[HTTPS-Everywhere] HTTPS Everywhere 3.3 is released

Micah Lee micah at eff.org
Sat Jul 27 11:39:38 PDT 2013


Hey everyone, we did a major release last night.

Firefox 23 comes out on August 6 and it comes with a Mixed Content
Blocker (MCB) turned on by default. On websites that have https:// in
the URL, FF will automatically block active http:// resources, such as
js and css files.

This meant that if we didn't fix things quickly, large parts of the web
would look broken for our users.

We decided to automate testing all of the stable rulesets to figure out
which ones trigger the MCB in FF23 [1], and mark those as
platform="mixedcontent", and also make FF23+ disable mixed content rules
by default [2].

If you're using HTTPS Everywhere 3.3 pre-Firefox 23:
2664 rules are on by default
371 rules are off by default

If you're using HTTPS Everywhere 3.3 post-Firefox 23:
1910 rules are on by default
1125 rules are off by default

So we've had to disable roughly 28% of our rules because they caused
mixed content problems and won't work correctly post-FF23.

It's important to keep in mind that HTTPS websites with mixed content
are not secure against active attackers, which means that the 754 rules
that will be disabled by default didn't offer the most protection anyway.

It's possible that some rules marked as mixed content are false
positives, and turning them on will work fine. If you notice any of
these, please submit a bug at
https://trac.torproject.org/projects/tor/report/19 or post to the
https-everywhere-rules at eff.org list.

In order to make it so we can disable mixed content rules by default we
had to completely change how rule preferences are saved [3]. Previously
if you wanted to change a rule to be default_off or change the platform
on it to change its default state, you had to rename the rule, which is
why we have so many rules with "(mixed content)", "(default off)",
or "(buggy)" in the name.

Now all you have to do is change the ruleset and not rename it, and it
will be changed by default. Maybe we should rename all of those rules back?

Unfortunately, in order to do this we had to reset everyone's rule
preferences to the default choice. Going forward though we shouldn't
ever have to do that again.

Also, the current release is 3.3.1. Right after doing the 3.3 release I
realized that the Wikimedia rule was marked platform="mixedcontent" and
was a false positive. Since Wikipedia is one of the biggest websites on
the Internet and HTTPS Everywhere users benefit from that rule more than
many others, I made a quick 3.3.1 release that turns it back on by default.

[1] https://trac.torproject.org/projects/tor/ticket/9196
[2] https://trac.torproject.org/projects/tor/ticket/8774
[3] https://trac.torproject.org/projects/tor/ticket/8776

-- 
Micah Lee
Staff Technologist
Electronic Frontier Foundation
https://eff.org/join
@micahflee
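
Added example, not part of the original message and not HTTPS Everywhere's own code: a sketch of the default-state decision described above, where a ruleset marked platform="mixedcontent" is on by default before Firefox 23 and off from Firefox 23 onward, and a saved preference keyed by the ruleset name overrides the default. The sample rulesets, the `rulesetlibrary` wrapper, the function names and the preference dictionary are constructed for illustration; other platform values are ignored here.

```python
import xml.etree.ElementTree as ET

MCB_FIRST_VERSION = 23  # Firefox 23 turns the Mixed Content Blocker on by default

# Constructed sample rulesets (placeholder hosts, not real project rules).
SAMPLE_RULESETS = r"""
<rulesetlibrary>
  <ruleset name="Example Clean">
    <target host="clean.example" />
    <rule from="^http://clean\.example/" to="https://clean.example/" />
  </ruleset>
  <ruleset name="Example Mixed" platform="mixedcontent">
    <target host="mixed.example" />
    <rule from="^http://mixed\.example/" to="https://mixed.example/" />
  </ruleset>
  <ruleset name="Example Broken" default_off="breaks login">
    <target host="broken.example" />
    <rule from="^http://broken\.example/" to="https://broken.example/" />
  </ruleset>
</rulesetlibrary>
"""

def default_enabled(ruleset, firefox_major):
    """Return (enabled, reason) for one <ruleset> element, before user prefs."""
    off_reason = ruleset.get("default_off")
    if off_reason is not None:
        return False, "default_off: " + off_reason
    platforms = ruleset.get("platform", "").split()
    if "mixedcontent" in platforms and firefox_major >= MCB_FIRST_VERSION:
        return False, "mixed content rule on Firefox %d" % firefox_major
    return True, "default"

def resolve_states(xml_text, firefox_major, user_prefs=None):
    """Map ruleset name -> enabled. A preference stored under the ruleset's
    name wins over the default, so no rename is needed to change a default."""
    user_prefs = user_prefs or {}
    states = {}
    for ruleset in ET.fromstring(xml_text.strip()).iter("ruleset"):
        enabled, _reason = default_enabled(ruleset, firefox_major)
        states[ruleset.get("name")] = user_prefs.get(ruleset.get("name"), enabled)
    return states

def summarize(states):
    """Return (on_by_default, off_by_default) counts."""
    on = sum(1 for enabled in states.values() if enabled)
    return on, len(states) - on

if __name__ == "__main__":
    for version in (22, 23):
        print(version, summarize(resolve_states(SAMPLE_RULESETS, version)))
```
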
