[HTTPS-Everywhere] Firefox 17 to feature HSTS pre-load list
Peter Eckersley
pde at eff.org
Fri Oct 5 10:14:58 PDT 2012
On Fri, Oct 05, 2012 at 01:19:36PM +0100, David Crick wrote:
> wondered if the HTTPS Everywhere guys were aware of this:
>
> https://wiki.mozilla.org/index.php?title=Privacy/Features/HSTS_Preload_List&diff=468853&oldid=prev
>
> and how it would interact/duplicate/conflict with HTTPS
> Everywhere.
That's great. HSTS preloading will make a few of the simpler HTTPS Everywhere
rulesets obsolete, IF sites are sending the HSTS header. HSTS preloading
won't help if sites don't send the header, and it can't replace the more
complicated parts of the ruleset library:
https://gitweb.torproject.org/https-everywhere.git/tree/HEAD:/src/chrome/content/rules
Another issue HTTPS Everywhere is starting to encounter is scalability:
parsing XML and keeping various JS data structures for tens of thousands of
rules is not efficient. At some point we should take the domains that have
simple, HSTS-like rules and stick them into an efficiently compressed
database. Maybe the HSTS-preload database is the right way to do that, or
maybe we should roll our own.
--
Peter Eckersley pde at eff.org
Technology Projects Director Tel +1 415 436 9333 x131
Electronic Frontier Foundation Fax +1 415 436 9993
More information about the HTTPS-everywhere
mailing list