: we know we have
to, and there are a couple of good implementation examples out there.

-- greg
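
The probe described in the quoted reply (a new image with onload and onerror handlers, src set to favicon.ico, fetched over http and https in parallel), as an added example that is not part of the original message and not censorsweeper.com's code. The function names, the `nocache` query parameter, the timeout and the `no-referrer` policy are assumptions made for illustration, and it assumes the browser permits plain-http image loads from the embedding page.

```javascript
// Added example: load one host's favicon over a given scheme and report
// which event fired first. makeImage is injectable so the logic can be
// exercised outside a browser; in a page it defaults to the DOM Image.
function probe(scheme, host, makeImage, timeoutMs) {
  return new Promise((resolve) => {
    const img = makeImage();
    let done = false;
    const finish = (outcome) => {
      if (done) return;                 // first of load / error / timeout wins
      done = true;
      clearTimeout(timer);
      img.onload = img.onerror = null;
      resolve(outcome);
    };
    const timer = setTimeout(() => finish('timeout'), timeoutMs);
    img.onload = () => finish('loaded');
    img.onerror = () => finish('error');
    img.referrerPolicy = 'no-referrer'; // do not tell the probed site which page asked
    // Cache-busting parameter so a cached copy cannot mask a failed fetch.
    img.src = `${scheme}://${host}/favicon.ico?nocache=${Date.now()}-${Math.random()}`;
  });
}

// An 'error' or 'timeout' only says the image did not load; a site with no
// favicon or no HTTPS listener looks the same as a blocked one.
function classify(http, https) {
  if (http === 'loaded' && https === 'loaded') return 'both-reachable';
  if (http === 'loaded') return 'https-only-failure';
  if (https === 'loaded') return 'http-only-failure';
  return 'unreachable-or-no-favicon';
}

// Run both probes in parallel and compare the outcomes.
async function compareSchemes(host, opts = {}) {
  const makeImage = opts.makeImage || (() => new Image());
  const timeoutMs = opts.timeoutMs || 5000;
  const [http, https] = await Promise.all([
    probe('http', host, makeImage, timeoutMs),
    probe('https', host, makeImage, timeoutMs),
  ]);
  return { host, http, https, verdict: classify(http, https) };
}
```

The probe requests themselves are visible on the network, which is the safety concern raised in the message above; the `no-referrer` policy only keeps the originating page out of the request headers.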






