Almost everyone seems to believe that HTTPS Everywhere works

Thread replies: 44
Thread images: 2

Almost everyone seems to believe that HTTPS Everywhere works by checking if a site is available over HTTPS and switching if it is. But that isn't what HTTPS Everywhere does at all. Instead HTTPS Everywhere only works for sites that are on this whitelist. For the longest time, you could only get on the list through an obscure mailing list (now they've got a git repository).

THE PROBLEM WITH HTTPS EVERYWHERE

Johnny assumes HTTPS Everywhere automatically switches sites to HTTPS when available. So when he hits a login over HTTP he shrugs and says "I guess they don't have HTTPS" and fills in the login anyway.

Johnny realizes that more and more, with HTTPS Everywhere installed he doesn't need to worry about the lock icon in the URL bar. After all, if HTTPS is available HTTPS Everywhere will automatically switch him over, and if it isn't, there is nothing he can do about it anyway.

Johnny isn't aware that HTTPS Everywhere is automatically sending a fingerprint of every HTTPS site he visits to HTTPS Observatory (allowing them to track his browsing if they wanted).

HTTPS Everywhere made a lot of sense in the days of Firesheep when it was created. Now its benefits are very questionable. Are webmasters really going to jump through hoops to make a ruleset for HTTPS Everywhere, when it's probably easier for them to make their site HTTPS default (and use HSTS/HPKP etc) which help everyone (not just users of a specific addon)?

Anyway I've got serious concerns about whether HTTPS Everywhere is actually helpful today (especially without a disclaimer explaining what it does). BUT for a privacy focused site, the default behaviour with HTTPS Observatory should be a definite no go.

What are your thoughts?
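
The whitelist behaviour described in the opening post, as an added example that is not part of the original post and not the extension's own code: a simplified JavaScript model of ruleset matching (target hosts, exclusions, from/to rules). The rulesets and `.example` hostnames are constructed, and the wildcard handling is an assumption that covers only a leading `*.`.

```javascript
// Simplified model of whitelist-based rewriting (added example, not the extension's code).
// Each ruleset mirrors the project's XML format: <target host>, <exclusion pattern>, <rule from to>.
// All hostnames and rules below are constructed for illustration.
const RULESETS = [
  {
    name: "Example Shop",
    targets: ["shop.example", "*.shop.example"],
    exclusions: [/^http:\/\/legacy\.shop\.example\//],
    rules: [{ from: /^http:/, to: "https:" }],
  },
];

// A target matches exactly, or via one leading "*." wildcard (assumed simplification).
function targetMatches(target, host) {
  if (target.startsWith("*.")) return host.endsWith(target.slice(1));
  return host === target;
}

// Returns the resulting URL and the reason; URLs with no ruleset are left untouched.
function rewrite(url, rulesets = RULESETS) {
  const u = new URL(url);
  if (u.protocol !== "http:") return { url, reason: "not-http" };
  for (const rs of rulesets) {
    if (!rs.targets.some((t) => targetMatches(t, u.hostname))) continue;
    if (rs.exclusions.some((re) => re.test(url))) return { url, reason: "excluded" };
    for (const { from, to } of rs.rules) {
      if (from.test(url)) return { url: url.replace(from, to), reason: "rule:" + rs.name };
    }
  }
  // The server is never probed: absence from the list means no upgrade,
  // even if the site serves HTTPS perfectly well.
  return { url, reason: "no-ruleset" };
}

// The check the user still has to make: is this page load plaintext after rewriting?
function isPlaintextAfterRewrite(url) {
  return new URL(rewrite(url).url).protocol === "http:";
}
```
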
>>
>>60888152
>But that isn't what HTTPS Everywhere does at all. Instead HTTPS Everywhere only works for sites that are on this whitelist.
No shit.
>>
>>60888188
I guarantee you, 95% of the addon's users aren't aware of that.
>>
>>60888195
Then they didn't read the description and it's their own fault. Why should you care about idiots.
>>
>>60888236
It's not about them, it's about the false sense of security this addon has. While in the actual world it does NOTHING for the average user. OK it switches to HTTPS on xvideos. Bravo, totally worth installing.
>>
HTTPS Everywhere must be the most overrated plugin out there. If you browse through it's list you will notice that the vast majority of sites are either sites you never visit (or have blocked via other plugins such as uBlock or NoScript) or sites that are already https by default.

It might have been useful a couple of years ago, but after Snowden and Google started pushing everyone into using https it's rather redundant. All you really need in terms of privacy and security is uBlock + NoScript (with all scripts disabled by default).
>>
this is why I use smart https instead
>>
>>60888520
>hasn't been updated for almost a year
>no webext version
nope
>>
>>60888152
>Johnny isn't aware that HTTPS Everywhere is automatically sending a fingerprint of every HTTPS site he visits to HTTPS Observatory (allowing them to track his browsing if they wanted).

not my fault you were too dumb to flick that off in the options
>>
>>60888152
daily reminder that it's every webmaster's duty to 301 redirect from http to https, and ensure that your implementation is at least A-grade on ssltest
>>
>>60888152
You mean HTTPS Everywhere actually lets you go to non-HTTPS sites?

What's even the point then?
>>
>>60888556
what??? https://addons.mozilla.org/en-US/firefox/addon/smart-https-revived/
>>
>>60888152
what do you suggest?
>>
>>60888897
not using a placebo
>>
>>60888152
Johnny is a fucking idiot, just like I was. Not anymore. Thanks OP.
>>
HTTPS is a shitshow in general. Tons of people erroneously believe that it's a magical panacea that solves all security problems, and if you use HTTPS you're automatically safe even though that's not how it works.

An insecure site is still an insecure site even when it has HTTPS enabled.
>>
>>60888757
Installed and never looked back. And it's even faster
>>
>>60888152
>HTTPS Everywhere

This is the most retarded meme ever. It doesn't stop the NSA from spying on you.
>>
>>60891135
NSA is a meme
>>
>>60888757
Broken for nvidia.com
>>
>>60891454
nvm it's firefox disabling non-secure parts of the page
>>
johnny is an idiot because he clicked close on the first popup that appears when you install https everywhere

it's a gui that says "Do you want to enable SSL observatory"

also you can disable pages that don't have https

johnny is retarded though
>>
>>60888152
I'm pretty sure only you still didn't know how it worked. I knew it since day one because I actually read the description before installing it.
>>
>>60889428
TLS is not perfect. The whole CA model is a shitshow.

For all the flaws, it's still better than sending cleartext traffic, because it makes it much more difficult and expensive for malicious parties, like governments, to passively intercept traffic.
>>
>>60888152
I did not know this, thanks.
>>
>>60891867
Isn't smart https better because it doesn't use whitelist?
>>
>>60888682
or send Strict-Transport-Security, plain http is deprecated anyway given half the web is viewed from a phone or on shit open wifi so the issue should solve itself
>>
>>60891917
that was not the point of his post at all.
i want summerfags and tech illiterates to leave
>>
>>60891867
Well not necessarily. It depends on where your traffic is going. If it's going to some shitty site that tells you what the latest hot anime is or what the news are, it's completely pointless to encrypt the traffic.

Encryption is only useful when you're either dealing with login information or maybe pirated content.
>>
>>60891731
https everywhere has an option to block the page by default if it doesn't have https

also observatory isn't enabled by default
>>
>>60888682
A+ rating (certbot) reporting in
>>
>>60891966
>t. /v/tard

what happens when someone MITM that "anime" website?

the reason for https isn't just for encryption, it's to confirm you are communicating with the person you think you are
>>
>>60891983
Nothing happens except they read all the data that goes between you and that site. Do you think I don't know what SSL is for?
What the fuck do you think this will do if you're not sending sensitive data to it in the first place?
>>
>>60891944
you're so stupid...
>>
>>60891966
I think it's only better if encryption becomes commonplace. less mass surveillance, better public acknowledgement etc. (gubmint won't be able to pull shit like b&ing encryption when even a normie's grandma understands the importance of encryption)
>>
>>60891999
>Nothing happens
kek. the NSA has to hook itself into the backbone so it can detect SSLHello's and respond to them before the destination server can, which basically completely invalidates MITM if you're not dealing with nation states, but SSL is worthless?
>>
>>60892027
Aw shucks were your fweelings hurt? Get the fuck out, ledditer.
>>
>>60892057
you're so stupid...
>>
>>60892112
>...
pajeet detected
At least learn some lulzy insults and stop abusing ellipses Rajesh. Also I'm doing an EECS degree at Cal. so I'm far from stupid. I'm hacking into your IP right fucking now, you lil underage eternal september faggot.
>>
>>60892184
you're so stupid...
>>
>>60892056
Who the fuck said SSL is worthless beside you? SSL is worthless if you have no data to protect from MITM. The contents of the average site are pointless to MITM, do you realize how hard it is to actually get in a position where you can conduct such an attack? The payoff better be good if you're gonna bother.

>>60892037
Not really, because all the websites and analytics collaborate with the institutions conducting surveillance. Fuck, even I have analytics on people who visit my websites, although mine is in a private database not Google or some other big name aggregator. SSL doesn't protect you from surveillance. It protects you from getting snooped for your passwords and CC numbers through a MITM attack.
That's all it does. It has very negligible effect on surveillance, because that's not what it's for. Surveillance and profiling is done through cross site analytics and tracking courtesy of Google and the likes.

People don't understand the importance of encryption even on /g/, which is to protect your sensitive information from being snooped through MITM while thinking that it protects you from surveillance while you shitpost on rebbit or 4chan. What hope does the grandma have?
>>
>>60888325
its
>>
What does uMatrix "HTTPS only" option do? I got that enabled by default
>>
>>60888152
Just enable "Block all unencrypted requests" and you're good.