[tor-bugs] #6279 [EFF-HTTPS Everywhere]: Rules: POF / Plenty Of Fish

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Tue Jul 3 01:31:44 UTC 2012


#6279: Rules: POF / Plenty Of Fish
----------------------------------+-----------------------------------------
 Reporter:  grarpamp              |          Owner:  pde
     Type:  defect                |         Status:  new
 Priority:  normal                |      Milestone:     
Component:  EFF-HTTPS Everywhere  |        Version:     
 Keywords:                        |         Parent:     
   Points:                        |   Actualpoints:     
----------------------------------+-----------------------------------------
 1) POF is made up of many more hosts than just (www.)?pof.com.
  - Documented observed hosts, implemented compact form with *'s.
   (But see Excludes TODO in the case that POF again does not deploy
   HTTPS everywhere in the future.)

 2) Fixed poor forms
  - unnecessary mapping from https to https with 's?'
  - unused non-backref '?:'
  - mapping www to the domain itself

 3) POF is now returning 302 (to HTTP) for all HTTPS requests.
  - Therefore the current rules in git are moot and result in POF
  falling back via redirection loop to insecure HTTP.
  - POF is now completely unencrypted with no HTTPS capability at
  all (except for maybe their payment server). Users should be wary
  about their privacy, account, and financial integrity when using POF.


 printf 'GET / HTTP/1.0\nHost: www.pof.com\n\n' \
  | openssl s_client -connect www.pof.com:https -quiet 2>/dev/null

 HTTP/1.1 302 Found
 Location: http://www.pof.com/
 Server: Microsoft-IIS/7.5
 X-Powered-By: ASP.NET


 4) Due to all this, the attached replacement ruleset is disabled
 by default. It should be committed as notes for if/when POF moves
 to https in the future.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6279>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
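
Added example, not part of the ticket or of the HTTPS Everywhere code base: a check for the situation in item 3, where the server answers an HTTPS request with a redirect to plain HTTP and a rewrite rule sends the browser straight back. The response head is the one quoted in the ticket; SAMPLE_RULE and all function names are assumptions made for illustration, and the rule is not the attached ruleset.

```python
import re
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Response head quoted in the ticket for an HTTPS request to www.pof.com.
TICKET_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://www.pof.com/\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "X-Powered-By: ASP.NET\r\n\r\n"
)

# Constructed (from_regex, to) pair for illustration, not the ticket's ruleset.
# It has no backreferences, so no "$1" to "\1" translation is needed here.
SAMPLE_RULE = (r"^http://(www\.)?pof\.com/", "https://www.pof.com/")


def redirect_target(request_url, raw_head):
    """Return the absolute redirect target of a raw response head, or None."""
    lines = raw_head.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    parts = lines[0].split()
    if len(parts) < 2 or not parts[1].isdigit() or int(parts[1]) not in REDIRECT_CODES:
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return urljoin(request_url, value.strip())  # resolves relative targets
    return None


def apply_rule(rule, url):
    """Rewrite url with a (from_regex, to) pair; unchanged if it does not match."""
    pattern, replacement = rule
    return re.sub(pattern, replacement, url, count=1)


def classify(rule, request_url, raw_head):
    """Return 'ok', 'downgrade' (redirect to http) or 'loop' (rule undoes it)."""
    target = redirect_target(request_url, raw_head)
    if target is None or urlsplit(target).scheme != "http":
        return "ok"
    return "loop" if apply_rule(rule, target) == request_url else "downgrade"
```

A 'loop' result means the rule and the server undo each other, which is the redirection loop the ticket describes; 'downgrade' means the server leaves HTTPS for a URL the rule does not cover.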