[HTTPS-Everywhere] https-only mode: in scope?

Chris Wilper cwilper at gmail.com
Tue Aug 27 07:14:34 PDT 2013 

Hi Micah,

Thanks for getting back. Although I did end up doing this as an independent
extension, I still think it would be great to have an https-only mode
directly in HTTPS Everywhere, and would be glad to work on it. I'm not as
familiar with the Chromium side of things, but I could certainly give it a
shot. I like the idea of just making it an about:config pref for now. Would
it make most sense to do this work against the master branch, or some other
branch?

Also, fyi I just published a blog post yesterday on why I think this kind
of capability is important:
http://rx4g.wordpress.com/2013/08/26/why-browsers-need-encrypted-only-mode/It
mentions HTTPS Everywhere as well as the independent extension I did,
but the the post actually goes further and argues for this as a core
browser feature. I may be in the minority on that opinion, but it did spark
some interesting discussion in /r/netsec (linked from the top of the post).

Thanks,
Chris

On Tue, Aug 20, 2013 at 2:19 PM, Micah Lee <micah at eff.org> wrote:

> Sorry about not responding to this for almost a month. I think
> integrating an https-only mode into HTTPS Everywhere would be great. If
> you'd like to start hacking on it, please do.
>
> I think that obviously this should default to off, and there should be
> some setting to turn it back on. But right now HTTPS Everywhere doesn't
> actually have a very robust settings dialog. For now it could just be an
> about:config preference, like extensions.https_everywhere.https_only.
>
> Would you want to work on this for both Firefox and Chromium?
>
> On 07/28/2013 08:20 PM, Chris Wilper wrote:
> > Hi all,
> >
> > As a user of https-everywhere, first I want to say thanks to the
> > people involved in developing and maintaining it over the years. It's
> > a great tool and promotes an important conversation.
> >
> > When I first came across the extension, one thing I hoped it had was
> > an https-only mode -- a way to temporarily ensure that no unencrypted
> > web traffic could possibly leave my browser. Has this been discussed
> > before in the context of this project? I checked the mailing list
> > archives and came up short.
> >
> > I'm sure folks here are familiar with the kinds of use cases that such
> > an assurance could help with, but here are a couple specific examples
> > to consider: 1) When I'm at my bank's website I want to make
> > absolutely sure I don't (accidentally or maliciously) get transferred
> > over to an unencrypted connection without noticing. 2) When browsing
> > anonymously with Tor, I don't want any unencrypted traffic to ever
> > pass through an exit node.
> >
> > Anyway, I'd really like to see a mode like this integrated into
> > https-everywhere if it would be considered in-scope for the project.
> > Something like a quick toggle ability and indication in the toolbar
> > button graphic that you're in https-only mode. When in this mode,
> > non-https requests would simply fail before leaving the browser.
> >
> > As a proof of concept, I did a standalone Firefox extension that does
> > this and put it up here: https://github.com/cwilper/http-nowhere  If
> > there's support for having this kind of capability directly in
> > https-everywhere, I'd be glad to start hacking away at it in that
> > context, with as much guidance as the committers are willing to
> > provide. Failing that, I'd probably just continue on the standalone
> > route. Thoughts?
> >
> > Thanks,
> > Chris
> >
> > _______________________________________________
> > HTTPS-everywhere mailing list
> > HTTPS-everywhere at mail1.eff.org
> > https://mail1.eff.org/mailman/listinfo/https-everywhere
> >
>
>
> --
> Micah Lee
> Staff Technologist
> Electronic Frontier Foundation
> https://eff.org/join
> @micahflee
>
>
> _______________________________________________
> HTTPS-everywhere mailing list
> HTTPS-everywhere at mail1.eff.org
> https://mail1.eff.org/mailman/listinfo/https-everywhere
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.eff.org/pipermail/https-everywhere/attachments/20130827/e5fd9850/attachment.html>

More information about the HTTPS-everywhere mailing list