[HTTPS-Everywhere] https-only mode: in scope?
Micah Lee
micah at eff.org
Wed Aug 28 14:37:29 PDT 2013
I'd say work in a separate branch until you're confident that it works
well and doesn't break anything else, and then I can review it and merge
it into master.
On 08/27/2013 07:14 AM, Chris Wilper wrote:
> Hi Micah,
>
> Thanks for getting back. Although I did end up doing this as an
> independent extension, I still think it would be great to have an
> https-only mode directly in HTTPS Everywhere, and would be glad to work
> on it. I'm not as familiar with the Chromium side of things, but I could
> certainly give it a shot. I like the idea of just making it an
> about:config pref for now. Would it make most sense to do this work
> against the master branch, or some other branch?
>
> Also, fyi I just published a blog post yesterday on why I think this
> kind of capability is important:
> http://rx4g.wordpress.com/2013/08/26/why-browsers-need-encrypted-only-mode/
> It mentions HTTPS Everywhere as well as the independent extension I did,
> but the the post actually goes further and argues for this as a core
> browser feature. I may be in the minority on that opinion, but it did
> spark some interesting discussion in /r/netsec (linked from the top of
> the post).
>
> Thanks,
> Chris
>
> On Tue, Aug 20, 2013 at 2:19 PM, Micah Lee <micah at eff.org
> <mailto:micah at eff.org>> wrote:
>
> Sorry about not responding to this for almost a month. I think
> integrating an https-only mode into HTTPS Everywhere would be great. If
> you'd like to start hacking on it, please do.
>
> I think that obviously this should default to off, and there should be
> some setting to turn it back on. But right now HTTPS Everywhere doesn't
> actually have a very robust settings dialog. For now it could just be an
> about:config preference, like extensions.https_everywhere.https_only.
>
> Would you want to work on this for both Firefox and Chromium?
>
> On 07/28/2013 08:20 PM, Chris Wilper wrote:
> > Hi all,
> >
> > As a user of https-everywhere, first I want to say thanks to the
> > people involved in developing and maintaining it over the years. It's
> > a great tool and promotes an important conversation.
> >
> > When I first came across the extension, one thing I hoped it had was
> > an https-only mode -- a way to temporarily ensure that no unencrypted
> > web traffic could possibly leave my browser. Has this been discussed
> > before in the context of this project? I checked the mailing list
> > archives and came up short.
> >
> > I'm sure folks here are familiar with the kinds of use cases that such
> > an assurance could help with, but here are a couple specific examples
> > to consider: 1) When I'm at my bank's website I want to make
> > absolutely sure I don't (accidentally or maliciously) get transferred
> > over to an unencrypted connection without noticing. 2) When browsing
> > anonymously with Tor, I don't want any unencrypted traffic to ever
> > pass through an exit node.
> >
> > Anyway, I'd really like to see a mode like this integrated into
> > https-everywhere if it would be considered in-scope for the project.
> > Something like a quick toggle ability and indication in the toolbar
> > button graphic that you're in https-only mode. When in this mode,
> > non-https requests would simply fail before leaving the browser.
> >
> > As a proof of concept, I did a standalone Firefox extension that does
> > this and put it up here: https://github.com/cwilper/http-nowhere If
> > there's support for having this kind of capability directly in
> > https-everywhere, I'd be glad to start hacking away at it in that
> > context, with as much guidance as the committers are willing to
> > provide. Failing that, I'd probably just continue on the standalone
> > route. Thoughts?
> >
> > Thanks,
> > Chris
> >
> > _______________________________________________
> > HTTPS-everywhere mailing list
> > HTTPS-everywhere at mail1.eff.org <mailto:HTTPS-everywhere at mail1.eff.org>
> > https://mail1.eff.org/mailman/listinfo/https-everywhere
> >
>
>
> --
> Micah Lee
> Staff Technologist
> Electronic Frontier Foundation
> https://eff.org/join
> @micahflee
>
>
> _______________________________________________
> HTTPS-everywhere mailing list
> HTTPS-everywhere at mail1.eff.org <mailto:HTTPS-everywhere at mail1.eff.org>
> https://mail1.eff.org/mailman/listinfo/https-everywhere
>
>
--
Micah Lee
Staff Technologist
Electronic Frontier Foundation
https://eff.org/join
@micahflee
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 897 bytes
Desc: OpenPGP digital signature
URL: <http://lists.eff.org/pipermail/https-everywhere/attachments/20130828/be8223e0/attachment.sig>
More information about the HTTPS-everywhere
mailing list