[HTTPS-Everywhere] Sites that already enforce HTTPS
Seth David Schoen
schoen at eff.org
Wed Aug 31 17:31:32 PDT 2011
Erik Harris writes:
> On 8/31/2011 8:08 PM, Maxim Nazarenko wrote:
> >I feel that if https is 100% enforced on the server's end then the
> >corresponding rule should be commented in the source (and stripped
> >during the build process).
>
> My understanding has always been that the value of using
> HTTPS-Everywhere with sites that enforce HTTPS on the server side is
> that it prevents the initial non-secure connection. If a site
> enforces HTTPS on its side, it intercepts an HTTP request and
> forwards it to its secure server. There's still an initial unsecure
> connection that can be intercepted (I'm not sure I buy that there's
> any significant risk to that, but it's still an unsecure
> connection). With HTTPS-Everywhere, the HTTP request is converted to
> HTTPS on *your* side, so no unsecure connection is ever initiated.
>
> In other words, I've been led to believe that including HTTPS-only
> sites in HTTPS-Everywhere was intentional, and was done for a
> reason.
That's right. See
http://www.thoughtcrime.org/software/sslstrip/
--
Seth Schoen <schoen at eff.org>
Senior Staff Technologist https://www.eff.org/
Electronic Frontier Foundation https://www.eff.org/join
454 Shotwell Street, San Francisco, CA 94110 +1 415 436 9333 x107
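The difference Erik describes, modelled as an added example (this is not code from the HTTPS-Everywhere project or from anyone on the thread): a toy network records every connection a browser would open. With server-side enforcement only, the first request still goes out over plaintext HTTP and is answered with a redirect; with a client-side rewrite rule applied before the request is made, no plaintext connection is ever opened. The rule shape loosely mirrors the extension's from/to rewrite idea, and the `example.com` hostnames and regex are constructed for this illustration.

```javascript
// Added example, not from the HTTPS-Everywhere project. Models a
// client-side HTTP->HTTPS rewrite rule versus a site that only redirects
// on the server. Hostnames and the regex are constructed for illustration.

// Rule list in the spirit of the extension's <rule from="..." to="..."/>
// entries: a regex matched against the URL and a replacement pattern.
const RULES = [
  { from: /^http:\/\/(www\.)?example\.com\//, to: "https://$1example.com/" },
];

// Rewrite a URL before any connection is opened; returns the URL
// unchanged when no rule matches (an unmatched "$1" substitutes "").
function applyRules(url, rules = RULES) {
  for (const { from, to } of rules) {
    if (from.test(url)) return url.replace(from, to);
  }
  return url;
}

// Toy network that records every connection it would open. A plaintext
// request to the "server-side enforcing" site is answered with a redirect
// to the HTTPS equivalent, which the client then follows.
function makeNetwork() {
  const log = [];
  function fetchUrl(url) {
    const u = new URL(url);
    log.push({ scheme: u.protocol.replace(":", ""), host: u.hostname, path: u.pathname });
    if (u.protocol === "http:") {
      // Server-side enforcement: 301 to https:// and follow it.
      u.protocol = "https:";
      return fetchUrl(u.toString());
    }
    return { status: 200, url: u.toString() };
  }
  return { fetchUrl, log };
}

// Navigate relying on server-side enforcement only: the initial
// plaintext request is still sent and shows up in the log.
function browseWithoutExtension(url) {
  const net = makeNetwork();
  net.fetchUrl(url);
  return net.log;
}

// Navigate with the client-side rewrite applied first: the URL is
// upgraded before the first connection, so nothing plaintext is logged.
function browseWithExtension(url) {
  const net = makeNetwork();
  net.fetchUrl(applyRules(url));
  return net.log;
}

// Count the connections in a log that went out over plaintext HTTP.
function plaintextConnections(log) {
  return log.filter((e) => e.scheme === "http").length;
}

// Stand-alone run: one plaintext connection without the rule, none with it.
console.log(plaintextConnections(browseWithoutExtension("http://www.example.com/login")));
console.log(plaintextConnections(browseWithExtension("http://www.example.com/login")));
```

The log is what matters for the threat on the page: an on-path attacker who can see or answer the first plaintext request (the sslstrip case Seth links) has nothing to work with when that request is never sent, and the rewrite rule is what removes it. Note that the rule only helps for hostnames it matches; a URL for a host outside the ruleset is passed through untouched.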