I’m trying to update the NewsBlur ruleset for HTTPS Everywhere. Which subdomains don’t support HTTPS? So far I’ve found popular.global.newsblur.com and blog.newsblur.com (and icons.newsblur.com and pages.newsblur.com, but they’re OK because they can be redirected to the S3 URLs). Are there any others I’ve missed?
Alternatively, would you consider adding HTTPS support on those subdomains?
So I’ll switch the page server over to default to https, but the rest are CNAME DNS entries for S3, which means I can’t use https, since the cert won’t match.
That’s fine, from the point of view of HTTPS Everywhere, as it can redirect its users directly to S3 and use Amazon’s cert. It already does this (in the development version) for pages.newsblur.com and icons.newsblur.com.
The problem subdomains (that I know of) are blog.newsblur.com which curently doesn’t serve HTTPS at all, and popular.global.newsblur.com which does but the cert isn’t valid - it’s for *.newsblur.com but that only matches a single level of subdomains.
blog.newsblur.com is a CNAME for tumblr, so not much I can do there either.
For popular.global.newsblur.com, a possible solution might be (if this is easy to do) to add a single-level subdomain as an alias - then HTTPS Everywhere can send its users there. (Or leave it as it is - currently, the extension’s dev version redirects users to the HTTP version of that subdomain. But that’s not ideal, as it also sets the secure flag on the session cookie, so the HTTP site doesn’t see it and assumes you’re logged out).
Wow, you really did your homework. I should probably stick SSL on those, since my certificate is a catch all. I’ll try to get to this today.