[HTTPS-Everywhere] Stupid Perl Tricks: ssl_check2.pl

Flamsmark flamsmark at gmail.com
Sun Nov 7 21:50:16 PST 2010


On 7 November 2010 18:04, Peter Eckersley <pde at eff.org> wrote:

> On Sat, Nov 06, 2010 at 05:51:30AM -0400, Flamsmark wrote:
>
> > If a mature version of this sort of script is produced, is it possible that
> > (distant) future versions of the addon might do opportunistic https even for
> > sites where there isn't a rule?
>
> <snip>
> Currently, I think these problems are too far-reaching to imagine HTTPS
> Everywhere autoprobing sites by default.  We could consider offering this kind
> of behaviour as an option that users can turn on if they want, of course.
>

Many security- or privacy-oriented addons - like NoScript and RequestPolicy -
break sites by default. They typically come with a small whitelist of things
that are known to safely fix some things, but leave the rest up to the user.
I'm not saying that this is exactly the right approach for HTTPS Everywhere.
It's possible, for instance, that you'd prefer not to rely on users to
make those sorts of security assessments. However, I could certainly see the
value of this approach, for the more sophisticated user at least. I know
that I would appreciate that approach, even if I'm not the typical, or
target user. Even still, most users are savvy enough to identify that a site
is broken, and choose to switch to the other version.

Certainly consider the following hypothetical feature list:
- shipping HTTPS Everywhere with default rules for popular sites known to
work, or not work,
- using HTTPS opportunistically according to such a script (though perhaps
not with JS checks), and
- giving the user a browser menu to override the script's guess when a site
breaks (and optionally save that choice).

Given that this is a popular paradigm for similar extensions, that would
certainly be a feasible approach to take. It doesn't seem to be outside
the scope of possible development work. For the savvy user - at least - it
would provide the potential for an addon that does roughly what the name
says - HTTPS (almost) everywhere (that it's supported).

Is that a plausible development path?