-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi Chris!
This is really clever, and blocking HTTP by default unless whitelisted is probably preferable for many superusers. Are you still planning on opening a pull request to HTTPS Everywhere? - -Yan > From: *Micah Lee* <[email protected] <mailto:[email protected]>> Date: Wed, > Aug 28, 2013 at 2:37 PM Subject: Re: [HTTPS-Everywhere] https-only > mode: in scope? To: Chris Wilper <[email protected] > <mailto:[email protected]>> Cc: [email protected] > <mailto:[email protected]> > > > I'd say work in a separate branch until you're confident that it > works well and doesn't break anything else, and then I can review > it and merge it into master. > > On 08/27/2013 07:14 AM, Chris Wilper wrote: >> Hi Micah, >> >> Thanks for getting back. Although I did end up doing this as an >> independent extension, I still think it would be great to have >> an https-only mode directly in HTTPS Everywhere, and would be >> glad to work on it. I'm not as familiar with the Chromium side of >> things, but I could certainly give it a shot. I like the idea of >> just making it an about:config pref for now. Would it make most >> sense to do this work against the master branch, or some other >> branch? >> >> Also, fyi I just published a blog post yesterday on why I think >> this kind of capability is important: >> > http://rx4g.wordpress.com/2013/08/26/why-browsers-need-encrypted-only-mode/ >> > It mentions HTTPS Everywhere as well as the independent extension I did, >> but the the post actually goes further and argues for this as a >> core browser feature. I may be in the minority on that opinion, >> but it did spark some interesting discussion in /r/netsec (linked >> from the top of the post). >> >> Thanks, Chris >> >> On Tue, Aug 20, 2013 at 2:19 PM, Micah Lee <[email protected] > <mailto:[email protected]> >> <mailto:[email protected] <mailto:[email protected]>>> wrote: >> >> Sorry about not responding to this for almost a month. I think >> integrating an https-only mode into HTTPS Everywhere would be > great. If >> you'd like to start hacking on it, please do. >> >> I think that obviously this should default to off, and there >> should be some setting to turn it back on. But right now HTTPS >> Everywhere > doesn't >> actually have a very robust settings dialog. For now it could >> just > be an >> about:config preference, like >> extensions.https_everywhere.https_only. >> >> Would you want to work on this for both Firefox and Chromium? >> >> On 07/28/2013 08:20 PM, Chris Wilper wrote: >>> Hi all, >>> >>> As a user of https-everywhere, first I want to say thanks to >>> the people involved in developing and maintaining it over the >>> years. > It's >>> a great tool and promotes an important conversation. >>> >>> When I first came across the extension, one thing I hoped it >>> had was an https-only mode -- a way to temporarily ensure that >>> no > unencrypted >>> web traffic could possibly leave my browser. Has this been >>> discussed before in the context of this project? I checked the >>> mailing list archives and came up short. >>> >>> I'm sure folks here are familiar with the kinds of use cases > that such >>> an assurance could help with, but here are a couple specific > examples >>> to consider: 1) When I'm at my bank's website I want to make >>> absolutely sure I don't (accidentally or maliciously) get > transferred >>> over to an unencrypted connection without noticing. 2) When >>> browsing anonymously with Tor, I don't want any unencrypted >>> traffic to ever pass through an exit node. >>> >>> Anyway, I'd really like to see a mode like this integrated >>> into https-everywhere if it would be considered in-scope for >>> the project. Something like a quick toggle ability and >>> indication in the toolbar button graphic that you're in >>> https-only mode. When in this mode, non-https requests would >>> simply fail before leaving the browser. >>> >>> As a proof of concept, I did a standalone Firefox extension >>> that > does >>> this and put it up here: >>> https://github.com/cwilper/http-nowhere If there's support for >>> having this kind of capability directly in https-everywhere, >>> I'd be glad to start hacking away at it in that context, with >>> as much guidance as the committers are willing to provide. >>> Failing that, I'd probably just continue on the standalone >>> route. Thoughts? >>> >>> Thanks, Chris >>> >>> _______________________________________________ >>> HTTPS-everywhere mailing list [email protected] > <mailto:[email protected]> > <mailto:[email protected] > <mailto:[email protected]>> >>> https://mail1.eff.org/mailman/listinfo/https-everywhere >>> >> >> >> -- Micah Lee Staff Technologist Electronic Frontier Foundation >> https://eff.org/join @micahflee >> >> >> _______________________________________________ HTTPS-everywhere >> mailing list [email protected] > <mailto:[email protected]> > <mailto:[email protected] > <mailto:[email protected]>> >> https://mail1.eff.org/mailman/listinfo/https-everywhere >> >> > > > -- Micah Lee Staff Technologist Electronic Frontier Foundation > https://eff.org/join @micahflee > > > _______________________________________________ HTTPS-everywhere > mailing list [email protected] > <mailto:[email protected]> > http://lists.eff.org/cgi-bin/mailman/listinfo/https-everywhere > -----BEGIN PGP SIGNATURE----- iQEcBAEBCgAGBQJSq5ZQAAoJENC7YDZD/dnsatUH/2QiitwA1VpqxJATm4ly9XbW Io1Pu+1zmnTmhbeRV5f0uEzqI62NED4rFIc14Emfs1n/ZgKl8sMhWf0fos0dqhjC MlNnluJpaQESxFo0HZrxBfU1dW4wLMxxL349K/59bJhuAwJjo0NJdBbIhe6TLfvc TAxXvz+UnteJt6K8I+IQ5b9MhaEU8BTv1Tde9ZW/y+nuoP8a/EtPOan0oGsYfwiT 34YKtBnNPFJveWtvB39w/rKEqswKtpI9tB/FXSsySDTjruYypuEsxbkv5z1uf8re 2wsmyun5zbBOAhWr0IuyLSdRjklKWQgl4p61u8SOqFobRemm15eOAHZoJjt0vJc= =mnZA -----END PGP SIGNATURE----- _______________________________________________ HTTPS-Everywhere mailing list [email protected] https://lists.eff.org/mailman/listinfo/https-everywhere
