[HTTPS-Everywhere] When is appropriate to add rules
Peter Eckersley
pde at eff.org
Sat Jul 3 12:31:02 PDT 2010
If a site answers http and https, but every link on the site points to http,
that is a perfect time to add a ruleset.
HTTPS Everywhere catches the requests before they are sent, and replaces the
http with an https.
If you write a ruleset, you can test that it is working comprehensively by
using tools like Live HTTPS Headers (easy) or Wireshark (harder, but probably
more trustworthy).
An example of a site where there is *no* point in adding a ruleset is one
where the site answers every request over HTTPS, but responds with a 302
redirect back to HTTP. HTTPS Everywhere's loop detection code would prevent
that site from breaking, but there would be a performance cost, and no benefit
would be obtained.
On Sat, Jul 03, 2010 at 03:05:36PM +0100, No http wrote:
> I am a little unclear as to whether one should use https-everywhere if
> a website has https support but all links on the site are hard coded
> to go to http://somesite/somepage.
>
> This would result the first time you connect to the site,
> https-everywhere redirecting from http -> https, but then every
> subsequent page you go to will go from the https (page1) -> http
> (page2)-> https (page2).
>
> In this scenario is there any real point in creating rules as you are
> essentially going to be leaving the SSL session for each new page you
> go to.
> _______________________________________________
> HTTPS-everywhere mailing list
> HTTPS-everywhere at mail1.eff.org
> https://mail1.eff.org/mailman/listinfo/https-everywhere
--
Peter Eckersley pde at eff.org
Senior Staff Technologist Tel +1 415 436 9333 x131
Electronic Frontier Foundation Fax +1 415 436 9993
More information about the HTTPS-everywhere
mailing list