HTTPS Everywhere Firefox addon

mik33mik
Posts: 18
Joined: Fri Mar 20, 2009 11:59 am

HTTPS Everywhere Firefox addon

Post by mik33mik »

http://archives.seul.org/or/talk/May-2010/msg00293.html
From: Mike Perry
Peter Eckersley of the EFF and I wrote this addon this past week
to make it easier to use Google's SSL search feature, among other
mixed-mode SSL sites:

https://www.eff.org/https-everywhere/

The addon is based on the NoScript STS/HTTPS forcing engine, with
improvements in how rules are specified. Rules for our addon are
specified as XML files that allow arbitrary URL rewrite substitution
via regular expressions and exclude patterns. This allows us to write
more complete and less error-prone rules than NoScript's
include/exclude model allows.

The eventual idea is to allow an Adblock Plus style model, where users
can submit and exchange rule files and eventually create subscriptions
for the sites they use that partially support SSL.

We also hope that NoScript will share our rule format and update
mechanisms, so that our rulesets will be interchangeable.

Please give it a try and give us feedback. We also will be including
the addon in the next alpha release of the Tor Browser Bundle.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: HTTPS Everywhere Firefox addon

Post by luntrus »

Hi developers of this add-on,

Installed it in flock, and will test it and give my opinion later. Upon installing I got this error:
Error: [Exception... "Component returned failure code: 0x80070057 (NS_ERROR_ILLEGAL_VALUE) [nsIWebProgress.addProgressListener]" nsresult: "0x80070057 (NS_ERROR_ILLEGAL_VALUE)" location: "JS frame :: file:///C:/Users/luntrus/AppData/Roaming/Flock/Browser/Profiles/1t....vh5.default/extensions/https-everywhere@eff.org/components/https-everywhere.js :: anonymous :: line 193" data: no]
Source File: file:///C:/Users/luntrus/AppData/Roaming/Flock/Browser/Profiles/1th...h5.default/extensions/https-everywhere@eff.org/components/https-everywhere.js
Line: 193 which translates to:

    dls.addProgressListener(this, CI.nsIWebProgress.NOTIFY_STATE_REQUEST); 
Is this a bug or due to the workings of NS and/or RP extension....
Also experience an initial common "orderedIncidents breakpad service" error - aka an ordinary browser crash,
second time browser with the installed extension launched and was started up OK....

luntrus
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.16) Gecko/2010010414 Firefox/3.0.16 Flock/2.5.6
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: NoScript Sightings

Post by GµårÐïåñ »

What are your thoughts on this extension? Do you recommend its use?
I gave it a quick look-see and it seems to be simply limited to a hard list of sites (about 10 ish)
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: NoScript Sightings

Post by Giorgio Maone »

GµårÐïåñ wrote: What are your thoughts on this extension? Do you recommend its use?
Of course I can't recommend it if you're using NoScript, because it would just be bloat (80% of its code is duplicated almost verbatim from NoScript). For the same reason, if you're not a NoScript user, you may want to try it because its code is very good, even though I can't guarantee about future maintenance :)

That said, if you're security minded but you're not a NoScript user, maybe you're not a NoScript user for the wrong reason.
There's this ongoing misconception: "Yes, NoScript gives this protection too, but script blocking is too much an inconvenience so I pass". Well, do you know you can actually have your cake and eat it too?

I think people should be more informed about the fact that whitelist script blocking is default (because it's safer) but it's optional. You can easily turn it to a non-invasive blacklist (Allow scripts globally) and keep all the lots of unique protection features which are completely independent from script blocking, such as anti-XSS, anti-Clickjacking, HTTPS enforcement, ABE and so on.

There's an extension (YesScript) which exists exclusively because people don't know they can have a (much more powerful) blacklist mode in NoScript itself (while retaining the additional protections). This "HTTPS Everywhere" smells similar to me...
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: NoScript Sightings

Post by GµårÐïåñ »

Got it, thank you for the detailed explanation. Shame they stole your code (well technically not stealing but still) and I always feel that solutions that are anti-NS create a false sense of security and people don't understand the implications of their choices. Oh well, their loss. All we can do is provide them the solution, the tools and the support, what more can anyone expect?
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: NoScript Sightings

Post by Alan Baxter »

Giorgio Maone wrote:
GµårÐïåñ wrote: What are your thoughts on this extension? Do you recommend its use?
Of course I can't recommend it if you're using NoScript, because it would just be bloat (80% of its code is duplicated almost verbatim from NoScript).
How do I get the same functionality in NoScript? Do I manually add each site to NoScript Options > Advanced > HTTPS > Behavior > Force the following sites to use secure (HTTPS) connections:?

Wouldn't it be easier to just install the extension?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.4) Gecko/20100611 Firefox/3.6.4
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: NoScript Sightings

Post by Giorgio Maone »

Alan Baxter wrote:
Giorgio Maone wrote:
GµårÐïåñ wrote: What are your thoughts on this extension? Do you recommend its use?
Of course I can't recommend it if you're using NoScript, because it would just be bloat (80% of its code is duplicated almost verbatim from NoScript).
How do I get the same functionality in NoScript? Do I manually add each site to NoScript Options > Advanced > HTTPS > Behavior > Force the following sites to use secure (HTTPS) connections:?
Currently yes. If the inconvenience is not having a pre-defined list of sites which should get the force treatment I can very easily backport (or just drop-in) their HTTPRules module (which BTW is just 8KB, versus the 45KB of the 5 modules from NoScript which make the rest of this extension) and deploy their rules by default. However I've heard that, for instance, they break some Facebook functionalities, so I hope their format is as easy to manual edit as NoScript's UI.
Alan Baxter wrote: Wouldn't it be easier to just install the extension?
Maybe (right now), but if you keep both I can't guarantee they won't clash, since they share the very same edgy tricks & hacks, albeit duplicated (with double overhead).
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: NoScript Sightings

Post by Alan Baxter »

Giorgio Maone wrote:
Alan Baxter wrote: How do I get the same functionality in NoScript? Do I manually add each site to NoScript Options > Advanced > HTTPS > Behavior > Force the following sites to use secure (HTTPS) connections:?
Currently yes. If the inconvenience is not having a pre-defined list of sites which should get the force treatment I can very easily backport (or just drop-in) their HTTPRules module (which BTW is just 8KB, versus the 45KB of the 5 modules from NoScript which make the rest of this extension) and deploy their rules by default. However I've heard that, for instance, they break some Facebook functionalities, so I hope their format is as easy to manual edit as NoScript's UI.
Please don't bother on my account. The extension wouldn't be of much use to me anyhow. I do all my browsing from my desktop over a wired DSL. With the exception of Paypal, I'm not concerned about anyone sniffing my traffic with the sites that HTTPS Everywhere supports. I already have paypal and three of my other financial sites entered in NoScript.

Although the NoScript Force HTTPS rules format is simple enough to be usable by a normal user, the rules used by HTTPS Everywhere look much more flexible. For example, adding wikipedia.org or *.wikipedia.org doesn't work in NoScript since wikipedia's secure connection uses a different domain: secure.wikimedia.org. Once again, I don't care to use a secure connection to wikipedia anyhow, but anyone who did might find HTTPS Everywhere attractive.
Alan Baxter wrote: Wouldn't it be easier to just install the extension?
Maybe (right now), but if you keep both I can't guarantee they won't clash, since they share the very same edgy tricks & hacks, albeit duplicated (with double overhead).
Yeah. I installed HTTPS Everywhere in its own profile so there wouldn't be any conflict.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.4) Gecko/20100611 Firefox/3.6.4
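
The contrast raised in the posts above (a forced-host list can only change the scheme, while a regex rewrite rule with exclusions can also change host and path), as an added example that is not part of any post and is not HTTPS Everywhere's or NoScript's code. The rule objects, their field names, the example.com ruleset and the path layout on secure.wikimedia.org are assumptions made for illustration; only the secure.wikimedia.org host comes from the thread.

```javascript
// Added illustration. Rule objects and field names (from, to, exclusions) are
// assumptions, not the extension's XML schema. All sample data is constructed.
const RULESETS = [
  { name: "Wikipedia",
    exclusions: [],
    rules: [{ from: /^http:\/\/([a-z-]+)\.wikipedia\.org\//,
              to: "https://secure.wikimedia.org/wikipedia/$1/" }] },
  { name: "Example",
    // Carve out a path that is assumed to break over HTTPS.
    exclusions: [/^http:\/\/(www\.)?example\.com\/legacy\//],
    rules: [{ from: /^http:\/\/(www\.)?example\.com\//,
              to: "https://www.example.com/" }] },
];

// Host-list model: a match can only swap the scheme, never the host or path.
function forceByHostList(url, hosts) {
  const u = new URL(url);
  const hit = hosts.some(h => h.startsWith("*.")
    ? u.hostname.endsWith(h.slice(1)) : u.hostname === h);
  if (u.protocol !== "http:" || !hit) return url;
  u.protocol = "https:";
  return u.href;
}

// Accept a rule only if it is anchored at the scheme and upgrades to HTTPS, so it
// cannot match a URL embedded in a query string or rewrite to plain HTTP.
function isSafeRule(rule) {
  return rule.from.source.startsWith("^http:") && rule.to.startsWith("https://");
}

// Rewrite model: an exclusion vetoes its whole ruleset, then the first safe rule wins.
function rewrite(url, rulesets) {
  for (const rs of rulesets) {
    if (rs.exclusions.some(ex => ex.test(url))) continue;
    for (const rule of rs.rules) {
      if (isSafeRule(rule) && rule.from.test(url)) {
        return url.replace(rule.from, rule.to);
      }
    }
  }
  return url; // no rule applies: leave the request untouched
}
```

With the host list, `http://en.wikipedia.org/wiki/Tor` can only become `https://en.wikipedia.org/wiki/Tor`; the rewrite rule sends it to the separate secure host instead.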
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: NoScript Sightings

Post by Thrawn »

Giorgio Maone wrote: If the inconvenience is not having a pre-defined list of sites which should get the force treatment I can very easily backport (or just drop-in) their HTTPRules module (which BTW is just 8KB, versus the 45KB of the 5 modules from NoScript which make the rest of this extension) and deploy their rules by default. However I've heard that, for instance, they break some Facebook functionalities, so I hope their format is as easy to manual edit as NoScript's UI.
I would love to have NoScript pick up HTTPS Everywhere rules, not so much to reuse the HTTPS Everywhere list, but to integrate with HTTPS Finder. It allows you to easily add HTTPS Everywhere rules for sites where HTTPS support is detected.

The other option would be to have HTTPS Finder automatically add NoScript rules, but when approached about that, the developer said that he wouldn't do anything to modify NoScript's behavior without consulting Giorgio (and I don't think he ever did contact Giorgio).
Mozilla/5.0 (Windows NT 5.1; rv:15.3) Gecko/20121108 Firefox/15.3 PaleMoon/15.3