[HTTPS-Everywhere] Feedback on HTTPS Everywhere

Whizz Mo https at whizzmo.com
Sun Sep 19 23:00:58 PDT 2010


I'll bite.

Some ISPs (e.g. Comcast) use transparent caching servers to speed up access
to frequently-requested URLs.  Using SSL for these connections precludes
transparent caching, as your ISP (should) never see the full URL for an SSL
request. Instead of responding quickly with a ready-to-go image from a
server on their network, they have to pass the request on up to the original
site.  The original site may be considerably farther away (ping-wise) than
the caching server.  The original site may also experience considerably more
load than your ISP's caching server (serving one batch of clients vs. the
rest of the internet).  SSL connections take longer to set up and tear down
than normal TCP connections (handshaking, key exchange, etc).  All of these
factors add up to a client experience that is slower, but more resistant to
logging and malicious packet injection.  You trade some lost performance for
some gained security.

Side note 1:  "http" DTD references and "http-equiv" headers are not
necessarily insecure URLs.  Please be careful where you point your
highlighter.

Side note 2:  If I remember correctly, *even if a page or HTML document
contains insecure http:// references*, those references will be fetched over
an SSL connection if HTTPS Everywhere has a rule that matches the
reference.  (Example:  If http://www.cnn.com calls for an image from
http://timewarnercdn.net/images/blahblahblah/omgwtfbbqsauce.jpg  and HTTPS
Everywhere has a rule for http://timewarnercdn.net ->
https://timewarnercdn.net, the image *should* be fetched over an SSL
connection.)  In other words, even "insecure" Facebook pictures can be
fetched over an SSL connection, albeit at a slower speed (see above).



On Sat, Sep 18, 2010 at 7:42 AM, Vegan <vegan at riseup.net> wrote:

>  EFF HTTPS EVERYWHERE Firefox XPI Plug-in Performance using FACEBOOK!
>
> *FEEDBACK*
>
> After downloading from the EFF website and having installed the Firefox XPI
> Plug-in called “HTTPS Everywhere” version 0.2.2 in the Firefox version
> 3.6.10, running on a Windows XP Pro SP3 operating system the following
> condition was experienced.
>
>
>
> When I select the option from the HTTPS EVERYWHERE application to use SSL
> on FACEBOOK, it does NOT redirect the “active web content” that Facebook
> makes use of. In fact, there is NO warning in Firefox, that “active web
> content” isn’t using SSL on an SSL encrypted website, unlike Microsoft
> Internet Explorer, tested in v6 and v7, which does pop up a security warning
> asking the browser user if they want to display non secure items!
>
>
>
>
>
>
> So is the EFF HTTPS EVERYWHERE Firefox Plug-in looking like a big bank
> vault for customers (Firefox users) with a gaping hole in the back side?
>
>
>
> Sure enough, when one checks the “html code” on the Facebook web pages,
> there are plenty of non secure URLs and non secure active web content!
>
>
>
>
>
>
> An additional issue when using the EFF HTTPS Everywhere was when attempting
> to view any FACEBOOK photo album, which either doesn’t display completely or
> takes a rather long time to display all of the photos (thumbnail views) with
> additional F5 webpage refreshes required.
>
>
>
> Just for the sake of testing, I tried using Facebook on different PCs by
> switching between “http” and “https” to see what happens. In all cases, when
> Facebook was using SSL it had problems displaying photos, whereas non secure
> “http” was blazing fast, without needing the web page to be refreshed.
>
>
>
> How does using SSL prevent loading (displaying) photos that are sent
> encrypted using SSL? I’m NOT a web designer, just take a look here below…
>
>
>
>
>
>
> As you see in the picture above inline, it shows some of the SSL traffic,
> showing those photos to be encrypted, so why does using SSL only on
> Facebook, delay and prevent (missing) photos from displaying. Let me make
> this more clear, in that some of the photos begin to load and display on the
> Facebook photo album webpage, but many do NOT and some take a very long
> time, from seconds to minutes, to half an hour, just for thumbnails to
> appear! Even when refreshing the web page, which helps to display more
> photos, it still acts like something freezes for the behavior of using SSL
> with Facebook.
>
>
>
> As soon as SSL isn’t used, then those same thumbnail photos load and
> display almost instantly, even a hundred of them at a time. So somehow those
> photos are loaded in a manner that the active web content which isn’t SSL
> traffic produces a delay? I don’t understand, but the PC is working good,
> other websites don’t have this issue, when using SSL traffic. The same
> problem happens on multiple different computers regarding FACEBOOK when
> using the SSL method. So it’s NOT an issue with the PC, or the operating
> system, not the browsers, as different ones were used on different computers
> and all demonstrated the same repeating issue no matter.
>
>
>
> *How to secure Facebook?* So that Facebook is using full SSL/TLS using 256
> bit in Firefox, including active web content? When does a social website for
> which millions are using, get serious with privacy security?
>
>
>
> Thanks for reading!
>
>
>
> Sincerely,
>
> V
>
>
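
Added example, not part of either message and not HTTPS Everywhere's own code: a sketch of the behaviour described in Side note 1 and Side note 2, listing which `http://` references in a page are actually fetched and which of those a matching rule would upgrade. The rule object shape, the sample page, `static.example.net` and the regex-based scan (a simplification of real HTML parsing) are assumptions.

```javascript
// Added example. Rules and page markup are constructed, modeled on the
// cnn.com / timewarnercdn.net illustration; not HTTPS Everywhere source.
const RULES = [
  { host: 'timewarnercdn.net',
    from: /^http:\/\/timewarnercdn\.net\//, to: 'https://timewarnercdn.net/' },
];

// Constructed page, imagined as served from an https:// origin.
const PAGE = `<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<script src="http://static.example.net/app.js"></script></head><body>
<img src="http://timewarnercdn.net/images/photo.jpg">
<a href="http://www.example.org/story">story</a>
</body></html>`;

// A simplified set of tag/attribute pairs that make the browser fetch a URL
// while rendering. DOCTYPE DTDs, xmlns values, http-equiv and <a href> are not
// subresource loads, so they are deliberately not matched.
const FETCHED = /<(script|img|iframe|link)\b[^>]*?\b(src|href)="(http:\/\/[^"]+)"/gi;

// Return the https:// form if a rule matches, otherwise null.
function rewrite(url) {
  const host = new URL(url).hostname;
  for (const r of RULES) {
    if (host === r.host && r.from.test(url)) return url.replace(r.from, r.to);
  }
  return null;
}

// List every http:// subresource and how it would actually be fetched.
function auditPage(html) {
  const report = [];
  for (const m of html.matchAll(FETCHED)) {
    const tag = m[1].toLowerCase();
    const upgraded = rewrite(m[3]);
    report.push({
      tag, url: m[3],
      fetchedAs: upgraded || m[3],
      secure: upgraded !== null,                    // false = still plain http
      active: tag === 'script' || tag === 'iframe', // can script the page
    });
  }
  return report;
}

console.log(auditPage(PAGE));
```

Entries with `secure: false` and `active: true` are the ones the original report is concerned about: active content on an SSL page for which no rule exists.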