Jameson Graef Rollins writes:

> On Thu, Sep 11 2014, yan <[email protected]> wrote:
> > One potential downfall is that this would make the ruleset list very
> > large, and HTTPS Everywhere is probably less efficient at doing its job
> > than HSTS.
>
> This is sort of an odd comment, isn't it? Isn't the fundamental model
> of https-everywhere to have a ruleset for every site on the web?

I don't think that HTTPS Everywhere can scale to have a rule for every web site -- and if the browsers that it runs in are willing to do equivalent work in a (potentially) more efficient way, I don't think we need to make rules that are redundant with the existing browser behavior.

That's why the chromium-preloads.py script, which I wrote a while ago, was written to set platform="firefox" for all of the rules it generated -- the idea was that the rulesets derived from the Chromium preloads list would be redundant in Chromium-based web browsers, but not in Firefox, which at the time didn't have an HSTS preload list. If the Firefox HSTS preload list is being regularly updated from the Chromium list, my view would be that this is largely obsolete now as a source of rulesets.

I think there's an interesting discussion to be had about what the best long-term solution for security and scalability will be. We might hope to have a set of safe and scalable security policy mechanisms through which sites can make themselves entirely HTTPS-only, and provide mechanisms, incentives, norms, and/or defaults that help all web sites adopt these mechanisms. Then we wouldn't need to do case-by-case upgrade rules in the first place. But it's not necessarily clear just what that would look like or how we can get there.

-- 
Seth Schoen  <[email protected]>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107
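
The conversion described in the message above, as an added example (not the chromium-preloads.py script itself and not code from the HTTPS Everywhere project): it turns HSTS preload entries into rulesets tagged platform="firefox". It assumes entries carry "name", "include_subdomains" and "mode" fields as in Chromium's preload JSON and that rulesets use the usual target/rule layout; the sample data and the function names are constructed for illustration.

```python
import json
from xml.sax.saxutils import quoteattr

# Constructed sample, shaped like entries in Chromium's HSTS preload JSON
# (assumed fields: name, include_subdomains, mode).
SAMPLE_PRELOADS = json.loads("""
{"entries": [
  {"name": "example.com", "include_subdomains": true, "mode": "force-https"},
  {"name": "login.example.org", "mode": "force-https"},
  {"name": "pins-only.example.net", "include_subdomains": true, "pins": "test"}
]}
""")


def ruleset_for(entry, platform="firefox"):
    """Return ruleset XML for one preload entry, or None if it has no HSTS mode."""
    if entry.get("mode") != "force-https":
        # Pin-only entries do not ask for an HTTP -> HTTPS upgrade.
        return None
    host = entry["name"]
    targets = [host]
    if entry.get("include_subdomains"):
        # HSTS includeSubDomains maps onto a wildcard target.
        targets.append("*." + host)
    lines = ["<ruleset name=%s platform=%s>" % (quoteattr(host), quoteattr(platform))]
    lines += ["  <target host=%s />" % quoteattr(t) for t in targets]
    lines.append('  <rule from="^http:" to="https:" />')
    lines.append("</ruleset>")
    return "\n".join(lines)


def generate(preloads, platform="firefox"):
    """Map host name -> ruleset XML for every force-https entry."""
    rulesets = {}
    for entry in preloads["entries"]:
        xml = ruleset_for(entry, platform)
        if xml is not None:
            rulesets[entry["name"]] = xml
    return rulesets


if __name__ == "__main__":
    for xml in generate(SAMPLE_PRELOADS).values():
        print(xml + "\n")
```
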
