[HTTPS-Everywhere] https-only mode: in scope?

[Yan]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi Chris!

This is really clever, and blocking HTTP by default unless whitelisted
is probably preferable for many superusers. Are you still planning on
opening a pull request to HTTPS Everywhere?

- -Yan

> From: *Micah Lee* <micah at eff.org <mailto:micah at eff.org>> Date: Wed,
> Aug 28, 2013 at 2:37 PM Subject: Re: [HTTPS-Everywhere] https-only
> mode: in scope? To: Chris Wilper <cwilper at gmail.com
> <mailto:cwilper at gmail.com>> Cc: https-everywhere at mail2.eff.org
> <mailto:https-everywhere at mail2.eff.org>
> 
> 
> I'd say work in a separate branch until you're confident that it
> works well and doesn't break anything else, and then I can review
> it and merge it into master.
> 
> On 08/27/2013 07:14 AM, Chris Wilper wrote:
>> Hi Micah,
>> 
>> Thanks for getting back. Although I did end up doing this as an 
>> independent extension, I still think it would be great to have
>> an https-only mode directly in HTTPS Everywhere, and would be
>> glad to work on it. I'm not as familiar with the Chromium side of
>> things, but I could certainly give it a shot. I like the idea of
>> just making it an about:config pref for now. Would it make most
>> sense to do this work against the master branch, or some other
>> branch?
>> 
>> Also, fyi I just published a blog post yesterday on why I think
>> this kind of capability is important:
>> 
> http://rx4g.wordpress.com/2013/08/26/why-browsers-need-encrypted-only-mode/
>>
> 
It mentions HTTPS Everywhere as well as the independent extension I did,
>> but the the post actually goes further and argues for this as a
>> core browser feature. I may be in the minority on that opinion,
>> but it did spark some interesting discussion in /r/netsec (linked
>> from the top of the post).
>> 
>> Thanks, Chris
>> 
>> On Tue, Aug 20, 2013 at 2:19 PM, Micah Lee <micah at eff.org
> <mailto:micah at eff.org>
>> <mailto:micah at eff.org <mailto:micah at eff.org>>> wrote:
>> 
>> Sorry about not responding to this for almost a month. I think 
>> integrating an https-only mode into HTTPS Everywhere would be
> great. If
>> you'd like to start hacking on it, please do.
>> 
>> I think that obviously this should default to off, and there
>> should be some setting to turn it back on. But right now HTTPS
>> Everywhere
> doesn't
>> actually have a very robust settings dialog. For now it could
>> just
> be an
>> about:config preference, like
>> extensions.https_everywhere.https_only.
>> 
>> Would you want to work on this for both Firefox and Chromium?
>> 
>> On 07/28/2013 08:20 PM, Chris Wilper wrote:
>>> Hi all,
>>> 
>>> As a user of https-everywhere, first I want to say thanks to
>>> the people involved in developing and maintaining it over the
>>> years.
> It's
>>> a great tool and promotes an important conversation.
>>> 
>>> When I first came across the extension, one thing I hoped it
>>> had was an https-only mode -- a way to temporarily ensure that
>>> no
> unencrypted
>>> web traffic could possibly leave my browser. Has this been
>>> discussed before in the context of this project? I checked the
>>> mailing list archives and came up short.
>>> 
>>> I'm sure folks here are familiar with the kinds of use cases
> that such
>>> an assurance could help with, but here are a couple specific
> examples
>>> to consider: 1) When I'm at my bank's website I want to make 
>>> absolutely sure I don't (accidentally or maliciously) get
> transferred
>>> over to an unencrypted connection without noticing. 2) When
>>> browsing anonymously with Tor, I don't want any unencrypted
>>> traffic to ever pass through an exit node.
>>> 
>>> Anyway, I'd really like to see a mode like this integrated
>>> into https-everywhere if it would be considered in-scope for
>>> the project. Something like a quick toggle ability and
>>> indication in the toolbar button graphic that you're in
>>> https-only mode. When in this mode, non-https requests would
>>> simply fail before leaving the browser.
>>> 
>>> As a proof of concept, I did a standalone Firefox extension
>>> that
> does
>>> this and put it up here:
>>> https://github.com/cwilper/http-nowhere  If there's support for
>>> having this kind of capability directly in https-everywhere,
>>> I'd be glad to start hacking away at it in that context, with
>>> as much guidance as the committers are willing to provide.
>>> Failing that, I'd probably just continue on the standalone 
>>> route. Thoughts?
>>> 
>>> Thanks, Chris
>>> 
>>> _______________________________________________ 
>>> HTTPS-everywhere mailing list HTTPS-everywhere at mail1.eff.org
> <mailto:HTTPS-everywhere at mail1.eff.org> 
> <mailto:HTTPS-everywhere at mail1.eff.org 
> <mailto:HTTPS-everywhere at mail1.eff.org>>
>>> https://mail1.eff.org/mailman/listinfo/https-everywhere
>>> 
>> 
>> 
>> -- Micah Lee Staff Technologist Electronic Frontier Foundation 
>> https://eff.org/join @micahflee
>> 
>> 
>> _______________________________________________ HTTPS-everywhere
>> mailing list HTTPS-everywhere at mail1.eff.org
> <mailto:HTTPS-everywhere at mail1.eff.org> 
> <mailto:HTTPS-everywhere at mail1.eff.org 
> <mailto:HTTPS-everywhere at mail1.eff.org>>
>> https://mail1.eff.org/mailman/listinfo/https-everywhere
>> 
>> 
> 
> 
> -- Micah Lee Staff Technologist Electronic Frontier Foundation 
> https://eff.org/join @micahflee
> 
> 
> _______________________________________________ HTTPS-everywhere
> mailing list HTTPS-everywhere at lists.eff.org
> <mailto:HTTPS-everywhere at lists.eff.org> 
> http://lists.eff.org/cgi-bin/mailman/listinfo/https-everywhere
> 
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCgAGBQJSq5ZQAAoJENC7YDZD/dnsatUH/2QiitwA1VpqxJATm4ly9XbW
Io1Pu+1zmnTmhbeRV5f0uEzqI62NED4rFIc14Emfs1n/ZgKl8sMhWf0fos0dqhjC
MlNnluJpaQESxFo0HZrxBfU1dW4wLMxxL349K/59bJhuAwJjo0NJdBbIhe6TLfvc
TAxXvz+UnteJt6K8I+IQ5b9MhaEU8BTv1Tde9ZW/y+nuoP8a/EtPOan0oGsYfwiT
34YKtBnNPFJveWtvB39w/rKEqswKtpI9tB/FXSsySDTjruYypuEsxbkv5z1uf8re
2wsmyun5zbBOAhWr0IuyLSdRjklKWQgl4p61u8SOqFobRemm15eOAHZoJjt0vJc=
=mnZA
-----END PGP SIGNATURE-----