[HTTPS-Everywhere] 2.0.3 stable and 3.0development.2 released

Peter Eckersley pde at eff.org
Fri Apr 27 13:58:49 PDT 2012


Two new HTTPS Everywhere releases went out this morning:

(stable)       https://www.eff.org/files/https-everywhere-2.0.3.xpi
(development)  https://www.eff.org/files/https-everywhere-3.0development.2.xpi

Their respective Changelogs are below:

2.0.3                                       (2012-04-26)

  * Fix a downgrade attack that might allow attackers to deny HTTPS
    Everywhere protection for cookies on some domains.
    https://trac.torproject.org/projects/tor/ticket/5676
  * Minor redirection mechanism fixes
  * Fixes: WordPress, Yandex, OpenDNS, Via.me/AWS
  * Improvements: Mozilla
  * Disable broken: ReadWriteWeb

3.0development.2                            (2012-04-27)
  * License change: the tree now includes some code from Convergence, which 
                    is GPL v3+.  Other code remains licensable as GPLv2+
  * Ship 696 new rulesets (!!!), thanks to a lot of amazing work by Negres
  * Fix a downgrade attack that might allow attackers to deny HTTPS
    Everywhere protection for cookies on some domains.
    https://trac.torproject.org/projects/tor/ticket/5676
  * Fix a weird wrong DOM-origin bug that occurred while redirects were in
    progress (this might have security implications, although we are unsure
    if it was exploitable).
    https://trac.torproject.org/projects/tor/ticket/5477
  * Ruleset fixes: Debian, Kohls, Malwarebytes, Yandex, Wikipedia, Mises.org,
                   OpenDNS, Wizards of the Coast, Lenovo, Barnes and Noble
    https://trac.torproject.org/projects/tor/ticket/5509
    https://trac.torproject.org/projects/tor/ticket/5491
    https://trac.torproject.org/projects/tor/ticket/5303
  * Stumble across more horrible security holes in the Verizon website:
    https://mail1.eff.org/pipermail/https-everywhere-rules/2012-February/001003.html
  * Disable the Gentoo ruleset on non-CAcert platforms
  * Disable buggy rulesets: IBM, Scribd, Wunderground, ReadWriteWeb :( :( :(
    https://trac.torproject.org/projects/tor/ticket/5344
    https://trac.torproject.org/projects/tor/ticket/5435
    https://trac.torproject.org/projects/tor/ticket/5630
  * Better cohabitation between the Decentralized SSL Observatory and
    Convergence
  * Separate Observatory option to control self-signed cert submission
  * Numerous other ruleset enhancements, fixes, and probably exciting new bugs
    in Negres's ruleset changes

-- 
Peter Eckersley                            pde at eff.org
Technology Projects Director      Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993



