Https-everywhere: write.amnestyusa.org uses a self-signed cert

Created on 11 Oct 2016 · 5Comments · Source: EFForg/https-everywhere

http://write.amnestyusa.org/signup/ redirects to https://write.amnestyusa.org/signup/

That site currently uses a self signed certificate:
write.amnestyusa.org uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is only valid for selfsigned.cloudwaysapps.com Error code: SEC_ERROR_UNKNOWN_ISSUER

I erroneously contacted Amnesty about it, so they are aware, but consider the site content not important enough for SSL. I've asked them to reconsider, but in any case, for now, it's broken.

ruleset-bug

Source

austin987

Most helpful comment

Thank you for bringing this to our attention @austin987!

We're implementing a wildcard SSL for all of our properties in the next week.

schutzsmith on 12 Oct 2016

🎉3

All 5 comments

Hm, thanks for the report, but Amnesty_USA.xml contains no rules for write.amnestyusa.org, and it never has, so HTTPS Everywhere should not be rewriting that request. Do you perhaps have a custom ruleset, or could a different add-in be causing the redirect?

fuglede on 11 Oct 2016

Hi @fuglede,

No, I don't have any custom rulesets. I see this in Firefox and Chromium, where I only have uBlock Origin. Disabling uBlock makes no difference.

The original URL (from an email) was http://www.e-activist.com/ea-action/broadcast.record.message.click.do?ea.url.id=742999&ea.campaigner.email=4DvyaN3Tko8gYHTECbwHV5ku6OPFCMj%2F&ea.campaigner.id=MHk1zxzJpriZkArzVWMSmA==&ea_broadcast_target_id=0

which, if I have HTTPS-E disabled, goes to http://write.amnestyusa.org/signup/. Perhaps some redirect magic is at play?

austin987 on 11 Oct 2016

There's an e-activist.com rule that rewrites the URL in the previous comment from http to https. I guess the people who run e-activist.com have it set up so that if their URL is https, the target URL is https, and the same for http.