[HTTPS-Everywhere] https-only mode: in scope?

Micah Lee micah at eff.org
Wed Aug 28 14:37:29 PDT 2013 

I'd say work in a separate branch until you're confident that it works
well and doesn't break anything else, and then I can review it and merge
it into master.

On 08/27/2013 07:14 AM, Chris Wilper wrote:
> Hi Micah,
> 
> Thanks for getting back. Although I did end up doing this as an
> independent extension, I still think it would be great to have an
> https-only mode directly in HTTPS Everywhere, and would be glad to work
> on it. I'm not as familiar with the Chromium side of things, but I could
> certainly give it a shot. I like the idea of just making it an
> about:config pref for now. Would it make most sense to do this work
> against the master branch, or some other branch?
> 
> Also, fyi I just published a blog post yesterday on why I think this
> kind of capability is important:
>  http://rx4g.wordpress.com/2013/08/26/why-browsers-need-encrypted-only-mode/
> It mentions HTTPS Everywhere as well as the independent extension I did,
> but the the post actually goes further and argues for this as a core
> browser feature. I may be in the minority on that opinion, but it did
> spark some interesting discussion in /r/netsec (linked from the top of
> the post).
> 
> Thanks,
> Chris
> 
> On Tue, Aug 20, 2013 at 2:19 PM, Micah Lee <micah at eff.org
> <mailto:micah at eff.org>> wrote:
> 
>     Sorry about not responding to this for almost a month. I think
>     integrating an https-only mode into HTTPS Everywhere would be great. If
>     you'd like to start hacking on it, please do.
> 
>     I think that obviously this should default to off, and there should be
>     some setting to turn it back on. But right now HTTPS Everywhere doesn't
>     actually have a very robust settings dialog. For now it could just be an
>     about:config preference, like extensions.https_everywhere.https_only.
> 
>     Would you want to work on this for both Firefox and Chromium?
> 
>     On 07/28/2013 08:20 PM, Chris Wilper wrote:
>     > Hi all,
>     >
>     > As a user of https-everywhere, first I want to say thanks to the
>     > people involved in developing and maintaining it over the years. It's
>     > a great tool and promotes an important conversation.
>     >
>     > When I first came across the extension, one thing I hoped it had was
>     > an https-only mode -- a way to temporarily ensure that no unencrypted
>     > web traffic could possibly leave my browser. Has this been discussed
>     > before in the context of this project? I checked the mailing list
>     > archives and came up short.
>     >
>     > I'm sure folks here are familiar with the kinds of use cases that such
>     > an assurance could help with, but here are a couple specific examples
>     > to consider: 1) When I'm at my bank's website I want to make
>     > absolutely sure I don't (accidentally or maliciously) get transferred
>     > over to an unencrypted connection without noticing. 2) When browsing
>     > anonymously with Tor, I don't want any unencrypted traffic to ever
>     > pass through an exit node.
>     >
>     > Anyway, I'd really like to see a mode like this integrated into
>     > https-everywhere if it would be considered in-scope for the project.
>     > Something like a quick toggle ability and indication in the toolbar
>     > button graphic that you're in https-only mode. When in this mode,
>     > non-https requests would simply fail before leaving the browser.
>     >
>     > As a proof of concept, I did a standalone Firefox extension that does
>     > this and put it up here: https://github.com/cwilper/http-nowhere  If
>     > there's support for having this kind of capability directly in
>     > https-everywhere, I'd be glad to start hacking away at it in that
>     > context, with as much guidance as the committers are willing to
>     > provide. Failing that, I'd probably just continue on the standalone
>     > route. Thoughts?
>     >
>     > Thanks,
>     > Chris
>     >
>     > _______________________________________________
>     > HTTPS-everywhere mailing list
>     > HTTPS-everywhere at mail1.eff.org <mailto:HTTPS-everywhere at mail1.eff.org>
>     > https://mail1.eff.org/mailman/listinfo/https-everywhere
>     >
> 
> 
>     --
>     Micah Lee
>     Staff Technologist
>     Electronic Frontier Foundation
>     https://eff.org/join
>     @micahflee
> 
> 
>     _______________________________________________
>     HTTPS-everywhere mailing list
>     HTTPS-everywhere at mail1.eff.org <mailto:HTTPS-everywhere at mail1.eff.org>
>     https://mail1.eff.org/mailman/listinfo/https-everywhere
> 
> 


-- 
Micah Lee
Staff Technologist
Electronic Frontier Foundation
https://eff.org/join
@micahflee

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 897 bytes
Desc: OpenPGP digital signature
URL: <http://lists.eff.org/pipermail/https-everywhere/attachments/20130828/be8223e0/attachment.sig>

More information about the HTTPS-everywhere mailing list