[HTTPS-Everywhere] https-only mode: in scope?

Chris Wilper cwilper at gmail.com
Sun Jul 28 20:20:39 PDT 2013


Hi all,

As a user of https-everywhere, first I want to say thanks to the
people involved in developing and maintaining it over the years. It's
a great tool and promotes an important conversation.

When I first came across the extension, one thing I hoped it had was
an https-only mode -- a way to temporarily ensure that no unencrypted
web traffic could possibly leave my browser. Has this been discussed
before in the context of this project? I checked the mailing list
archives and came up short.

I'm sure folks here are familiar with the kinds of use cases that such
an assurance could help with, but here are a couple specific examples
to consider: 1) When I'm at my bank's website I want to make
absolutely sure I don't (accidentally or maliciously) get transferred
over to an unencrypted connection without noticing. 2) When browsing
anonymously with Tor, I don't want any unencrypted traffic to ever
pass through an exit node.

Anyway, I'd really like to see a mode like this integrated into
https-everywhere if it would be considered in-scope for the project.
Something like a quick toggle ability and indication in the toolbar
button graphic that you're in https-only mode. When in this mode,
non-https requests would simply fail before leaving the browser.

As a proof of concept, I did a standalone Firefox extension that does
this and put it up here: https://github.com/cwilper/http-nowhere  If
there's support for having this kind of capability directly in
https-everywhere, I'd be glad to start hacking away at it in that
context, with as much guidance as the committers are willing to
provide. Failing that, I'd probably just continue on the standalone
route. Thoughts?

Thanks,
Chris



