[email protected] writes:

> On Thu, May 27, 2010 at 07:34:01PM -0700, [email protected] wrote 1.7K bytes in 51 lines about:
> : The eventual idea is to allow an Adblock Plus style model, where users
> : can submit and exchange rule files and eventually create subscriptions
> : for the sites they use that partially support SSL.
>
> Perhaps this is a dumb question, why not try the https:// version of
> every http site the user requests? If it works, reload to the https
> url.

Three examples of sites that are broken by this are Google, Facebook, and LibraryThing, simply because they violate the assumption that the HTTPS and HTTP sites are sufficiently identical to be used interchangeably. We think there are several others out there like this.

In fact there are many potential concerns about sites that expose only a _portion_ of their resources in HTTPS, or that provide different things in the HTTPS and HTTP versions. This basically goes to the question of what "if it works" means.

Peter points out that many virtual hosters don't yet support SNI, which means that name-based virtual hosts that are distinct in HTTP won't appear distinct in HTTPS (and users who access those hosts via HTTPS will get a single default site in place of several distinct sites). In that case the content will be extremely different, and wrong, but the site will still return an HTTP 200 OK.

The presence of a regular expression-based rewrite rule in HTTPS Everywhere basically connotes that a human being checked out the site a bit and believes that the particular resources covered by the rule are safe to rewrite this way, without breaking other things.

--
Seth Schoen
Senior Staff Technologist, [email protected]
Electronic Frontier Foundation, http://www.eff.org/
454 Shotwell Street, San Francisco, CA 94110
+1 415 436 9333 x107
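
A sketch of the reviewed, regular expression-based rewrite model described in the message above, set beside the blanket upgrade from the quoted question. This is an added example, not part of the original e-mail and not HTTPS Everywhere's own code; the ruleset structure, host names and patterns are constructed for illustration.

```javascript
// Constructed rulesets: hosts and patterns are hypothetical, not real HTTPS Everywhere rules.
const RULESETS = [
  {
    name: "Example Shop (constructed)",
    hosts: ["example.com", "www.example.com"],
    // Resources a reviewer found broken or different over HTTPS stay on HTTP.
    exclusions: [/^http:\/\/(www\.)?example\.com\/forum\//],
    rules: [
      { from: /^http:\/\/(www\.)?example\.com\/(account|login)\b/,
        to: "https://www.example.com/$2" },
    ],
  },
  {
    name: "Example Mail (constructed)",
    hosts: ["mail.example.net"],
    exclusions: [],
    rules: [{ from: /^http:\/\/mail\.example\.net\//, to: "https://mail.example.net/" }],
  },
];

// Blanket approach from the quoted question: every http:// URL becomes https://.
function naiveUpgrade(url) {
  return url.replace(/^http:\/\//, "https://");
}

// Rule-based approach: rewrite only when a reviewed rule covers this resource.
function rewrite(url, rulesets = RULESETS) {
  let host;
  try {
    const u = new URL(url);
    if (u.protocol !== "http:") return url; // only plain HTTP is a candidate
    host = u.hostname;
  } catch {
    return url; // unparsable input is left alone
  }
  for (const rs of rulesets) {
    if (!rs.hosts.includes(host)) continue;
    if (rs.exclusions.some((re) => re.test(url))) return url;
    for (const { from, to } of rs.rules) {
      if (from.test(url)) return url.replace(from, to);
    }
  }
  return url; // no rule vouches for this resource, so it is not rewritten
}
```

A URL on a host with no ruleset, or on a path that no rule covers, comes back unchanged from `rewrite`, whereas `naiveUpgrade` would send it to an HTTPS site that may answer 200 OK with different content.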

