Ticket #574 (closed maintenance: duplicate)
EFF: How HTTPS Everywhere affects transitionnetwork.org
Reported by: | chris | Owned by: | chris |
---|---|---|---|
Priority: | major | Milestone: | Maintenance |
Component: | Live server | Keywords: | |
Cc: | ed, jim | Estimated Number of Hours: | 0.0 |
Add Hours to Ticket: | 0 | Billable?: | yes |
Total Hours: | 0 |
Description
The following email was sent via the whois contact details for the transitionnetwork.org domain name, see also ticket:571 -- the changes made on ticket:571 has broken the site for anon Firefox users with the EFF HTTPS Everywhere browser extension installed.
Hi,
You're receiving this note because transitionnetwork.org is part of our HTTPS
Everywhere browser extension, and an upcoming change to the way
Firefox handles HTTPS pages may cause your site to display or function
incorrectly. We want to make sure that the nearly 3 million HTTPS
Everywhere users have the best possible experience while browsing, so
we're asking you to please take a minute and test how your site
behaves in Firefox 23. You can find out more about our software at
https://www.eff.org/https-everywhere
To see the rules affecting your site, you can visit the HTTPS Everywhere
Atlas at
https://www.eff.org/https-everywhere/atlas/domains/transitionnetwork.org.html
The Atlas shows both rules in the development and stable versions of
our extension. Rules in the stable version are used by millions of
users, while development rules are used by tens of thousands of users.
Development rules are now being tested but will be migrated to the stable
version in the future.
An upcoming change (described below) in how the Firefox browser renders
HTTPS content makes it especially important that you check that your site
is prepared for HTTPS access. We urge you review the rules affecting
your site and also to test it using HTTPS Everywhere with the upcoming
version of Firefox.
*NEW FIREFOX CONTENT SECURITY POLICY*: In the upcoming Firefox 23 browser
release, due out the week of August 6, Firefox will stop loading certain
"active" content such as scripts and stylesheets from insecure http://
URLs if they've been included from a secure https:// site. If the HTTPS
Everywhere rules send users to the secure version of your site but the
secure version includes some content loaded over an insecure connetion,
the rendering of your site may become broken for Firefox users with HTTPS
Everywhere installed after they upgrade to Firefox 23. You can check
this by downloading a preview release of Firefox 23, installing HTTPS
Everywhere, and visiting your site. We urge all web site operators
to protect their users by making sure that all site content is always
loaded over a secure connection. A preview version of Firefox 23 is
available now at https://www.mozilla.org/en-US/firefox/beta/ and the
HTTPS Everywhere extension is at https://www.eff.org/https-everywhere
HTTPS Everywhere rules instruct browsers to access certain specified
resources securely -- over HTTPS -- even if the user typed or followed
a non-HTTPS link or even if the resources were included in a page
via a non-HTTPS URL. For example, it might automatically rewrite
http://www.transitionnetwork.org/
to
https://www.transitionnetwork.org/
or make some similar change.
The goal of this rewriting is to protect as much as possible of every web
site against sniffing and tampering by ensuring that as many site resources
as possible are loaded over a secure HTTPS connection.
When web sites are accessed insecurely, users are vulnerable to attacks by
other users on their networks. HTTPS Everywhere aims to activate sites'
existing HTTPS protection more consistently to make sure users are as
well-protected from these attacks as possible -- including attacks like
sidejacking and SSL stripping.
http://www.firesheep.org/
http://www.thoughtcrime.org/sslstrip
As a result, we think there's an emerging consensus to make all web sites
secure, not just financial sites and login pages. Providing a secure
connection helps protect users' login credentials, but also helps protect
their privacy and security even when accessing public resources, for
example by preventing network operators from injecting malware downloads.
The goal of HTTPS Everywhere is to make the web more secure and help
users express their preference to use the secure version of every site
automatically, even on sites where this is not the default. We don't want
to break sites or harm users' experience. So, we encourage webmasters to
test the effect of HTTPS Everywhere on their sites and fix any problems
that result -- ideally, by making sure that all resources that make up
a site are available over HTTPS, using a current, valid certificate.
Although we only include rules that we've been told and believe work
properly, we can't always anticipate whether a rule adversely affects a
site, especially if the site's URL structure, use of CDNs, or level of
HTTPS support changes over time.
We are always happy to receive bug reports, updates, and fixes to HTTPS
Everywhere rules. We will also make rules inactive by default if a
site operator asks us to. Although we are working for a web where
all sites are secure, we are not trying to use this software to force
sites to use HTTPS against their operators' wishes. You can send any
corrections, updates, or requests to https-everywhere-rules@…
(which is a public and publicly-archived mailing list), or by replying
to this e-mail address.
Thanks for your attention!
Seth Schoen, Senior Staff Technologist, Electronic Frontier Foundation
for the HTTPS Everywhere development team
Change History
comment:2 Changed 3 years ago by jim
- Priority changed from blocker to major
- Status changed from new to closed
- Resolution set to duplicate
How on earth is this a blocker?!? Downgrading to something less dramatic.
That aside, this is essentially a dupe of #571 where the issue stems from.
Closing as dupe, lets carry on over there.
Jim this needs your attention too please