[HTTPS-Everywhere] Sites that already enforce HTTPS
Erik Harris
erik at eharrishome.com
Wed Aug 31 17:20:03 PDT 2011
On 8/31/2011 8:08 PM, Maxim Nazarenko wrote:
> I feel that if https is 100% enforced on the server's end then the
> corresponding rule should be commented in the source (and stripped
> during the build process).
My understanding has always been that the value of using
HTTPS-Everywhere with sites that enforce HTTPS on the server side is
that it prevents the initial non-secure connection. If a site enforces
HTTPS on its side, it intercepts an HTTP request and forwards it to its
secure server. There's still an initial unsecure connection that can be
intercepted (I'm not sure I buy that there's any significant risk to
that, but it's still an unsecure connection). With HTTPS-Everywhere, the
HTTP request is converted to HTTPS on *your* side, so no unsecure
connection is ever initiated.
In other words, I've been led to believe that including HTTPS-only
sites in HTTPS-Everywhere was intentional, and was done for a reason.
--
Erik Harris http://www.eHarrisHome.com
"I would rather have a mind opened by wonder than one closed by belief."
- Gerry Spence
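
The difference described in the message above, shown as an added example that is not part of the original post and is not HTTPS Everywhere's own code. It models a simplified ruleset (targets, exclusions, from/to rules) and a server that redirects HTTP to HTTPS, then lists which requests go out in cleartext; `example.com`, the rule and the function names are constructed for illustration.

```javascript
// Simplified model of a client-side rewrite ruleset (constructed sample values).
const RULESET = {
  targets: ["example.com", "*.example.com"],
  exclusions: [/^http:\/\/static\.example\.com\/legacy\//],
  rules: [{ from: /^http:\/\/(www\.)?example\.com\//, to: "https://www.example.com/" }],
};

// Does a ruleset target cover this host? Supports a leading "*." wildcard.
function hostMatches(target, host) {
  if (target.startsWith("*.")) return host.endsWith(target.slice(1));
  return target === host;
}

// Client-side rewrite: applied before any connection is opened.
function rewrite(url, ruleset) {
  const host = new URL(url).hostname;
  if (!ruleset.targets.some((t) => hostMatches(t, host))) return url;
  if (ruleset.exclusions.some((re) => re.test(url))) return url;
  for (const { from, to } of ruleset.rules) {
    if (from.test(url)) return url.replace(from, to);
  }
  return url;
}

// Simulated server that enforces HTTPS: every http:// request gets a 301.
function serverRespond(url) {
  if (url.startsWith("http://")) {
    return { status: 301, location: url.replace(/^http:/, "https:") };
  }
  return { status: 200 };
}

// Follow one navigation and record every request that reaches the network.
// Pass ruleset = null to model a browser without client-side rewriting.
function navigate(url, ruleset) {
  const wire = [];
  let next = ruleset ? rewrite(url, ruleset) : url;
  for (let hops = 0; hops < 5; hops++) {
    wire.push(next);
    const res = serverRespond(next);
    if (res.status !== 301) break;
    next = ruleset ? rewrite(res.location, ruleset) : res.location;
  }
  return { wire, plaintext: wire.filter((u) => u.startsWith("http://")) };
}
```

A URL that falls under an exclusion, or that no rule covers, still sends its first request in cleartext and relies on the server's redirect.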