[HTTPS-Everywhere] Stupid Perl Tricks: ssl_check2.pl
Peter Eckersley
pde at eff.org
Sun Nov 7 14:04:31 PST 2010
On Sat, Nov 06, 2010 at 05:51:30AM -0400, Flamsmark wrote:
> If a mature version of this sort of script is produced, is it possible that
> (distant) future versions of the addon might do opportunistic https even for
> sites where there isn't a rule?
There are some significant hurdles to this approach. Consider the case of a
currently known bug in the Facebook rule, which is that it Facebook's "chat"
feature is broken over HTTPS. What would a script need to do to establish
that?
1. Log in to Facebook
2. Execute a bunch of JavaScript for the chat feature
3. Determine that the difference between the chat states ("chat not enabled" vs
"chat enabled" vs "receiving a message from person X") and work out which
one is okay
4. Accept the risk that the JavaScript you're messing with isn't idempotent,
ie, you might accidentally click a "delete my account" button.
It's hard to do 1. over HTTP at runtime without giving the user a false sense
of security while leaving them exposed to cookie theft.
Also, in the case of Facebook, we know that the chat feature is marginal
enough that we can just put up with it being broken. But in other cases the
breakage may make the site unusuable. The failure of the Amazon rule is
perhaps a good example of how subtle this can be
(https://mail1.eff.org/pipermail/https-everywhere/2010-August/000160.html).
Currently, I think these problems are too far-reaching to imagine HTTPS
Everywhere autoprobing sites by default. We could consider offering this kind
of behaviour as an option that users can turn on if they want, of course.
--
Peter Eckersley pde at eff.org
Senior Staff Technologist Tel +1 415 436 9333 x131
Electronic Frontier Foundation Fax +1 415 436 9993
More information about the HTTPS-everywhere
mailing list