HTTPS Everywhere Firefox addon

Talk about internet security, computer security, personal security, your social security number...
Post Reply
mik33mik
Posts: 18
Joined: Fri Mar 20, 2009 11:59 am

HTTPS Everywhere Firefox addon

Post by mik33mik » Fri May 28, 2010 8:41 am

http://archives.seul.org/or/talk/May-2010/msg00293.html
From: Mike Perry

Peter Eckersley of the EFF and I wrote this addon this past week
to make it easier to use Google's SSL search feature, among other
mixed-mode SSL sites:

https://www.eff.org/https-everywhere/

The addon is based on the NoScript STS/HTTPS forcing engine, with
improvements in how rules are specified. Rules for our addon are
specified as XML files that allow arbitrary URL rewrite substitution
via regular expressions and exclude patterns. This allows us to write
more complete and less error-prone rules than NoScript's
include/exclude model allows.

The eventual idea is to allow an Adblock Plus style model, where users
can submit and exchange rule files and eventually create subscriptions
for the sites they use that partially support SSL.

We also hope that NoScript will share our rule format and update
mechanisms, so that our rulesets will be interchangeable.

Please give it a try and give us feedback. We also will be including
the addon in the next alpha release of the Tor Browser Bundle.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3

luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: HTTPS Everywhere Firefox addon

Post by luntrus » Fri May 28, 2010 9:23 pm

Hi developers of this add-on,

Installed it in flock, and will test it and give my opinion later. Upon installing I got this error:
Error: [Exception... "Component returned failure code: 0x80070057 (NS_ERROR_ILLEGAL_VALUE) [nsIWebProgress.addProgressListener]" nsresult: "0x80070057 (NS_ERROR_ILLEGAL_VALUE)" location: "JS frame :: file:///C:/Users/luntrus/AppData/Roaming/Flock/Browser/Profiles/1t....vh5.default/extensions/https-everywhere@eff.org/components/https-everywhere.js :: anonymous :: line 193" data: no]
Source File: file:///C:/Users/luntrus/AppData/Roaming/Flock/Browser/Profiles/1th...h5.default/extensions/https-everywhere@eff.org/components/https-everywhere.js
Line: 193 which translates to:

Code: Select all

    dls.addProgressListener(this, CI.nsIWebProgress.NOTIFY_STATE_REQUEST); 

Is this a bug or due to the workings of NS and/or RP extension....
Also experience an initial common "orderedIncidents breakpad service" error - aka an ordinary browser crash,
second time browser with the installed extension launched and was tarted up OK....

luntrus
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.16) Gecko/2010010414 Firefox/3.0.16 Flock/2.5.6

User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3347
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: NoScript Sightings

Post by GµårÐïåñ » Fri Jun 18, 2010 10:17 pm

What are your thoughts on this extension? Do you recommend its use?
I gave it a quick look-see and it seems to be simply limited to a hard list of sites (about 10 ish)
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3

User avatar
Giorgio Maone
Site Admin
Posts: 8934
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: NoScript Sightings

Post by Giorgio Maone » Fri Jun 18, 2010 10:50 pm

GµårÐïåñ wrote:What are your thoughts on this extension? Do you recommend its use?

Of course I can't recommend it if you're using NoScript, because it would just be bloat (80% of its code is duplicated almost verbatim from NoScript). For the same reason, if you're not a NoScript user, you may want to try it because its code is very good, even though I can't guarantee about future maintenance :)

That said, if you're security minded but you're not a NoScript user, maybe you're not a NoScript user for the wrong reason.
There's this ongoing misconception: "Yes, NoScript gives this protection too, but script blocking is too much an inconvenience so I pass". Well, do you know you can actually have your cake and eat it too?

I think people should be more informed about the fact that whitelist script blocking is default (because it's safer) but it's optional. You can easily turn it to a non-invasive blacklist (Allow scripts globally) and keep all the lots of unique protection features which are completely independent from script blocking, such as anti-XSS, anti-Clickjacking, HTTPS enforcement, ABE and so on.

There's an extension (YesScript) which exists exclusively because people don't know they can have a (much more powerful) blacklist mode in NoScript itself (while retaining the additional protections). This "HTTPS Everywhere" smells similar to me...
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3

User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3347
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: NoScript Sightings

Post by GµårÐïåñ » Sat Jun 19, 2010 2:49 am

Got it, thank you for the detailed explanation. Shame they stole your code (well technically not stealing but still) and I always feel that solutions that are anti-NS create a false sense of security and people don't understand the implications of their choices. Oh well, their loss. All we can do is provide them the solution, the tools and the support, what more can anyone expect?
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3

Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: NoScript Sightings

Post by Alan Baxter » Sat Jun 19, 2010 3:09 pm

Giorgio Maone wrote:
GµårÐïåñ wrote:What are your thoughts on this extension? Do you recommend its use?

