#5686: Many rules fail to initiate rewrite to https & some that do produce
insecure sessions
-------------------------------------+--------------------------------------
Reporter: torcoascor | Owner: pde
Type: defect | Status: reopened
Priority: normal | Milestone:
Component: EFF-HTTPS Everywhere | Version:
Resolution: | Keywords:
Parent: | Points:
Actualpoints: |
-------------------------------------+--------------------------------------
Comment(by torcoascor):
Thanks for your response. I see my HTTPS Everywhere has been updated to
2.0.3. However, when I enter www.ibm.com/us/en I do not get a rewrite.
What appears is the same as what was entered, www.ibm.com/us/en, and there
is no identity verified in the FF Site Identity Button.
With regard to the Symantec Ruleset. I had seen in the projects/https-
everywhere.git/blob the following: [https-
everywhere.git]/src/chrom/content/rules/Symantec.xml which led me to
believe that extensive ruleset was in use. Though I now see the annotation
"Fix various convergence integration & self-signing bugs" associated with
it and I don't see a recognizable name for it in the HTTPS Everywhere
control window.
I ran 21 tests on 18 sites comparing the results between FF with HTTPS
Everywhere 2.0.3 to Chrome without the beta HTTPS Everywhere. In addition
to www.ibm.com/us/en I found the following failure on my system to
rewrite:
mcafee.com or www.mcafee.com/us/
But in addition, where rewrites did appear to be correct such as
nytimes.com to https://www.nytimes.com/, panasonic.com to
https://www.panasonic.com/ and nokia.com https://www.nokia.com/us-en/ the
FF Site Identity Button was greyed out indicating site not identified and
no encrypted session established. Yet if I navigate to those rewritten
urls using Chrome, the site identify is verified and encryption is present
though content is mixed.
I am still researching the possibility I have been infected or that my FF
installation is corrupted or compromised. However, I have done a short
version of the same tests on another workstation using www.ibm.com/us/en/
and www.mcafee.com/us/. Results for ibm and mcafee are the same as on my
workstation. However, entering www.mcafee.com produces www.mcafee.com/us/
with the Site ID Button greyed out. Entering www.mcafee.com/us/ produces
the same result www.mcafee.com/us/ with the Site ID Button greyed out.
HOWEVER, entering www.mcafee.com/us [notice the final forward slash is
missing] produces the same result www.mcafee.com/us/ but in this case the
Site ID Button is blue and contains verified site and encryption
information. I tried removing the final forward slash from the ibm string
as www.ibm.com/us/en and www.ibm.com/us but both continue to fail to
rewrite on both workstations and the Site ID Button is greyed out. For
both the IBM and the McAfee sites entering the full form https:// url
results in verified sites and encryption information using FF.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5686#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online