[HTTPS-Everywhere] Proposal: ruleset maintainers and test URLs

Dave Warren davew at hireahit.com
Mon Aug 18 11:34:20 PDT 2014


On 2014-08-18 11:27, Nick Semenkovich wrote:
>
> On Mon, Aug 18, 2014 at 1:24 PM, Dave Warren <davew at hireahit.com 
> <mailto:davew at hireahit.com>> wrote:
>
>
>     Like with so many things in security, there is an obvious security
>     vs. usability tradeoff here: is it better to return an insecure
>     version of a page, or an error message and an unusable site?
>
>     Obviously if this is a permanent situation, the rule should be
>     disabled and removed, but in the case of a temporary error on the
>     HTTPS side, I'd be very nervous about automatically removing a
>     layer of security.
>
>
>
> Oh definitely -- I was thinking @jsha's proposal was on the 
> development / codebase side, not client extension side. Though maybe 
> things change so rarely it makes sense to manually validate all 
> disabled rules.

I think the same concern applies; ultimately rules will fail, so what 
action should be taken when a rule fails?

Ideally site operators start submitting their own rules, in which case 
you can notify the maintainer and they will either fix the site or the 
rule and the issue is resolved. But what if the maintainer fails to react? Or 
if the maintainer is with EFF or is a volunteer, and they confirm that the site 
isn't responding to HTTPS or is just returning errors, but there's no 
response from the site itself: what action is taken?

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
