
add option for http URLs to try https first and fallback in case of errors #16488

Closed
pabs3 opened this Issue Sep 6, 2018 · 6 comments

pabs3 commented Sep 6, 2018

Type: feature request

With Firefox < 60 I used a plugin called https-finder that would, for each http URL:

Fetch the https version of the URL instead.
If that succeeded, store the domain as one that should always be https.
If that did not succeed, fetch the original http URL instead.

It would be nice if https-everywhere could do this itself. There are some other options for this but it would be nice to have this in https-everywhere.

https://mybrowseraddon.com/smart-https.html
https://github.com/Rob--W/https-by-default

Hainish commented Sep 6, 2018

From the Smart HTTPS extension description, one weakness is glaring: SH is susceptible to downgrade attacks - a network attacker can simply block HTTPS and it will allow loading HTTP instead.

Also, it will not work on sites where, for instance, the HTTPS endpoint for the same resource is on a separate subdomain or path. That's why we have those rules bundled with the extension. The best solution in this case is to just turn on "Block all unencrypted requests," which does upgrade users' connections when they try to access HTTP sites, but also blocks them from accessing HTTP sites if it can't upgrade and gives a warning letting the user decide whether they want to try HTTP instead.

See #7936
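To make the two points above concrete (the try-https-first policy from the opening post and the downgrade weakness Hainish describes), here is an added simulation; it is not code from https-everywhere, https-finder or Smart HTTPS. It models the network as a constructed table, assumes that a host remembered as HTTPS-capable is never fetched over cleartext again, and shows that the remembered-hosts set protects repeat visits while a first visit under an attacker who blocks HTTPS still falls back to HTTP.

```javascript
// Constructed network model: which URLs answer. A network attacker who
// blocks TLS is modelled below by deleting the https entry for a host.
const NETWORK = {
  "https://example.test/page": 200,
  "http://example.test/page": 200,
  "http://legacy.test/": 200, // hypothetical site that only speaks HTTP
};

function fakeFetch(url, network) {
  if (network[url] === undefined) throw new Error("connection failed: " + url);
  return { url, status: network[url] };
}

// knownHttps: hosts that previously succeeded over https (the "always https" memory).
// Assumption: a remembered host is never downgraded, so the fallback is refused.
function resolveUrl(httpUrl, network, knownHttps) {
  const u = new URL(httpUrl);
  if (u.protocol !== "http:") return { url: httpUrl, upgraded: false, fellBack: false };
  const httpsUrl = httpUrl.replace(/^http:/, "https:");
  try {
    const r = fakeFetch(httpsUrl, network); // step 1: try https first
    knownHttps.add(u.host);                 // step 2: remember the host
    return { url: r.url, upgraded: true, fellBack: false };
  } catch (e) {
    if (knownHttps.has(u.host)) {
      // host is known to support https: do not fall back to cleartext
      return { url: null, upgraded: false, fellBack: false, blocked: true };
    }
    const r = fakeFetch(httpUrl, network);  // step 3: cleartext fallback
    return { url: r.url, upgraded: false, fellBack: true };
  }
}

// Walk through the scenarios; returns the decisions so they can be inspected.
function demo() {
  const known = new Set();
  const first = resolveUrl("http://example.test/page", NETWORK, known);  // upgraded
  const legacy = resolveUrl("http://legacy.test/", NETWORK, known);      // falls back
  const attacked = { ...NETWORK };
  delete attacked["https://example.test/page"];                          // attacker blocks TLS
  const repeat = resolveUrl("http://example.test/page", attacked, known); // blocked, memory helps
  const fresh = resolveUrl("http://example.test/page", attacked, new Set()); // downgraded
  return { first, legacy, repeat, fresh };
}
```

The `fresh` case is the downgrade: with no prior memory of the host, blocking HTTPS silently yields a cleartext load, which is exactly what the "Block all unencrypted requests" setting is meant to prevent.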

Hainish closed this Sep 6, 2018

pabs3 commented Sep 7, 2018

anarcat commented Sep 7, 2018

I use Smart HTTPS (SH) and would love to switch to https-everywhere (HE), but I am not because such cases are so common. There are still many, many sites that are not inventoried by HE that SH catches. And yes, SH can trivially be hijacked, if you type the URL in cleartext. That is already the case with HE if the site is unknown and "Block all unencrypted requests" is disabled (the default).

So for me, using HE without that setting is insufficient. So I tried to enable it but because it broke on those sites, it made HE unusable. I tried to add an exception for that site, but couldn't figure out how to do so.

I think the current behavior of the "Block" setting would be acceptable if there was a one-click escape hatch somehow (well, two click: click on the extension icon, click on the exception). Is that something that could work?

Hainish commented Sep 7, 2018

@anarcat thanks for this suggestion, I think this is workable. I'll prioritize this feature: #10041

Hainish commented Sep 7, 2018

@pabs3 Thanks for enumerating these possibilities, we may pursue this in the future. But I think the best thing for right now is to at least allow users to disable HTTPS Everywhere on specific sites.

Hainish commented Sep 7, 2018

In the future, we may want to have sub-options that are disabled by default, such as:

  • Block all unencrypted connections
    • Allow connections from sites we know only support HTTP

... and then we would allow rulesets to express that certain domains only support HTTP. This may be a contentious suggestion though, and warrants some discussion.
