[HTTPS-Everywhere] Turning HSTS headers into HTTPS Everywhere rules?

Seth David Schoen schoen at eff.org
Fri Sep 12 18:27:50 PDT 2014


Jameson Graef Rollins writes:

> On Thu, Sep 11 2014, yan <yan at mit.edu> wrote:
> > One potential downfall is that this would make the ruleset list very
> > large, and HTTPS Everywhere is probably less efficient at doing its job
> > than HSTS.
> 
> This is sort of an odd comment, isn't it?  Isn't the fundamental model
> of https-everywhere to have a ruleset for every site on the web?

I don't think that HTTPS Everywhere can scale to have a rule for
every web site -- and if the browsers that it runs in are willing to do
equivalent work in a (potentially) more efficient way, I don't think we
need to make rules that are redundant with the existing browser behavior.

That's why the chromium-preloads.py script, which I wrote a while ago,
was written to set platform="firefox" for all of the rules it generated --
the idea was that the rulesets derived from the Chromium preloads list
would be redundant in Chromium-based web browsers, but not in Firefox,
which at the time didn't have an HSTS preload list.  If the Firefox HSTS
preload list is being regularly updated from the Chromium list, my view
would be that this is largely obsolete now as a source of rulesets.

I think there's an interesting discussion to be had about what the best
long-term solution for security and scalability will be.  We might hope to
have a set of safe and scalable security policy mechanisms through which
sites can make themselves entirely HTTPS-only, and provide mechanisms,
incentives, norms, and/or defaults that help all web sites adopt these
mechanisms.  Then we wouldn't need to do case-by-case upgrade rules in
the first place.

But it's not necessarily clear just what that would look like or how
we can get there.

-- 
Seth Schoen  <schoen at eff.org>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107
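To make the mechanism under discussion concrete, here is an added example (not the chromium-preloads.py script the message mentions, and not code from the HTTPS Everywhere project) that does the two conversions the thread is about: it parses a Strict-Transport-Security response header into the same shape as a Chromium preload-list entry, and it turns force-https entries into HTTPS Everywhere ruleset XML tagged platform="firefox", exactly so that the rule is marked as redundant in browsers that already enforce the preload list. The host names in SAMPLE_PRELOADS are constructed, and the JSON shape (an "entries" list with "name", "include_subdomains" and "mode") is the documented layout of Chromium's transport_security_state_static.json as assumed here.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample in the shape of Chromium's transport_security_state_static.json
# "entries" list. The hosts are hypothetical, not real preload entries.
SAMPLE_PRELOADS = json.dumps({
    "entries": [
        {"name": "example-preloaded.test", "include_subdomains": True, "mode": "force-https"},
        {"name": "no-subdomains.test", "include_subdomains": False, "mode": "force-https"},
        {"name": "pins-only.test", "include_subdomains": True, "pins": "example"},  # no force-https
    ]
})


def parse_hsts_header(host: str, header_value: str):
    """Turn a Strict-Transport-Security header (RFC 6797) into a preload-style entry.

    Returns None when the header carries no usable policy: a missing max-age, or
    max-age=0, which tells the browser to forget the policy rather than enforce it.
    """
    max_age = None
    include_subdomains = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None  # malformed max-age: treat the header as absent
        elif name == "includesubdomains":
            include_subdomains = True
    if not max_age:  # None or 0: nothing to enforce
        return None
    return {"name": host, "include_subdomains": include_subdomains, "mode": "force-https"}


def preload_entries_to_rulesets(entries, platform: str = "firefox"):
    """Build HTTPS Everywhere <ruleset> elements for every force-https entry.

    platform="firefox" marks the rule as unnecessary in Chromium-based browsers,
    which already enforce the preload list themselves.
    """
    rulesets = []
    for entry in entries:
        if entry.get("mode") != "force-https":
            continue  # a pin-only entry says nothing about upgrading http://
        host = entry["name"]
        ruleset = ET.Element("ruleset", name=host, platform=platform)
        ET.SubElement(ruleset, "target", host=host)
        if entry.get("include_subdomains"):
            ET.SubElement(ruleset, "target", host="*." + host)
        # HSTS semantics: every http:// URL for the host becomes https://
        ET.SubElement(ruleset, "rule", {"from": "^http:", "to": "https:"})
        rulesets.append(ruleset)
    return rulesets


def rulesets_to_xml(rulesets) -> str:
    """Serialise the rulesets one per line, in HTTPS Everywhere's XML format."""
    return "\n".join(ET.tostring(r, encoding="unicode") for r in rulesets)


if __name__ == "__main__":
    entries = json.loads(SAMPLE_PRELOADS)["entries"]
    # A header-derived entry for a constructed host that is not on the preload list.
    extra = parse_hsts_header("header-only.test", "max-age=31536000; includeSubDomains; preload")
    if extra:
        entries.append(extra)
    print(rulesets_to_xml(preload_entries_to_rulesets(entries)))
```

The header parser deliberately yields nothing for max-age=0 or a malformed max-age, since generating an upgrade rule from a header whose meaning is "stop enforcing" would be the wrong direction; and a site that only sends the header, without being on the preload list, is exactly the case where a ruleset is not redundant in any browser, so such an entry should be emitted without the platform attribute if it is added to the list.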

