[HTTPS-Everywhere] Demo: HTTPS Switch Planner

Yan Zhu yan at eff.org
Mon Dec 30 11:55:28 PST 2013


Hi Jacob!

I think this is great! I tried out the pre-built crx and it worked
fine. It's nice to see the Chrome version getting these patches all of
a sudden. :)

A couple of requests / ideas:

1. It would be useful to see a list of the URLs that were rewritten
from HTTP to HTTPS by HTTPS Everywhere in addition to the ones that
couldn't be rewritten. I (putting on my web developer hat) could then
just go ahead and change those to HTTPS if they weren't already. [1]

2. Do you think this would make sense as an extension of DevTools? Ex:
https://developer.chrome.com/extensions/devtools.html. This to me
looks like the start of an SSL debugger/profiler panel :). We could
either activate this panel by default whenever someone opens DevTools
or have a toggle on/off item in the HTTPS Everywhere dropdown menu.

3. Should this also show cookie rewrites?


[1] One caveat here is that we rewrite some HTTPS URLs to HTTPS and
sometimes HTTP. We probably shouldn't show these. I'm imagining a
panel in DevTools that displays HTTP URLs detected and rewritten to
HTTPS URLs by onBeforeRequest, minus ones that are blacklisted due to
redirect loops.


Thanks for the patches! This is pretty exciting.

-Yan


On 12/30/2013 10:37 AM, Jacob Hoffman-Andrews wrote:
> For a web developer considering a switch to HTTPS, the biggest
> obstacle is often Mixed Content, especially from resources external
> to your site (ads, CDN, analytics, etc). Before spending any money
> and time on a certificate, you'd like to know what your
> dependencies are and whether it's even possible to move them to
> HTTPS.
> 
> The idea, in this demo, is that a web developer would (1) Install
> HTTPS Everywhere and enable Switch Planner mode (2) Navigate to all
> the corners of their existing HTTP web site (example.com) (3) Click
> the HTTPS Everywhere icon to get a list of all the third-party
> domains used by example.com and not rewritable by HTTPS 
> Everywhere.
> 
> If the list is empty: You're good to go! You can deploy a
> certificate today, get added to HTTPS Everywhere, and users with
> the plugin will start getting a secure experience right away. You
> can then begin the slow process of rewriting all the references in
> your site's source code, so non-plugin users can be secure too.
> 
> If the list is non-empty: Go through it in priority order and see
> if (a) the third-party domain is actually available under HTTPS,
> but not yet added to HTTPS Everywhere, (b) you can convince the
> third-party operator to implement HTTPS, or (c) you can remove or
> replace the resource.
> 
> This is also a useful tool for savvy users to see what would block
> their favorite sites from switching, and try to get some of the
> dependencies fixed.
> 
> Patches (Chrome-only) attached, and also at 
> https://github.com/jsha/https-everywhere/compare/switchplanner
> 
> Ready-built .crx file to try out:
> https://jacob.hoffman-andrews.com/hacks/https-everywhere-jsha-switch-planner-demo-v1.crx
> (and .asc for sig). Try it on any HTTP site, e.g.
> http://www.theguardian.com or http://www.washingtonpost.com/. For
> most accurate results turn off any ad blockers first.
> 
> What do you all think? Is this a feature you'd like to see land in 
> master? If so I'll work on a cleaner and more usable patch.

-- 
Yan Zhu                           yan at eff.org
Technologist                      Tel  +1 415 436 9333 x134
Electronic Frontier Foundation    Fax  +1 415 436 9993
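The classification discussed in this thread (third-party HTTP hosts that cannot be rewritten, plus the HTTP-to-HTTPS rewrites requested in item 1), as an added example that is not part of either message or of the attached patches. The rule objects are a constructed simplification rather than the HTTPS Everywhere ruleset format, the function names are hypothetical, and all hosts and URLs are constructed sample data.

```javascript
// Added example: RULES is a constructed simplification, not the real ruleset format.
const RULES = [
  { hosts: ["cdn.example.net"], from: /^http:/, to: "https:" },
  { hosts: ["*.tracker.example"], from: /^http:/, to: "https:" },
];
const SAMPLE_REQUESTS = [ // constructed requests seen while browsing http://example.com
  "http://example.com/index.html",
  "http://static.example.com/site.css",
  "http://cdn.example.net/lib.js",
  "http://a.tracker.example/t.js",
  "http://ads.example.org/banner.js",
  "http://ads.example.org/pixel.gif",
  "http://fonts.example.info/font.woff",
  "https://secure.example.net/widget.js",
];

// "*.foo.example" matches subdomains only; anything else is an exact match.
function hostMatches(pattern, host) {
  return pattern.startsWith("*.") ? host.endsWith(pattern.slice(1)) : host === pattern;
}
// Return the rewritten URL, or null when no rule changes it.
function rewrite(url, rules) {
  const host = new URL(url).hostname;
  for (const rule of rules) {
    if (!rule.hosts.some((p) => hostMatches(p, host))) continue;
    const out = url.replace(rule.from, rule.to);
    if (out !== url) return out;
  }
  return null;
}

function planSwitch(firstParty, requestUrls, rules) {
  const rewritten = [];
  const counts = new Map();
  for (const url of requestUrls) {
    const u = new URL(url);
    if (u.protocol !== "http:") continue; // report only requests made over HTTP
    // Assumption: first party = the site host and its subdomains.
    if (u.hostname === firstParty || u.hostname.endsWith("." + firstParty)) continue;
    const to = rewrite(url, rules);
    if (to !== null && to.startsWith("https://")) rewritten.push({ from: url, to });
    else counts.set(u.hostname, (counts.get(u.hostname) || 0) + 1);
  }
  // Most-requested blockers first, so the list reads in priority order.
  const unrewritable = [...counts]
    .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]))
    .map(([host, requests]) => ({ host, requests }));
  return { rewritten, unrewritable };
}
console.log(JSON.stringify(planSwitch("example.com", SAMPLE_REQUESTS, RULES), null, 2));
```

An empty `unrewritable` list corresponds to the "good to go" case in the original message; otherwise each entry is a dependency to check for HTTPS support, raise with its operator, or replace.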

