[HTTPS-Everywhere] Sites that already enforce HTTPS

Erik Harris erik at eharrishome.com
Wed Aug 31 17:20:03 PDT 2011


On 8/31/2011 8:08 PM, Maxim Nazarenko wrote:
> I feel that if https is 100% enforced on the server's end then the
> corresponding rule should be commented in the source (and stripped
> during the build process).

My understanding has always been that the value of using 
HTTPS-Everywhere with sites that enforce HTTPS on the server side is 
that it prevents the initial non-secure connection. If a site enforces 
HTTPS on its side, it intercepts an HTTP request and forwards it to its 
secure server. There's still an initial unsecure connection that can be 
intercepted (I'm not sure I buy that there's any significant risk to 
that, but it's still an unsecure connection). With HTTPS-Everywhere, the 
HTTP request is converted to HTTPS on *your* side, so no unsecure 
connection is ever initiated.

In other words, I've been led to believe that including HTTPS-only 
sites in HTTPS-Everywhere was intentional, and was done for a reason.

-- 

Erik Harris                               http://www.eHarrisHome.com

"I would rather have a mind opened by wonder than one closed by belief." 
- Gerry Spence
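
An added example, not part of the original message or of the HTTPS Everywhere code base: a small model of the two flows discussed in this thread, listing which requests cross the network in cleartext when only the server redirects versus when a client-side rule rewrites the URL first. The hostname `shop.example`, the rule, the server model and all function names are constructed for illustration.

```javascript
// Added illustration; hostname, rule and function names are constructed.

// A rule in the style of an HTTPS Everywhere ruleset: regex "from", replacement "to".
const rules = [
  { from: /^http:\/\/(www\.)?shop\.example\//, to: "https://www.shop.example/" },
];

// Client-side rewrite: applied to the URL before any connection is opened.
function rewrite(url, ruleset) {
  for (const r of ruleset) {
    if (r.from.test(url)) return url.replace(r.from, r.to);
  }
  return url;
}

// Constructed model of a server that enforces HTTPS with a redirect.
function server(url) {
  if (url.startsWith("http://")) {
    return { status: 301, location: url.replace(/^http:/, "https:") };
  }
  return { status: 200 };
}

// Follow redirects and record every request that actually crosses the network.
function trace(startUrl, ruleset) {
  const wire = [];
  let url = rewrite(startUrl, ruleset);
  for (let hops = 0; hops < 5; hops++) {
    const res = server(url);
    wire.push({ url, cleartext: url.startsWith("http://"), status: res.status });
    if (res.status !== 301) break;
    url = rewrite(res.location, ruleset);
  }
  return wire;
}

// URLs an on-path observer could read or tamper with.
function cleartextRequests(startUrl, ruleset) {
  return trace(startUrl, ruleset).filter((r) => r.cleartext).map((r) => r.url);
}

console.log("server redirect only:", cleartextRequests("http://shop.example/cart?id=7", []));
console.log("with client-side rule:", cleartextRequests("http://shop.example/cart?id=7", rules));
```

With the server-side redirect alone, the full first request (path and query string included) is sent unencrypted before the 301 arrives; with the rule in place, no cleartext request is made.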


