Fwd: How HTTPS Everywhere affects classpath.org

I believe the included classpath.org hosts are just pointed at FSF servers, so this should not impact anyone but I thought I'd pass it along.

---------- Forwarded message ----------
From: HTTPS Everywhere Project <https-everywhere-notification@xxxxxxx>
Date: Wed, Jul 24, 2013 at 7:36 PM
Subject: How HTTPS Everywhere affects classpath.org
To: cbjones1@xxxxxxxxx, webmaster@xxxxxxxxxxxxx


Hi,

You're receiving this note because classpath.org is part of our HTTPS
Everywhere browser extension, and an upcoming change to the way
Firefox handles HTTPS pages may cause your site to display or function
incorrectly. We want to make sure that the nearly 3 million HTTPS
Everywhere users have the best possible experience while browsing, so
we're asking you to please take a minute and test how your site
behaves in Firefox 23.  You can find out more about our software at

https://www.eff.org/https-everywhere

To see the rules affecting your site, you can visit the HTTPS Everywhere
Atlas at

https://www.eff.org/https-everywhere/atlas/domains/classpath.org.html

The Atlas shows both rules in the development and stable versions of
our extension.  Rules in the stable version are used by millions of
users, while development rules are used by tens of thousands of users.
Development rules are now being tested but will be migrated to the stable
version in the future.

**An upcoming change (described below) in how the Firefox browser renders
HTTPS content makes it especially important that you check that your site
is prepared for HTTPS access.  We urge you to review the rules affecting
your site and also to test it using HTTPS Everywhere with the upcoming
version of Firefox.**

*NEW FIREFOX CONTENT SECURITY POLICY*: In the upcoming Firefox 23 browser
release, due out the week of August 6, Firefox will stop loading certain
"active" content such as scripts and stylesheets from insecure http://
URLs if they've been included from a secure https:// site.  If the HTTPS
Everywhere rules send users to the secure version of your site but the
secure version includes some content loaded over an insecure connection,
the rendering of your site may become broken for Firefox users with HTTPS
Everywhere installed after they upgrade to Firefox 23.  You can check
this by downloading a preview release of Firefox 23, installing HTTPS
Everywhere, and visiting your site.  We urge all web site operators
to protect their users by making sure that all site content is always
loaded over a secure connection.  A preview version of Firefox 23 is
available now at https://www.mozilla.org/en-US/firefox/beta/ and the
HTTPS Everywhere extension is at https://www.eff.org/https-everywhere

HTTPS Everywhere rules instruct browsers to access certain specified
resources securely -- over HTTPS -- even if the user typed or followed
a non-HTTPS link or even if the resources were included in a page
via a non-HTTPS URL.  For example, it might automatically rewrite

http://www.classpath.org/

to

https://www.classpath.org/

or make some similar change.

The goal of this rewriting is to protect as much as possible of every web
site against sniffing and tampering by ensuring that as many site resources
as possible are loaded over a secure HTTPS connection.

When web sites are accessed insecurely, users are vulnerable to attacks by
other users on their networks.  HTTPS Everywhere aims to activate sites'
existing HTTPS protection more consistently to make sure users are as
well-protected from these attacks as possible -- including attacks like
sidejacking and SSL stripping.

http://www.firesheep.org/
http://www.thoughtcrime.org/sslstrip

As a result, we think there's an emerging consensus to make all web sites
secure, not just financial sites and login pages.  Providing a secure
connection helps protect users' login credentials, but also helps protect
their privacy and security even when accessing public resources, for
example by preventing network operators from injecting malware downloads.

The goal of HTTPS Everywhere is to make the web more secure and help
users express their preference to use the secure version of every site
automatically, even on sites where this is not the default.  We don't want
to break sites or harm users' experience.  So, we encourage webmasters to
test the effect of HTTPS Everywhere on their sites and fix any problems
that result -- ideally, by making sure that all resources that make up
a site are available over HTTPS, using a current, valid certificate.
Although we only include rules that we've been told and believe work
properly, we can't always anticipate whether a rule adversely affects a
site, especially if the site's URL structure, use of CDNs, or level of
HTTPS support changes over time.

We are always happy to receive bug reports, updates, and fixes to HTTPS
Everywhere rules.  We will also make rules inactive by default if a
site operator asks us to.  Although we are working for a web where
all sites are secure, we are not trying to use this software to force
sites to use HTTPS against their operators' wishes.  You can send any
corrections, updates, or requests to https-everywhere-rules@xxxxxxx
(which is a public and publicly-archived mailing list), or by replying
to this e-mail address.

Thanks for your attention!

Seth Schoen, Senior Staff Technologist, Electronic Frontier Foundation
for the HTTPS Everywhere development team
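
The Firefox 23 behaviour described in the message above can be checked offline. The following is an added example, not part of the original e-mail or of HTTPS Everywhere: a Python check that treats a page as served over HTTPS and lists the subresources that would still load over http://, separating active content from passive. The sample HTML and the static.example host are constructed, and treating iframe, object and embed as active is an assumption beyond the scripts and stylesheets the message names.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Scripts and stylesheets are the "active" content the message names;
# iframe/object/embed as active, and the passive set, are assumptions here.
ACTIVE = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}
PASSIVE = {"img": "src", "audio": "src", "video": "src"}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link":
            if "stylesheet" not in (a.get("rel") or "").lower().split():
                return  # icons and other <link> types are not stylesheets
            kind, url = "active", a.get("href")
        elif tag in ACTIVE:
            kind, url = "active", a.get(ACTIVE[tag])
        elif tag in PASSIVE:
            kind, url = "passive", a.get(PASSIVE[tag])
        else:
            return  # e.g. <a href>: navigation, not a subresource
        if not url:
            return
        # Resolve relative and protocol-relative (//host/x) URLs against the page.
        absolute = urljoin(self.page_url, url.strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append((kind, tag, absolute))

def scan(page_url, html):
    """Return insecure subresources of a page served at page_url."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only arises on an HTTPS page
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; static.example is a placeholder host.
SAMPLE = """<head><link rel="stylesheet" href="http://static.example/site.css">
<link rel="icon" href="http://static.example/favicon.ico">
<script src="//static.example/lib.js"></script>
<script src="http://static.example/app.js"></script></head>
<body><img src="http://static.example/logo.png"><img src="/local.png">
<a href="http://www.classpath.org/">home</a></body>"""
```

Calling `scan("https://www.classpath.org/", SAMPLE)` returns the findings in document order; entries marked `active` are the ones a site operator needs to move to HTTPS before the rewrite rule is safe to apply.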

