[tor-bugs] #2199 [EFF-HTTPS Everywhere]: rules with [^/@:] don't catch all traffic
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Wed Nov 24 00:36:55 UTC 2010
#2199: rules with [^/@:] don't catch all traffic
----------------------------------+-----------------------------------------
Reporter: dkg | Owner: pde
Type: defect | Status: new
Priority: normal | Milestone:
Component: EFF-HTTPS Everywhere | Version:
Keywords: | Parent:
----------------------------------+-----------------------------------------
Comment(by dkg):
Yes, I'm sure. Visiting the URLs directly will trigger Firefox's
confirmation prompt, but I'm concerned more about the embedded img src's
which don't seem to be prompted for.
I've placed the following code
[http://lair.fifthhorseman.net/~dkg/personal/https-everywhere-2199.html
online]:
{{{
<html>
<head>
<title>a test</title>
</head>
<body>
<!-- this first one gets loaded in the clear -->
<img src="http://www@duckduckgo.com/nduck.v104.png" />
<!-- https-everywhere intercepts this one and sends it out over https -->
<img src="http://duckduckgo.com/nduck.v104.png" />
</body>
</html>
}}}
If you have Firebug installed, open up the net console, and visit
[http://lair.fifthhorseman.net/~dkg/personal/https-everywhere-2199.html
the example]. (The net console might close when you switch domains. Just
re-open it and refresh the page with ctrl-shift-R.)
You should see one request to the duckduckgo servers in the clear (HTTP)
and another one encrypted (HTTPS).
tcpdump + wireshark confirms this behavior for me on a Debian squeeze
system with https-everywhere 0.9.0 installed and the duckduckgo rule
enabled.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2199#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
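
Added example, not part of the ticket or of the HTTPS Everywhere code: it reproduces the gap reported above with a rule whose host pattern uses the `[^/:@]` character class, then shows one way to close it by stripping the userinfo component before matching. The `RULE` pattern and the function names are assumptions made for illustration; the actual duckduckgo ruleset is not shown on this page.

```javascript
// Hypothetical rule modeled on the character class in the ticket title;
// the real duckduckgo ruleset is not reproduced here.
const RULE = {
  from: /^http:\/\/([^/:@]*\.)?duckduckgo\.com\//,
  to: "https://$1duckduckgo.com/",
};

// Naive rewrite: apply the rule to the raw URL string.
// Returns the rewritten URL, or null if the rule does not match.
function rewriteRaw(url) {
  return RULE.from.test(url) ? url.replace(RULE.from, RULE.to) : null;
}

// Rewrite after removing userinfo ("user@" or "user:pass@"), so the rule
// sees the same host text it would see for a credential-free URL.
function rewriteNormalized(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return null; // not a parseable absolute URL
  }
  if (parsed.protocol !== "http:") return null;
  const userinfo = parsed.username
    ? parsed.username + (parsed.password ? ":" + parsed.password : "") + "@"
    : "";
  parsed.username = "";
  parsed.password = "";
  const rewritten = rewriteRaw(parsed.href);
  if (rewritten === null) return null;
  // Re-attach the credentials so only the scheme changes.
  return rewritten.replace("https://", "https://" + userinfo);
}

// The two image URLs from the test page in the ticket.
const samples = [
  "http://www@duckduckgo.com/nduck.v104.png",
  "http://duckduckgo.com/nduck.v104.png",
];
for (const u of samples) {
  console.log(u, "| raw:", rewriteRaw(u), "| normalized:", rewriteNormalized(u));
}
```

A ruleset regression test can feed each target host through both the bare and the `user@host` form and fail if either one is left on plain HTTP.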