Hi all,

I was just informed [1] that the Firefox browser addon https-everywhere poses a severe security risk in bullseye. It was already removed from Debian in 2023 [2] because it is obsolete nowadays since major web browsers support https-only mode.

Apparently the EFF let the https-rulesets.org domain expire which was the source for up-to-date https-rules and a third party registered said domain. The browser addon obtained new rules from this domain and trusts it unconditionally. It appears https-rulesets.org redirects to a known malware site now. For users in bullseye this may pose a severe security risk.

Since we cannot restore the old functionality, I requested the removal of https-everywhere. [3]

I intend to send a DLA as soon as [3] has been processed by the ftp team.

Regards,

Markus

[1] https://bugs.debian.org/1118030
[2] https://tracker.debian.org/news/1448612/removed-2022511-1-from-unstable/
[3] http://bugs.debian.org/1118045