Not to argue against adding a ruleset, but the domain is in the HSTS list¹, so the browser will not try to connect to it insecurely.

¹ https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.json

Kind regards,
Joakim

2015-02-05 16:54 GMT+01:00 Daniel Kahn Gillmor:
> On Thu 2015-02-05 05:12:50 -0500, Alexander Buchner wrote:
> > On 06.11.2014 13:27, Steven Tress wrote:
> >> I've just converted my site to HTTPS. Attached is the ruleset for the
> >> site, suggested to be included in the built-in repository.
> >
> > Since your site also supports HSTS there is no need for an extra
> > httpsE-rule.
>
> Alexander, I don't think that's the right analysis. Having an
> httpsE-rule avoids an sslstrip attack for people in their first time
> visiting, which HSTS does not defend against.
>
> If i type "steventress.com" into my browser right now (having never
> visited it before), my browser will try http://steventress.com/.
>
> A network-based attacker can simply pretend to be that server (even
> proxying the content from the https site so it looks the same). All my
> communications will remain in the clear.
>
> having an httpsE-rule means that as long as i have the extension
> installed, i'll never get the cleartext site, even if i've never visited
> it before.
>
> --dkg
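The check Joakim is relying on, whether a host is covered by the Chromium preload list linked above, is easy to get wrong by hand: the file is JSON with `//` comment lines, a parent entry only covers subdomains when `include_subdomains` is set, and an entry without `"mode": "force-https"` carries pins but does not force HTTPS. The script below is an added example, not code from the thread or from the HTTPS Everywhere project; the embedded list is a constructed sample in the real file's shape, and the real file would be fetched from the URL above and fed to the same parser.

```python
import json

# Constructed sample in the shape of Chromium's transport_security_state_static.json.
# The real file is not plain JSON: it carries whole-line "//" comments that
# json.loads() rejects, so they are stripped before parsing.
SAMPLE_PRELOAD_JSON = """\
// Constructed sample, not the real Chromium preload list.
{
  "pinsets": [],
  "entries": [
    // Host and every subdomain are forced to HTTPS, even on a first visit.
    { "name": "example.com", "policy": "custom", "mode": "force-https", "include_subdomains": true },
    // Only this exact host is preloaded; its subdomains are not covered.
    { "name": "only-host.test", "policy": "custom", "mode": "force-https", "include_subdomains": false },
    // Pins only, no "mode": the browser does not force HTTPS for this host.
    { "name": "pins-only.test", "policy": "custom", "pins": "constructed", "include_subdomains": true }
  ]
}
"""


def load_preload_entries(text):
    """Drop whole-line // comments, then return the "entries" array."""
    cleaned = "\n".join(line for line in text.splitlines()
                        if not line.lstrip().startswith("//"))
    return json.loads(cleaned)["entries"]


def is_hsts_preloaded(host, entries):
    """Return the preload entry name that forces HTTPS for host, or None.

    Walks from the full host up through its parent domains: an exact entry
    counts, a parent entry counts only if include_subdomains is true, and in
    both cases the entry must have mode "force-https".
    """
    host = host.lower().rstrip(".")
    labels = host.split(".")
    by_name = {e["name"].lower(): e for e in entries}
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        entry = by_name.get(candidate)
        if entry is None or entry.get("mode") != "force-https":
            continue
        if i == 0 or entry.get("include_subdomains", False):
            return candidate
    return None


if __name__ == "__main__":
    entries = load_preload_entries(SAMPLE_PRELOAD_JSON)
    for h in ("www.example.com", "www.only-host.test", "pins-only.test"):
        print(h, "->", is_hsts_preloaded(h, entries) or "not preloaded")
```

A hit only means browsers that ship this list skip the cleartext first request; a browser without the list (or an older copy of it) still gets the behaviour dkg describes, which is the case an httpsE rule covers.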
