Hi all I'm not very happy with the new ruleset style guide.
Before, It was easy to made rule like *.secure.example => https. Now I would have to write a bulk of test for that. But when I follow the guide and create foo.secure.example and bar.secure.example I'm not protected if an attacker creates a new subdomain evil.secure.example. With wildcard rules I would get a cert failure, but with the new style guide the client would connect to this side over http. (See also HSTS includeSubdomains) So the new style guide makes it more complicated to write secure rules. Another point are bad servers, that have only a valid cert for the www prefix. Sadly, that's a very common case. Before it was easy to rewrite to www, but now I have to write a test for each redirect. I think this overkill is not planned to be the goal of the ruleset tests. regards, Jonas
signature.asc
Description: OpenPGP digital signature
_______________________________________________ HTTPS-Everywhere mailing list [email protected] https://lists.eff.org/mailman/listinfo/https-everywhere
