[HTTPS-Everywhere] HTTPS Everywhere vs Preloaded HSTS list
Dave Warren
davew at hireahit.com
Tue Mar 17 13:00:04 PDT 2015
On 2015-03-17 11:57, Jacob Hoffman-Andrews wrote:
> On 03/16/2015 11:37 PM, Dave Warren wrote:
>> I'm curious if anyone has ever looked at HTTPS Everywhere's database
>> and considered dropping sites that are in preloaded HSTS lists? -- I'm
>> assuming that part of the performance impact is linked to the number
>> of rules, and under this theory, it seems like reducing the number of
>> rules without reducing security would be a net win.
> I've definitely considered this, but I think it's not likely to be a big
> performance win. As I understand it, there are ~300 hostnames on the
> preloaded list (updated numbers welcome!), vs ~14.5k rulesets in HTTPS
> Everywhere, with many hostnames per ruleset.
I see 1743 "force-https" items from the current Chromium source, 1597 of
those have the "include_subdomains" flag (which might indicate that they
can eliminate multiple hostnames worth of tests in HTTPS Everywhere)
Some domains (e.g. facebook.com) have multiple entries to cover the fact
that facebook.com itself uses force-https and pins to facebook, plus
various subdomains are included with the "include_subdomains" flag on
those subdomains, but this is an exception rather than the rule.
In practice, this means the 1743 "force-https" lines are roughly similar
to HTTPS Everywhere's count of hostnames rather than rule sets. However,
the vast majority are both "force-https" and "include_subdomains" and
therefore might replace multiple tests in HTTPS Everywhere unless
they're similarly wildcarded in HTTPS Everywhere.
I wonder how many of those overlap? I don't have a good way to make that
comparison at this moment, although it probably wouldn't be especially
difficult to do, especially taking the include_subdomains entries into
account, as they might eliminate a large number of hostname hits and
ultimately have a larger performance impact.
It's a shame Chrom(e|ium) doesn't have an API, and that the list is
hardcoded rather than dynamically updated, meaning that potentially
every browser build has a different list, such that from a HTTPS
Everywhere perspective, rules would either need to remain until the
browser update reaches some level of critical mass, or HTTPS Everywhere
would need to add "Only prior to browser version 'x'" conditionals into
the rulesets, which sounds messy and terrible. If there were at least an
API that HTTPS Everywhere could use to read the browser preload list,
HTTPS Everywhere could periodically scan it's lists and disregard the
unneeded rules at the browser level.
--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
More information about the HTTPS-Everywhere
mailing list