[HTTPS-Everywhere] Turning HSTS headers into HTTPS Everywhere rules?

Jacob S Hoffman-Andrews jsha at eff.org
Mon Oct 6 08:18:33 PDT 2014


>> This is sort of an odd comment, isn't it?  Isn't the fundamental model
>> of https-everywhere to have a ruleset for every site on the web?
> 
> I don't think that HTTPS Everywhere can scale to have a rule for
> every web site -- and if the browsers that it runs in are willing to do
> equivalent work in a (potentially) more efficient way, I don't think we
> need to make rules that are redundant with the existing browser behavior.

Agreed. To put it more succinctly, for sites that do at least as
good a job of HTTPS'ing themselves as HTTPS-E does, we would choose
not to include a rule. Practically speaking that means they would
have to have an HSTS preload with includeSubdomains = true in both
Chrome and Firefox.

