[HTTPS-E Rulesets] Suggested ruleset for new HTTPS site

Alexander Buchner alexander.buchner at posteo.de
Thu Feb 5 08:49:00 PST 2015


On 05.02.2015 16:54, Daniel Kahn Gillmor wrote:
> Alexander, I don't think that's the right analysis.  Having an
> httpsE-rule avoids an sslstrip attack for people in their first time
> visiting, which HSTS does not defend against.
> 
> If i type "steventress.com" into my browser right now (having never
> visited it before), my browser will try http://steventress.com/.
> 
> A network-based attacker can simply pretend to be that server (even
> proxying the content from the https site so it looks the same).  All my
> communications will remain in the clear.
> 
> having an httpsE-rule means that as long as i have the extension
> installed, i'll never get the cleartext site, even if i've never visited
> it before.
> 
>            --dkg

Of course you are right! These two measures don't contradict each other.

But I think that HSTS (+ adding it on https://hstspreload.appspot.com/)
is more effective since very few people out there use https everywhere
(btw, are there any known estimates?) and it takes rather long for a rule to
get to the stable branch which the majority of people (including all
Chrome users) use.
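An added illustration (not part of this thread, and not HTTPS Everywhere project code) of the two measures discussed above: a tiny simulated browser that either applies an HTTPS Everywhere-style ruleset or relies only on HSTS policies remembered from earlier HTTPS responses. The host example.com, the ruleset and the header values are constructed; the preload criteria encoded here (max-age of at least one year, includeSubDomains, preload) are assumed to be the current hstspreload requirements and are not stated in the thread.

```python
import re
from urllib.parse import urlsplit

# Constructed ruleset in the shape of an HTTPS Everywhere ruleset
# (<target host="..."/> plus <rule from="^http:" to="https:"/>), embedded as
# Python data so the demo is self-contained. The host is hypothetical.
RULESET = {
    "name": "Example Site (constructed)",
    "targets": {"example.com", "www.example.com"},
    "rules": [(re.compile(r"^http:"), "https:")],
}

# Assumed hstspreload requirements: max-age >= 1 year, includeSubDomains, preload.
PRELOAD_MIN_MAX_AGE = 31536000


def apply_ruleset(url, ruleset=RULESET):
    """Rewrite url with the first matching rule when its host is a target; else return it unchanged."""
    host = urlsplit(url).hostname
    if host not in ruleset["targets"]:
        return url
    for pattern, replacement in ruleset["rules"]:
        if pattern.search(url):
            return pattern.sub(replacement, url, count=1)
    return url


def parse_hsts(header):
    """Parse a Strict-Transport-Security value; return None if max-age is missing or not numeric."""
    directives = {}
    for token in header.split(";"):
        name, _, value = token.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"')
    max_age = directives.get("max-age", "")
    if not max_age.isdigit():
        return None
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def preload_eligible(policy):
    """True if a parsed policy meets the assumed preload-list criteria."""
    return (policy is not None
            and policy["max_age"] >= PRELOAD_MIN_MAX_AGE
            and policy["include_subdomains"]
            and policy["preload"])


class Browser:
    """Minimal model of the scheme a browser picks for a hostname typed into the address bar."""

    def __init__(self, https_everywhere=False):
        self.https_everywhere = https_everywhere
        self.hsts_hosts = {}  # host -> parsed policy (expiry is ignored in this model)

    def first_request(self, typed_host):
        """URL of the first request; a plain-http first request is what sslstrip exploits."""
        url = "http://" + typed_host + "/"
        if self.https_everywhere:
            url = apply_ruleset(url)
        if url.startswith("http:") and typed_host in self.hsts_hosts:
            url = "https://" + typed_host + "/"
        return url

    def receive_response(self, host, over_https, headers):
        """Record an HSTS policy; browsers ignore the header on plain-HTTP responses."""
        value = headers.get("Strict-Transport-Security")
        policy = parse_hsts(value) if (over_https and value) else None
        if policy is not None:
            self.hsts_hosts[host] = policy
        return policy is not None


if __name__ == "__main__":
    plain = Browser()
    print("HSTS only, never visited:", plain.first_request("example.com"))
    plain.receive_response("example.com", True,
                           {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"})
    print("HSTS only, after one HTTPS visit:", plain.first_request("example.com"))
    ext = Browser(https_everywhere=True)
    print("with ruleset, never visited:", ext.first_request("example.com"))
```

The model shows why the two measures complement each other: with HSTS alone the very first request to a never-visited host goes out over plain http, so a policy can only be learned after one clean HTTPS visit (or from the preload list), whereas the ruleset rewrites that first request before it leaves the browser.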
