[HTTPS-Everywhere] Turning HSTS headers into HTTPS Everywhere rules?
yan
yan at mit.edu
Thu Sep 11 21:12:18 PDT 2014
Some of the work is done already. There's a script in utils/ to fetch
the chromium preload list and turn it into rulesets automatically;
someone should run it and commit the new rulesets. :)
I suspect that in FF and Chrome, HSTS happens earlier in the request
pipeline before HTTPS Everywhere rewrites.
One potential downfall is that this would make the ruleset list very
large, and HTTPS Everywhere is probably less efficient at doing its job
than HSTS.
-Yan
On 09/11/2014 07:43 PM, Lunar wrote:
> Hi!
>
> (Crazy idea of the day:)
>
> How about crawling HTTPS websites, recording HSTS [1] headers, and
> turning the information into HTTPS Everywhere rules automatically?
>
> Has this been ever tried?
>
> Is it a terrible idea?
>
> HSTS headers contain expiration dates, so with the proper database, we
> would know when to return to a given website for updates.
>
> [1]: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
>
More information about the HTTPS-Everywhere
mailing list