There’s nothing wrong with the first two points, as has been covered in the previous messages in this thread.
The third point is wrong, and it’s really important to understand why. People (especially uninformed people) usually seem to be focused on encryption – stopping attackers from reading the data. But it’s also important to stop attackers from changing the data. If your computer sends out a request for http://(www\.)?arlanda.se/, an attacker could send a response redirecting you to https://some.evil.website.impersonating.arlanda.se.evil.se/, and many people would think “It’s HTTPS; it must be safe” (sometimes it’s not so obvious that the address is dodgy). But if everything (both arlanda.se and swedavia.se) was covered by HTTPS Everywhere, your computer would never send out any HTTP requests, and you would be safe from this type of attack. This is covered in the HTTPS Everywhere FAQ under “Q. Why does HTTPS Everywhere include rules for sites like PayPal that already require HTTPS on all their pages?”.

Therefore, we should keep the EXISTING rules for arlanda.se AND add the NEW rule that you keep asking for.

--
Brian Drake

All content created by me:
Copyright<http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html>© 2014
Brian Drake. All rights reserved.

On Mon, Jan 13, 2014 at 0927 [WST (UTC+8)], Joakim Walldén <
[email protected]> wrote:

> Here is how I see it (without having any experience in creating rules).
>
> - The current rule (
> https://www.eff.org/https-everywhere/atlas/domains/arlanda.se.html)
> leads to a mismatch (see
> https://www.ssllabs.com/ssltest/analyze.html?d=arlanda.se) and must be
> removed or changed.
> - A new rule/ruleset for http://www.swedavia.se to
> https://www.swedavia.se is missing and therefore suggested.
> - I don’t see that a rule http://(www\.)?arlanda\.se/" to="
> https://www.swedavia.se/arlanda adds anything today, since the site
> performs the redirect from arlanda.se to swedavia.se/arlanda, and the
> suggested new rule(set) for swedavia.se performs the redirect from
> http to https. And as already mentioned, if in the future arlanda.se is
> used differently, the rule will have to be changed.
>
> But what’s important now is that the current problem is fixed.
>
> Thanks and regards,
> Joakim
>
>
> 2014/1/13 (UTC) Drake, Brian <[email protected]>
>
> In my first reply, I only addressed the first part of your first message,
>> about the rules already present in the Arlanda.se ruleset. You suggested
>> removing those rules. Instead, I suggested combining them into one rule and
>> modifying them to use the new domain.
>>
>> It’s true that they might change the way arlanda.se works, which would
>> create a problem with that rule. If the rules were not combined into one,
>> the same problem could arise. It’s no reason to remove the rule(s) either,
>> because the very nature of this software means that we face the same risk
>> with all rules.*
>>
>> In both your messages, you also suggested adding a new rule to redirect
>> http://www.swedavia.se to https://www.swedavia.se. That would have to be
>> in a separate rule, and perhaps it should even be in a separate ruleset
>> (that would allow either ruleset to be disabled by the user without
>> affecting the other one). I don’t have a problem with this suggestion, but
>> I can’t do anything about it either, so I didn’t mention it before.
>>
>> * I’m just stating my opinion, and as far as I know, it’s the basis on
>> which other rules are included in the software. Feel free to correct me if
>> I’m wrong.
>>
>> --
>> Brian Drake
>>
>> All content created by me:
>> Copyright<http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html>© 2014
>> Brian Drake. All rights reserved.
>>
>> On Mon, Jan 13, 2014 at 0742 [WST (UTC+8)], Joakim Walldén <
>> [email protected]> wrote:
>>
>>> The combined rule would lead to a problem if they stop using arlanda.se for
>>> redirecting to
>>> swedavia.se, which might happen. And a separate rule for
>>> http://www.swedavia.se to https://www.swedavia.se is still useful.
>>>
>>> Thanks and regards,
>>> Joakim
>>>
>>>
>>> 2014/1/13 (UTC) Drake, Brian <[email protected]>
>>>
>>> Why remove the rule? Why not just change it to redirect to
>>>> www.swedavia.se, like this:
>>>>
>>>> <rule from="^http://(www\.)?arlanda\.se/" to="https://www.swedavia.se/arlanda/" />
>>>>
>>>> (notice how I combined the two rules into one; this pattern is already
>>>> used in other rulesets)
>>>>
>>>> --
>>>> Brian Drake
>>>>
>>>> All content created by me:
>>>> Copyright<http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html>©
>>>> 2014 Brian Drake. All rights reserved.
>>>>
>>>> On Fri, Jan 10, 2014 at 1713 (UTC), Joakim Walldén <
>>>> [email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> The rule for arlanda.se <http://www.arlanda.se/> (
>>>>> https://www.eff.org/https-everywhere/atlas/domains/arlanda.se.html)
>>>>> should be removed, since the domain redirects to www.swedavia.se,
>>>>> causing an error.
>>>>>
>>>>> Instead, a rule for http://www.swedavia.se > https://www.swedavia.se can
>>>>> be added.
>>>>>
>>>>> Thanks and regards,
>>>>> Joakim
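
Added example, not part of the original thread and not HTTPS Everywhere's own code: a small model of the argument in the top message, listing which requests leave the browser in cleartext with only a swedavia.se rule versus with the arlanda.se rule kept as well. The arlanda.se rule is the one quoted in the thread; the swedavia.se regex, the redirect table and all function names are assumptions constructed for illustration.

```javascript
// arlanda.se rule as quoted in the thread; the swedavia.se regex is an assumption.
const ARLANDA_RULE = {
  from: /^http:\/\/(www\.)?arlanda\.se\//,
  to: "https://www.swedavia.se/arlanda/",
};
const SWEDAVIA_RULE = {
  from: /^http:\/\/www\.swedavia\.se\//,
  to: "https://www.swedavia.se/",
};

// Constructed model of the server-side redirect the thread describes
// (arlanda.se answers with a redirect to swedavia.se/arlanda).
const SITE_REDIRECTS = new Map([
  ["http://www.arlanda.se/", "http://www.swedavia.se/arlanda/"],
  ["http://arlanda.se/", "http://www.swedavia.se/arlanda/"],
]);

// Client-side rewrite: the first matching rule is applied before anything is sent.
function rewrite(url, rules) {
  for (const rule of rules) {
    if (rule.from.test(url)) return url.replace(rule.from, rule.to);
  }
  return url;
}

// Follow the navigation and return every URL that actually goes on the wire.
function requestsOnWire(startUrl, rules, maxHops = 5) {
  const sent = [];
  let url = startUrl;
  for (let hop = 0; hop < maxHops && url; hop++) {
    url = rewrite(url, rules);
    sent.push(url);
    url = SITE_REDIRECTS.get(url); // undefined ends the chain
  }
  return sent;
}

// Requests an on-path attacker could read or answer with a forged redirect.
function cleartextRequests(startUrl, rules) {
  return requestsOnWire(startUrl, rules).filter((u) => u.startsWith("http://"));
}

console.log(cleartextRequests("http://www.arlanda.se/", [SWEDAVIA_RULE]));
console.log(cleartextRequests("http://www.arlanda.se/", [ARLANDA_RULE, SWEDAVIA_RULE]));
```

With only the swedavia.se rule, the first hop to arlanda.se is still sent over HTTP, and the response to that one request is what can be replaced; with both rules the list of cleartext requests is empty.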
