[HTTPS-Everywhere] Working version of HTTPS Everywhere for Internet Explorer

Julien Sobrier JSobrier at zscaler.com
Sun Dec 2 20:23:07 PST 2012


Hello,
I can send the source code for an internal code review. I need to spend more time to make it available, and compilable, to a larger audience.

You will need Visual Studio Professional 2010 to compile the project. I will send you an archive this week.

Julien Sobrier

-----Original Message-----
From: pde at eff.org [mailto:pde at eff.org] 
Sent: Sunday, December 02, 2012 4:29 PM
To: Julien Sobrier
Cc: https-everywhere at EFF.org; gauravkale at vista.aero
Subject: Re: Working version of HTTPS Everywhere for Internet Explorer

Hi Julien,

Can you send the source code around for people to look at?  Plus build instructions, if it won't be obvious how to build it?

On Sun, Dec 02, 2012 at 12:03:53PM -0800, Julien Sobrier wrote:
> Hello,
> I'd like to start releasing HTTPS Everywhere to the public to start getting feedback.
> 
> Here is what is in HTTPS Everywhere 0.0.0.1 for IE:
> * transform HTTP urls to HTTPS according to rules
> * secure cookies according to rules
> * works on Windows XP SP3 to Windows 8, Internet Explorer 6 to 10
> 
> What is not included yet:
> * support for STS
> * UI to manage rules
> * UI to know which rules are triggering on the page
> * latest 3.0 rules (next version)
> * a way to download the latest rules automatically (next version)
> * a way to use custom rules (next version)
> 
> 
> There are some additional limitations that do not exist in Firefox:
> * there may be warnings for mixed HTTP/HTTPS. The extension does modify the HTML source to avoid this, but IE checks the page earlier than we can modify it in some cases.
> * rules have not been tested extensively for Internet Explorer, 
> additions and modifications to the rules might be needed
> 
> Some of the behaviors of the extension are not obvious, I'm working on documenting them. For example, I noticed that Internet Explorer will not follow the redirection from HTTP to HTTPS for some tags (image, script). In that case, we let Internet Explorer believe it is accessing the HTTP url while it is actually going to HTTPS. Similarly, when IE shows a warning "Only secure content is displayed" and the user clicks on "Show all content", all URLs that need to be changed to HTTPS are still changed (although IE is not aware of it). I understand it may sound confusing, but the takeaway is that the rules are always enforced, regardless of what IE displays. This will be fully explained in the documentation I'm working on.
> 
> Let me know if you would like to try the extension first. It comes as a 1MB installer.
> 
> Thank you
> Julien Sobrier
> 
> -----Original Message-----
> From: pde at eff.org [mailto:pde at eff.org]
> Sent: Monday, October 01, 2012 5:22 PM
> To: Julien Sobrier
> Subject: Re: Working version of HTTPS Everywhere for Internet Explorer
> 
> Merged.
> 
> In most cases from now on I will notice stuff that you push to that repository without you needing to email about them.  But if it doesn't seem to have been merged, either IRC or emailing the list is a good way to prod me or other committers.
> 
> On Thu, Sep 27, 2012 at 01:35:16PM -0700, Julien Sobrier wrote:
> > Hello,
> > I have a few projects on GitHub, but I'm not yet familiar with Git.
> > 
> > I did a first commit:
> > https://github.com/juliensobrier/https-everywhere-rules/commit/2fc1bda80c264ca6772948e2626e69f54e7ee30a
> > Should I send them on IRC, or by e-mail?
> > 
> > On 9/27/2012 11:13 AM, Peter Eckersley wrote:
> > > On Wed, Sep 26, 2012 at 08:43:45PM -0700, Julien Sobrier wrote:
> > >> Hello,
> > >>  I have a working version of HTTPS Everywhere for Internet Explorer:
> > >> * HTTP/HTTPS transactions are modified, and redirected according 
> > >> to the rules
> > >> * HTTPS cookies are secured according to the rules
> > >>
> > >> I'm testing all the existing rules one by one to make sure the 
> > >> extension works fine, and if any change is needed. I'm finding 
> > >> rules that need to be updated. For example, the rule for 
> > >> 1and1.com does not work very well on Firefox and Internet Explorer. The following exclusion would be needed:
> > >> <exclusion pattern="^https://www\.1and1\.com/(xml/|\?__)"/>
> > >>
> > >> Where should I send suggestions for changes to the existing rules?
> > > Hi Julien,
> > >
> > > By far the best way to do this is by making the changes in git, 
> > > pushing them to a personal git remote (you can get a free one at 
> > > github), and asking us to merge them.
> > >
> > > There are some tips on how to do that here:
> > >
> > > https://www.eff.org/https-everywhere/development
> > >
> > > Since you're on Windows and git has *nix origins, you might want 
> > > to consult resources like this too:
> > >
> > > http://windows.github.com/help.html
> > >
> > > The IRC channel is a great place to ask questions if you need git 
> > > help, just make sure to stay in the channel so you get the answer 
> > > if it comes hours/days later.  If that is too tricky, you could email Seth and me.
> > >
> > 
> 
> -- 
> Peter Eckersley                            pde at eff.org
> Technology Projects Director      Tel  +1 415 436 9333 x131
> Electronic Frontier Foundation    Fax  +1 415 436 9993

-- 
Peter Eckersley                            pde at eff.org
Technology Projects Director      Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993
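
The rule-driven URL rewriting and cookie securing discussed in this thread, as an added Python example that is not code from the thread or from the HTTPS Everywhere project: it loads a ruleset and applies its exclusion, rule and securecookie entries. Only the exclusion pattern comes from the thread; the targets, the rule, the securecookie entry and the `Ruleset` class are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed ruleset. Only the <exclusion> pattern comes from the thread;
# the targets, the rule and the securecookie entry are assumptions.
RULESET_XML = r"""
<ruleset name="1and1 (constructed)">
  <target host="1and1.com"/>
  <target host="www.1and1.com"/>
  <exclusion pattern="^https://www\.1and1\.com/(xml/|\?__)"/>
  <rule from="^https?://(?:www\.)?1and1\.com/" to="https://www.1and1.com/"/>
  <securecookie host="^www\.1and1\.com$" name=".+"/>
</ruleset>
"""

class Ruleset:  # hypothetical helper, not the extension's own class
    def __init__(self, xml_text):
        root = ET.fromstring(xml_text)
        self.targets = {t.get("host") for t in root.findall("target")}
        self.exclusions = [re.compile(e.get("pattern")) for e in root.findall("exclusion")]
        # Rulesets write back-references as $1; Python's re expects \g<1>.
        self.rules = [(re.compile(r.get("from")), re.sub(r"\$(\d)", r"\\g<\1>", r.get("to")))
                      for r in root.findall("rule")]
        self.cookies = [(re.compile(c.get("host")), re.compile(c.get("name")))
                        for c in root.findall("securecookie")]

    def rewrite(self, url):
        """Return the rewritten URL, or None when no rule is applied."""
        m = re.match(r"https?://([^/:?#]+)", url)
        if not m or m.group(1).lower() not in self.targets:
            return None  # exact-host targets only; wildcards are not handled
        if any(x.search(url) for x in self.exclusions):
            return None  # a matching exclusion disables every rule for this URL
        for pattern, to in self.rules:
            new_url, hits = pattern.subn(to, url, count=1)
            if hits:
                return new_url  # first matching rule wins
        return None

    def secure_cookie(self, host, set_cookie):
        """Add the Secure attribute when a securecookie entry matches."""
        name = set_cookie.split("=", 1)[0].strip()
        if re.search(r";\s*secure\s*(;|$)", set_cookie, re.I):
            return set_cookie  # already flagged
        if any(h.search(host) and n.search(name) for h, n in self.cookies):
            return set_cookie + "; Secure"
        return set_cookie

RULES = Ruleset(RULESET_XML)
```
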



