[HTTPS-Everywhere] https-only mode: in scope?

Micah Lee micah at eff.org
Tue Aug 20 13:19:51 PDT 2013


Sorry about not responding to this for almost a month. I think
integrating an https-only mode into HTTPS Everywhere would be great. If
you'd like to start hacking on it, please do.

I think that obviously this should default to off, and there should be
some setting to turn it back on. But right now HTTPS Everywhere doesn't
actually have a very robust settings dialog. For now it could just be an
about:config preference, like extensions.https_everywhere.https_only.

Would you want to work on this for both Firefox and Chromium?

On 07/28/2013 08:20 PM, Chris Wilper wrote:
> Hi all,
> 
> As a user of https-everywhere, first I want to say thanks to the
> people involved in developing and maintaining it over the years. It's
> a great tool and promotes an important conversation.
> 
> When I first came across the extension, one thing I hoped it had was
> an https-only mode -- a way to temporarily ensure that no unencrypted
> web traffic could possibly leave my browser. Has this been discussed
> before in the context of this project? I checked the mailing list
> archives and came up short.
> 
> I'm sure folks here are familiar with the kinds of use cases that such
> an assurance could help with, but here are a couple specific examples
> to consider: 1) When I'm at my bank's website I want to make
> absolutely sure I don't (accidentally or maliciously) get transferred
> over to an unencrypted connection without noticing. 2) When browsing
> anonymously with Tor, I don't want any unencrypted traffic to ever
> pass through an exit node.
> 
> Anyway, I'd really like to see a mode like this integrated into
> https-everywhere if it would be considered in-scope for the project.
> Something like a quick toggle ability and indication in the toolbar
> button graphic that you're in https-only mode. When in this mode,
> non-https requests would simply fail before leaving the browser.
> 
> As a proof of concept, I did a standalone Firefox extension that does
> this and put it up here: https://github.com/cwilper/http-nowhere  If
> there's support for having this kind of capability directly in
> https-everywhere, I'd be glad to start hacking away at it in that
> context, with as much guidance as the committers are willing to
> provide. Failing that, I'd probably just continue on the standalone
> route. Thoughts?
> 
> Thanks,
> Chris
> 
> _______________________________________________
> HTTPS-everywhere mailing list
> HTTPS-everywhere at mail1.eff.org
> https://mail1.eff.org/mailman/listinfo/https-everywhere
> 


-- 
Micah Lee
Staff Technologist
Electronic Frontier Foundation
https://eff.org/join
@micahflee

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 897 bytes
Desc: OpenPGP digital signature
URL: <http://lists.eff.org/pipermail/https-everywhere/attachments/20130820/0e9bf049/attachment.sig>


More information about the HTTPS-everywhere mailing list