So I was flipping around with the advanced options last night and realized that noscript now does HTTPS enforcement.
Yippie! Looks awesome so far. I have exactly seven feature requests. All of these features would work fine as options to enable/disable, and I am mostly curious if people think they fall into the scope of what the HTTPS enforcement part of noscript is trying to do.
1. Fingerprinting - I think that when you visit a site, the fingerprint for the leaf cert should be remembered. This would make the security model slightly closer to SSH. This is mostly to prevent MITM from people who actually possess a root CA cert. I understand that people regularly rotate keys, so a warning dialog would need to be in place. It should definitely tell the user to make sure they are on a trusted network before accepting a new fingerprint, and throw up HUGE warnings if the cert is now magically signed by some sketchy bankrupt CA in Russia etc.
2. Verbose View - I use a plugin called CipherFox for this now, but I think the functionality could be extended, and added into noscript. Basically in the status bar, there should be details of the current cert. I would like to see name of the root CA, symm, asymm, and hash algorithms being used to sign the leaf, and expiration date.
3. Password Enforcement - Data from a password field should NEVER be posted across a clear connection. I think that this plugin should automatically upgrade action URLs if it sees that a user is trying to post a password to it. The only site I know of that breaks this is slashdot. I think the feature should allow users to do it if they really want to, but it should prompt them to complain to the website maintainer.
4. Auto Add - I think there should be a feature that adds domains to the enforcement policy the moment it detects that the site supports HTTPS. It can do this passively in the background, or just when users visit HTTPS URLs. It would also be nice if the plugin came preloaded with a list of sites that are known to work well with HTTPS (and maybe their fingerprints as discussed earlier?).
5. Auto Add Exceptions - Much more fragile, but I think there should be UI prompts for adding HTTPS exceptions when the plugin detects that a particular site sucks at HTTPS deployment. For example, search.twitter.com and integratedsearch.twitter.com are both totally accessible from HTTP, but not from HTTPS. Maybe these exceptions would only be temporary, as one would expect these sites to actually start fixing some of these issues.
6. Full Disable - There should be an option (similar to the "allow scripts globally") that allows a user to temporarily disable all HTTPS enforcement. Sucks, but sometimes it is needed to debug and figure out what is going on.
7. Separation - Not really a feature, but eventually as these features get more solid, and numerous, it might be better to separate out the HTTPS enforcement features into their own plugin. Maybe that's blasphemy here, and if so I apologize :-)
I haven't actually read into much of the NoScript code, but I do have a bit of Firefox extension writing experience, so I can help out if there is a shortage of programmers at the moment. Also, where is the NoScript party going to be at in Vegas next week? :-D I would love to talk about some of this more in person if anyone is going to be down there.
HTTPS Enforcement Suggestions
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.1) Gecko/20090716 Ubuntu/9.10 (karmic) Shiretoko/3.5.1
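Suggestion 1 in the post above (remember the leaf fingerprint, warn when it changes, warn much louder when the issuer changes as well), sketched as an added example that is not part of the original post and is not NoScript code. `PinStore`, the verdict names and the sample fingerprints are hypothetical and constructed; the fingerprint is assumed to be the SHA-256 of the leaf certificate.

```javascript
// Added illustration: trust-on-first-use (TOFU) pinning of a leaf certificate,
// in the spirit of SSH known_hosts. All names here are hypothetical.

// Normalize "AB:CD:..." or "abcd..." into lowercase hex with no separators.
function normalizeFingerprint(fp) {
  const hex = String(fp).replace(/[^0-9a-fA-F]/g, "").toLowerCase();
  if (hex.length !== 64) throw new Error("expected a SHA-256 fingerprint");
  return hex;
}

class PinStore {
  constructor() { this.pins = new Map(); } // host -> { fingerprint, issuer }

  // Compare the certificate seen on this connection with the remembered one.
  // Only a first visit writes to the store; a changed cert is pinned via accept().
  check(host, seen) {
    const key = host.toLowerCase();
    const fingerprint = normalizeFingerprint(seen.fingerprint);
    const pinned = this.pins.get(key);
    if (!pinned) {
      this.pins.set(key, { fingerprint, issuer: seen.issuer });
      return { verdict: "first-seen", severity: "info" };
    }
    if (pinned.fingerprint === fingerprint) return { verdict: "match", severity: "none" };
    // Same CA, new leaf: plausible key rotation, still needs a warning dialog.
    if (pinned.issuer === seen.issuer) return { verdict: "leaf-changed", severity: "warn", pinned };
    // New leaf and a different CA: the case the post wants the HUGE warning for.
    return { verdict: "issuer-changed", severity: "critical", pinned };
  }

  // Called only after the user explicitly accepts the new certificate.
  accept(host, seen) {
    this.pins.set(host.toLowerCase(), {
      fingerprint: normalizeFingerprint(seen.fingerprint), issuer: seen.issuer });
  }
}

// Constructed sample data (not real certificates or hosts).
const FP_A = "a1".repeat(32), FP_B = "b2".repeat(32), FP_C = "c3".repeat(32);
function demo() {
  const store = new PinStore();
  const seen = [["example.test", FP_A, "Example CA"], ["EXAMPLE.test", FP_A.toUpperCase(), "Example CA"],
                ["example.test", FP_B, "Example CA"], ["example.test", FP_C, "Other CA"]];
  return seen.map(([host, fingerprint, issuer]) => store.check(host, { fingerprint, issuer }).verdict);
}
```

Because `check()` never overwrites an existing pin, a changed certificate keeps producing a warning on every connection until `accept()` is called.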
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3370
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
Re: HTTPS Enforcement Suggestions
Thanks for your input, just a couple of things. 1. HTTPS enforcement has been a NS feature for a while now, it's not recent. 2. Giorgio is a one man operation and he likes it intentionally that way, there is no shortage of programmers, just works better when he does it alone.

~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1