[HTTPS-Everywhere] HTTPS Everywhere and Google Mail/Twitter

Peter Eckersley pde at eff.org
Fri Mar 25 08:54:15 PDT 2011


On Fri, Mar 25, 2011 at 11:51:35AM +0000, Oldak Quill wrote:

> Google Mail uses HTTPS by default, and I'm not sure if HTTPS
> Everywhere plays much of a role in enforcing HTTPS when using Gmail.

It plays a small role for Gmail, which is to prevent SSL stripping -- a
vulnerability you would be exposed to if you manually typed "gmail.com" into
the address bar without HTTPS Everywhere. 

http://www.thoughtcrime.org/software/sslstrip/

> So: should I be concerned that HTTP is necessary for HTTPS connections to
> be initiated for certain websites?

Great question!  You can use a tool like Live HTTP Headers (currently
available for Firefox 3.* but not 4) or Wireshark to investigate situations
like this.  Hopefully, what you'll see is that your browser is configured to
require an OCSP response for some domain(s) over HTTP before it completes the
HTTPS handshakes.  There are a lot of problems with OCSP that are being
discussed at the moment, but if your client is refusing to function when it
can't do HTTP OCSP that's actually the right behaviour.

If the problem is not OCSP but instead some other HTTP connection, that could
be a serious bug that we need to fix.

-- 
Peter Eckersley                            pde at eff.org
Senior Staff Technologist         Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993
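
The SSL-stripping point above, as an added example that is not part of the original thread and not the extension's own code: a simplified model of how an HTTPS Everywhere-style ruleset rewrites a plain http:// URL before the request leaves the browser. The rule objects mirror the attributes of the project's XML ruleset format (target host, exclusion pattern, rule from/to), but the rulesets, hostnames and the OCSP-path exclusion below are constructed for illustration and are not the project's shipped rules.

```javascript
// Simplified HTTPS Everywhere-style URL rewriting (added example, not the
// extension's code). Rulesets are constructed; the patterns are assumptions.

// Each entry mirrors HTTPS Everywhere's XML attributes:
//   <target host=.../>  <exclusion pattern=.../>  <rule from=... to=.../>
const RULESETS = [
  {
    name: "GoogleMail (constructed)",
    targets: ["gmail.com", "www.gmail.com", "mail.google.com"],
    exclusions: [],
    rules: [
      { from: /^http:\/\/(www\.)?gmail\.com\//, to: "https://mail.google.com/" },
      { from: /^http:\/\/mail\.google\.com\//, to: "https://mail.google.com/" },
    ],
  },
  {
    name: "ExampleWithOcspExclusion (constructed)",
    targets: ["www.example.com"],
    // Hypothetical: an OCSP responder path that must stay plain HTTP, so the
    // client can still fetch revocation status before finishing the handshake.
    exclusions: [/^http:\/\/www\.example\.com\/ocsp/],
    rules: [{ from: /^http:\/\/www\.example\.com\//, to: "https://www.example.com/" }],
  },
];

// Apply the first matching ruleset to a URL. Returns the (possibly rewritten)
// URL plus why it was or was not rewritten.
function applyRulesets(url, rulesets = RULESETS) {
  // Only http:// requests are candidates; https:// and other schemes pass through.
  if (!url.startsWith("http://")) return { url, rewritten: false, reason: "not-http" };
  const host = new URL(url).hostname;
  for (const rs of rulesets) {
    if (!rs.targets.includes(host)) continue;
    // Exclusions win over rules, so a legitimate HTTP-only endpoint is left alone.
    if (rs.exclusions.some((re) => re.test(url))) {
      return { url, rewritten: false, reason: "excluded" };
    }
    for (const rule of rs.rules) {
      if (rule.from.test(url)) {
        return { url: url.replace(rule.from, rule.to), rewritten: true, reason: rs.name };
      }
    }
  }
  return { url, rewritten: false, reason: "no-rule" };
}

// What the browser actually puts on the wire when a bare hostname is typed.
// Without a scheme, the first request goes out as plain http://, which is the
// window an SSL-stripping proxy needs; with the rewriter it never happens.
function typedAddressToRequest(typed, extensionEnabled) {
  const initial = /^[a-z][a-z0-9+.-]*:\/\//i.test(typed) ? typed : `http://${typed}/`;
  return extensionEnabled ? applyRulesets(initial).url : initial;
}

console.log(typedAddressToRequest("gmail.com", false)); // http://gmail.com/
console.log(typedAddressToRequest("gmail.com", true));  // https://mail.google.com/
console.log(applyRulesets("http://www.example.com/ocsp/MEow"));
```

Run with `node` (it uses only the global `URL` class). The exclusion branch is the part that matters for the OCSP discussion: a rewriter that blindly forced every http:// request to https:// would break the HTTP fetch the client needs to complete its handshake, which is why rulesets carry exclusions rather than a blanket rewrite.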


