[HTTPS-Everywhere] Mixed Content / HTTP redirects

Drake, Brian brian2 at drakefamily.tk
Sun Dec 19 00:33:55 PST 2010


On Sun, Dec 18, 2010 at 1131 (UTC-8), Chris Palmer <chris at eff.org> wrote:
> On Dec 18, 2010, at 0825 (UTC-8), Drake, Brian wrote:
>
>> With mixed content, Internet Explorer has an option to block it or
>> prompt before displaying it.
>
> [snip]
>
> If HTTPS Everywhere grew this feature, it must not add any new alert windows. If possible, it should get rid of some extraneous alerts.

Unless the user or administrator, as appropriate, chooses otherwise.
The owner of the system should always be in control, not the designer.

> I've been hypothesizing that the way to express that "secure is the new default" is to show a notification (the padlock icon for HTTPS is a "notification") for page-loads that are not 100% secure, and to show no notification when they are 100% secure.

Is secure really the new default (note that the Facebook+ ruleset is
off by default)?

> http://www.usenix.org/event/upsec08/tech/full_papers/cranor/cranor.pdf
>
> I could be talked off the ledge and into showing a notification for the secure state too, though. :)

When it comes to my own system, I want to be in the loop. I can say
from experience that if I were in charge of a corporate system, I’d
probably want to keep (particularly novice) users out of the loop, as
the paper suggests.

> I like Brian's idea, but I'm sadly too busy with other things to hack on HTTPS Everywhere. I leave this to you all to decide on. Feel free to submit a patch, Brian. :)

I intend to, as soon as I figure out how to write Firefox add-ons…
(I’m reading about them now, but as I only have production systems to
test my work on, I need to do this right, not quick.)
