[HTTPS-Everywhere] HTTPS Everywhere vs Preloaded HSTS list

Nick Semenkovich nick at semenkovich.com
Tue Mar 17 12:05:55 PDT 2015


On Tue, Mar 17, 2015 at 1:57 PM, Jacob Hoffman-Andrews <jsha at eff.org> wrote:

> On 03/16/2015 11:37 PM, Dave Warren wrote:
> > I'm curious if anyone has ever looked at HTTPS Everywhere's database
> > and considered dropping sites that are in preloaded HSTS lists? -- I'm
> > assuming that part of the performance impact is linked to the number
> > of rules, and under this theory, it seems like reducing the number of
> > rules without reducing security would be a net win.
> I've definitely considered this, but I think it's not likely to be a big
> performance win. As I understand it, there are ~300 hostnames on the
> preloaded list (updated numbers welcome!), vs ~14.5k rulesets in HTTPS
> Everywhere, with many hostnames per ruleset.
>
> I'm extremely interested in improving the performance of HTTPS
> Everywhere with regards to both CPU and RAM. If you are interested in
> doing some work in the area, I would really appreciate it. I think the
> first step would be to do a CPU and RAM profile of the extension under
> some example usage (i.e. open N URLs that have either a top-level
> rewrite or many embedded rewrites).
>

Agreed RE limited performance improvements -- plus there's no way in Chrome
to access the HSTS list (so we can't offload / update the lists with
speculative HTTPSe rules). This might arrive eventually -- see:
https://crbug.com/313965


On the Chrome side of things, we could improve performance / memory usage
*significantly* for some users by using the declarativeWebRequest API:
https://developer.chrome.com/extensions/declarativeWebRequest

Unfortunately, that API is ~permanently in beta, so this would only impact
Chrome beta/dev/nightly users -- and we'd need to maintain the standard
webRequest API in parallel.


- Nick





-- 
Nick Semenkovich
Laboratory of Dr. Jeffrey I. Gordon
Medical Scientist Training Program
School of Medicine
Washington University in St. Louis
https://nick.semenkovich.com/
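
An added example, not part of the original messages or of the HTTPS Everywhere code: one way to measure the overlap discussed in this thread, by listing rulesets whose every target is already forced to HTTPS by a preloaded HSTS entry. All sample data is constructed; the entry fields are modelled on Chromium's preload JSON, and treating only a `^http:` to `https:` rule as a pure upgrade is a simplifying assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample data, not the real contents of either list.
PRELOAD = [
    {"name": "example.com", "include_subdomains": True, "mode": "force-https"},
    {"name": "login.example.net", "mode": "force-https"},
    {"name": "example.org", "include_subdomains": True},  # pins only, no forced HTTPS
]
RULESETS = r"""<rulesets>
 <ruleset name="Covered"><target host="example.com"/><target host="*.example.com"/>
  <rule from="^http:" to="https:"/></ruleset>
 <ruleset name="Partly covered"><target host="login.example.net"/>
  <target host="www.example.net"/><rule from="^http:" to="https:"/></ruleset>
 <ruleset name="Pins only"><target host="example.org"/>
  <rule from="^http:" to="https:"/></ruleset>
 <ruleset name="Host rewrite"><target host="old.example.com"/>
  <rule from="^http://old\.example\.com/" to="https://example.com/"/></ruleset>
</rulesets>"""

def hsts_covers(target, preload):
    """True if every host a ruleset target can match is forced to HTTPS."""
    host = target.lower().rstrip(".")
    wildcard = host.startswith("*.")
    host = host[2:] if wildcard else host
    if "*" in host:  # e.g. "example.*": the set of hosts cannot be bounded
        return False
    labels = host.split(".")
    # Names whose include_subdomains flag would cover this target.
    parents = [".".join(labels[i:]) for i in range(0 if wildcard else 1, len(labels))]
    for entry in preload:
        if entry.get("mode") != "force-https":
            continue
        name = entry["name"].lower()
        if name == host and not wildcard:
            return True
        if entry.get("include_subdomains") and name in parents:
            return True
    return False

def redundant_rulesets(xml_text, preload):
    """Names of rulesets that only upgrade hosts the preload list already upgrades."""
    out = []
    for rs in ET.fromstring(xml_text).iter("ruleset"):
        targets = [t.get("host") for t in rs.findall("target")]
        rules = [(r.get("from"), r.get("to")) for r in rs.findall("rule")]
        pure = bool(rules) and all(r == ("^http:", "https:") for r in rules)
        extras = any(c.tag not in ("target", "rule") for c in rs)
        if targets and pure and not extras and all(hsts_covers(t, preload) for t in targets):
            out.append(rs.get("name"))
    return out
```

Rulesets that rewrite to another host, or carry elements other than targets and rules, are deliberately kept, since an HSTS entry does not reproduce that behaviour.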