On Thu 2015-02-05 05:12:50 -0500, Alexander Buchner wrote:
> On 06.11.2014 13:27, Steven Tress wrote:
>> I've just converted my site to HTTPS. Attached is the ruleset for the
>> site, suggested to be included in the built-in repository.
>
> Since your site also supports HSTS there is no need for an extra
> httpsE-rule.
Alexander, I don't think that's the right analysis. Having an httpsE-rule avoids an sslstrip attack for people on their first visit, which HSTS does not defend against.

If I type "steventress.com" into my browser right now (having never visited it before), my browser will try http://steventress.com/. A network-based attacker can simply pretend to be that server (even proxying the content from the https site so it looks the same). All my communications will remain in the clear.

Having an httpsE-rule means that as long as I have the extension installed, I'll never get the cleartext site, even if I've never visited it before.

--dkg
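The first-visit distinction dkg describes, as an added illustration that is not part of the original thread: a small Python model of how a browser picks the scheme for a typed hostname, with an optional HTTPS Everywhere style ruleset and an HSTS cache that is only populated by responses received over HTTPS (as RFC 6797 requires). The ruleset below is a constructed, hypothetical stand-in modeled on the ruleset XML format (target hosts plus from/to rewrite rules), not the ruleset attached to Steven Tress's message, and the wildcard matching is a simplification of the real extension's target semantics.

```python
import re
from urllib.parse import urlsplit

# Constructed example ruleset, modeled on the HTTPS Everywhere XML format
# (<target host="..."/> and <rule from="..." to="..."/>). Hypothetical; it is
# not the ruleset attached to the original message.
EXAMPLE_RULESET = {
    "name": "steventress.com (example)",
    "targets": ["steventress.com", "*.steventress.com"],
    "rules": [(r"^http:", "https:")],
}


def host_matches_target(host, target):
    """Simplified target matching: an exact host, or '*.domain' for any
    host ending in '.domain' (the real extension's rules are richer)."""
    if target.startswith("*."):
        return host.endswith(target[1:])
    return host == target


def apply_ruleset(url, ruleset):
    """Rewrite url with the first rule that applies, if its host is a target."""
    host = urlsplit(url).hostname or ""
    if not any(host_matches_target(host, t) for t in ruleset["targets"]):
        return url
    for pattern, replacement in ruleset["rules"]:
        rewritten, count = re.subn(pattern, replacement, url)
        if count:
            return rewritten
    return url


class Browser:
    """Minimal model of scheme selection for a typed hostname: plain HTTP by
    default, upgraded by an installed ruleset or by a previously learned
    HSTS pin."""

    def __init__(self, ruleset=None):
        self.ruleset = ruleset
        self.hsts_hosts = set()  # stands in for the browser's HSTS cache

    def navigate(self, typed_host):
        url = "http://%s/" % typed_host  # typing a bare hostname yields http://
        if self.ruleset is not None:
            url = apply_ruleset(url, self.ruleset)
        if url.startswith("http://") and typed_host in self.hsts_hosts:
            url = "https://%s/" % typed_host
        return url

    def remember_response(self, url, headers):
        """Record an HSTS pin only for a Strict-Transport-Security header
        that arrived over HTTPS; RFC 6797 ignores the header over plain HTTP."""
        parts = urlsplit(url)
        names = {name.lower() for name in headers}
        if parts.scheme == "https" and "strict-transport-security" in names:
            self.hsts_hosts.add(parts.hostname)


if __name__ == "__main__":
    hsts = {"Strict-Transport-Security": "max-age=31536000"}

    fresh = Browser()  # no extension, never visited the site
    print("first visit, no ruleset:", fresh.navigate("steventress.com"))
    # The cleartext first request above is the window sslstrip relies on;
    # the HSTS header only helps once a genuine HTTPS response has been seen.
    fresh.remember_response("https://steventress.com/", hsts)
    print("after HSTS learned:    ", fresh.navigate("steventress.com"))

    with_rule = Browser(EXAMPLE_RULESET)  # extension installed, never visited
    print("first visit, ruleset:  ", with_rule.navigate("steventress.com"))
```

Running the module prints an http:// URL for the first visit without a ruleset, https:// once an HSTS header has been seen over HTTPS, and https:// on the very first visit when the ruleset is installed, which is the gap between the two mechanisms that the reply points out.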
