[HTTPS-Everywhere] Clarifying the process for testing rulesets

mezzanine at Safe-mail.net
Thu Oct 11 00:42:34 PDT 2012


The page at https://www.eff.org/https-everywhere/rulesets talks about
how to create rulesets and also touches upon the step of testing a
ruleset. Even so, some aspects of how to test a ruleset are unclear.
For example, it may be the case where a specific domain or subdomain
appears to support HTTPS on more than one page, but with the question
as to whether each and every page under the domain supports HTTPS.
Should the tester try to visit and examine almost every page under the
site before submitting the ruleset? For that matter, how much testing
and evaluation is performed on a ruleset after it is submitted? Among
other things, is it the case that a new ruleset may be added to a
development release of HTTPS Everywhere before being added to a
release version? It is one's presumption that it is sufficient to test
a ruleset prior to submission by using it with the HTTPS Everywhere
extension and the Firefox browser, and that it is not necessary to use
the Google Chrome browser, even though the HTTPS Everywhere extension
is available in alpha form for the Chrome browser. Although it seems
sensible to subject a submitted ruleset to a certain amount of post-
submission testing (among other things, screening for potential
security issues), it would also seem advantageous for pre-submission
and post-submission testing of a ruleset to complement each other, and
to avoid (if possible) the situation where the two overlap excessively.

Ticket #2160 (https://trac.torproject.org/projects/tor/ticket/2160) on
the Tor Bug Tracker & Wiki talks about documenting the ruleset review
process for HTTPS Everywhere. The documentation that this ticket would
involve would be meant both for ruleset submitters and also
administrators/reviewers, according to the ticket description. The
rulesets for HTTPS Everywhere include coverage of sites that would
seem to be very large, such as sites for certain universities. Has
anyone had any experience or any comments regarding testing rulesets
prior to submitting them, particularly rulesets for large sites?

--Richard