Of course I can't recommend it if you're using NoScript, because it would just be bloat (80% of its code is duplicated almost verbatim from NoScript).

How do I get the same functionality in NoScript? Do I manually add each site to NoScript Options > Advanced > HTTPS > Behavior > Force the following sites to use secure (HTTPS) connections:?

Wouldn't it be easier to just install the extension?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.4) Gecko/20100611 Firefox/3.6.4

User avatar
Giorgio Maone
Site Admin
Posts: 8934
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: NoScript Sightings

Post by Giorgio Maone » Sat Jun 19, 2010 4:02 pm

Alan Baxter wrote:
Giorgio Maone wrote:
GµårÐïåñ wrote:What are your thoughts on this extension? Do you recommend its use?

Of course I can't recommend it if you're using NoScript, because it would just be bloat (80% of its code is duplicated almost verbatim from NoScript).

How do I get the same functionality in NoScript? Do I manually add each site to NoScript Options > Advanced > HTTPS > Behavior > Force the following sites to use secure (HTTPS) connections:?

Currently yes. If the inconvenience is not having a pre-defined list of sites which should get the force treatment I can very easily backport (or just drop-in) their HTTPRules module (which BTW is just 8KB, versus the 45KB of the 5 modules from NoScript which make the rest of this extension) and deploy their rules by default. However I've heard that, for instance, they break some Facebook functionalities, so I hope their format is as easy to manual edit as NoScript's UI.
Alan Baxter wrote:Wouldn't it be easier to just install the extension?

Maybe (right now), but if you keep both I can't guarantee they won't clash, since they share the very same edgy tricks & hacks, albeit duplicated (with double overhead).
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3

Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: NoScript Sightings

Post by Alan Baxter » Sat Jun 19, 2010 5:08 pm

Giorgio Maone wrote:
Alan Baxter wrote:How do I get the same functionality in NoScript? Do I manually add each site to NoScript Options > Advanced > HTTPS > Behavior > Force the following sites to use secure (HTTPS) connections:?

Currently yes. If the inconvenience is not having a pre-defined list of sites which should get the force treatment I can very easily backport (or just drop-in) their HTTPRules module (which BTW is just 8KB, versus the 45KB of the 5 modules from NoScript which make the rest of this extension) and deploy their rules by default. However I've heard that, for instance, they break some Facebook functionalities, so I hope their format is as easy to manual edit as NoScript's UI.

Please don't bother on my account. The extension wouldn't be of much use to me anyhow. I do all my browsing from my desktop over a wired DSL. With the exception of Paypal, I'm not concerned about anyone sniffing my traffic with the sites that HTTPS Everywhere supports. I already have paypal and three of my other financial sites entered in NoScript.

Although the NoScript Force HTTPS rules format is simple enough to be usable by a normal user, the rules used by HTTPS Everywhere look much more flexible. For example, adding wikipedia.org or *.wikipedia.org doesn't work in NoScript since wikipedia's secure connection uses a different domain: secure.wikimedia.org. Once again, I don't care to use a secure connection to wikipedia anyhow, but anyone who did might find HTTPS Everywhere attractive.

Alan Baxter wrote:Wouldn't it be easier to just install the extension?

Maybe (right now), but if you keep both I can't guarantee they won't clash, since they share the very same edgy tricks & hacks, albeit duplicated (with double overhead).

Yeah. I installed HTTPS Everywhere in its own profile so there wouldn't be any conflict.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.4) Gecko/20100611 Firefox/3.6.4

User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: NoScript Sightings

Post by Thrawn » Sun Dec 09, 2012 11:06 am

Giorgio Maone wrote:If the inconvenience is not having a pre-defined list of sites which should get the force treatment I can very easily backport (or just drop-in) their HTTPRules module (which BTW is just 8KB, versus the 45KB of the 5 modules from NoScript which make the rest of this extension) and deploy their rules by default. However I've heard that, for instance, they break some Facebook functionalities, so I hope their format is as easy to manual edit as NoScript's UI.

I would love to have NoScript pick up HTTPS Everywhere rules, not so much to reuse the HTTPS Everywhere list, but to integrate with HTTPS Finder. It allows you to easily add HTTPS Everywhere rules for sites where HTTPS support is detected.

The other option would be to have HTTPS Finder automatically add NoScript rules, but when approached about that, the developer said that he wouldn't do anything to modify NoScript's behavior without consulting Giorgio (and I don't think he ever did contact Giorgio).
Mozilla/5.0 (Windows NT 5.1; rv:15.3) Gecko/20121108 Firefox/15.3 PaleMoon/15.3

Post Reply