🆕 Software Suggestion | smart HTTPS addons is better than HTTPS Everywhere #810

Closed
opened 2019-04-01 06:10:52 +00:00 by hasux3 · 9 comments
hasux3 commented 2019-04-01 06:10:52 +00:00 (Migrated from github.com)

Hello, HTTPS Everywhere has a [database](https://atlas.eff.org/) of many sites that should use HTTPS, but many sites are not in their database and do not redirect to HTTPS automatically! HTTPS Everywhere works for **popular sites only**!

Smart HTTPS works for all sites and does not have a separate database. It automatically changes HTTP addresses to the secure HTTPS (**for all sites**), and if loading encounters an error, reverts back to HTTP.

It is good to remove HTTPS Everywhere from your site and add Smart HTTPS.

https://addons.mozilla.org/en-US/firefox/addon/smart-https-revived/

beerisgood commented 2019-04-01 07:34:38 +00:00 (Migrated from github.com)

Are you sure the add-on doesn't break websites?
Also, why did you say HTTPS Everywhere only supports popular sites? Source? It only uses a database instead of trying to open any site with HTTPS like your add-on.

hasux3 commented 2019-04-01 07:48:02 +00:00 (Migrated from github.com)

Database is correct and I have edited that.
I have tried this add-on for a month and don't see any problem.
The EFF Atlas database is not complete, and many sites that support HTTPS aren't in it.
It isn't possible to put all websites all over the world that support HTTPS into a database!

Mikaela commented 2019-04-01 08:59:57 +00:00 (Migrated from github.com)

How does it compare with HTTPZ which has also been requested to replace HTTPS Everywhere in https://github.com/privacytoolsIO/privacytools.io/issues/778?

hasux3 commented 2019-04-01 09:59:00 +00:00 (Migrated from github.com)

HTTPZ forces HTTPS only and doesn't redirect to HTTP if the site does not support HTTPS, and the user gets an error. This means that with HTTPZ, HTTP sites don't load at all!

Mikaela commented 2019-04-01 17:40:42 +00:00 (Migrated from github.com)

They say the opposite:

> When you are about to visit a site over HTTP, that request is aborted and a new one is started over HTTPS. If that request results in an error related to HTTPS (not just any kind of error), it is automatically redirected back to HTTP, and all subsequent requests to that host are ignored by the extension for the rest of the session (until Firefox is restarted). Since 0.6.0 this period can be customized.

* https://addons.mozilla.org/en-US/firefox/addon/httpz/

atomGit commented 2019-04-01 18:37:39 +00:00 (Migrated from github.com)

> HTTPZ force to https only and don't redirect to http if site not support https and user get error. this mean with HTTPZ http site don't load at all !

absolutely not true - it falls back to http if https fails and whitelists the domain for a period of time (configurable)

[HTTPZ](https://addons.mozilla.org/en-US/firefox/addon/httpz/) is by far the simplest of these add-ons, it works with containers, it works with FPI enabled (others don't/may not) and there's nothing that needs to be configured - i also know the developer to be a great guy so there's no worries of any crapware making its way into this ext.

privacytoolsIO commented 2019-04-01 22:55:04 +00:00 (Migrated from github.com)

"Like the issues with STARTTLS (vs "Implicit TLS"), a downgrade attack could be executed against browsers using Smart HTTPS to prevent them from upgrading to HTTPS; probably when it would be needed most." [Source](https://social.privacytools.io/@BurungHantu/101850377682331530)

atomGit commented 2019-04-01 23:43:41 +00:00 (Migrated from github.com)

though i recommend HTTPZ, it too has a caveat that those considering it for inclusion in privacytools.io may want to consider...

> Unlike HTTPS Everywhere, this extension doesn't take care of sub-requests triggered from HTTP-only sites. For now, it outright ignores those requests, because using the same approach with those (retrying on error) is very complicated and has significant drawbacks.

i don't know how other add-ons deal with 3rd party requests from http sites


Like @BurungHantu1605 said, the possibility for downgrade attacks makes this and HTTPZ (#778) both non-recommendable IMO. It's unfortunate HTTPS Everywhere has to rely on whitelists but it's the more secure option.

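The trade-off argued in this thread, as an added JavaScript model that is not code from HTTPS Everywhere, Smart HTTPS or HTTPZ: a ruleset policy fails closed on listed hosts but leaves unlisted HTTPS-capable hosts on HTTP, while try-then-fall-back covers every host but ends up on HTTP whenever the HTTPS attempt fails. The host names, the `blocked` set and the no-fallback behaviour of the ruleset policy are assumptions of the model.

```javascript
// Added illustration: not code from HTTPS Everywhere, Smart HTTPS or HTTPZ.
// Constructed model: three hosts, all reachable over plain HTTP, and whether
// each one also answers over HTTPS.
const SITES = {
  "bank.example":   { https: true },   // listed in the ruleset below
  "blog.example":   { https: true },   // supports HTTPS but is not listed
  "legacy.example": { https: false },  // HTTP only
};

// Stand-in for a real request. `blocked` is the set of hosts whose HTTPS
// connections fail because of on-path interference (assumption of the model).
function httpsWorks(host, blocked) {
  return SITES[host].https && !blocked.has(host);
}

// Ruleset policy (assumed behaviour): listed hosts are HTTPS-only with no
// fallback; unlisted hosts stay on the scheme that was requested (HTTP here).
function rulesetPolicy(ruleset) {
  return (host, blocked) => {
    if (!ruleset.has(host)) return { scheme: "http", loaded: true };
    return { scheme: "https", loaded: httpsWorks(host, blocked) };
  };
}

// Opportunistic policy as described in the thread: try HTTPS first, fall back
// to HTTP on an HTTPS error, and ignore that host until the exemption expires.
function opportunisticPolicy(exemptMs) {
  const exemptUntil = new Map(); // host -> time (ms) until which it is skipped
  return (host, blocked, now) => {
    if ((exemptUntil.get(host) ?? 0) > now) return { scheme: "http", loaded: true };
    if (httpsWorks(host, blocked)) return { scheme: "https", loaded: true };
    exemptUntil.set(host, now + exemptMs);
    return { scheme: "http", loaded: true };
  };
}

// Side-by-side run: no interference, then HTTPS to bank.example failing.
const ruleset = rulesetPolicy(new Set(["bank.example"]));
const opportunistic = opportunisticPolicy(60_000);
for (const blocked of [new Set(), new Set(["bank.example"])]) {
  for (const host of Object.keys(SITES)) {
    const r = ruleset(host, blocked);
    const o = opportunistic(host, blocked, 0);
    console.log(host, "blocked:", blocked.has(host),
      "| ruleset:", r.scheme, r.loaded ? "loaded" : "failed closed",
      "| opportunistic:", o.scheme);
  }
}
```

In the second pass `bank.example` fails closed under the ruleset policy and loads over HTTP under the opportunistic one, and it stays exempt from upgrading until the configured period ends even after HTTPS works again.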
Reference: privacyguides/privacytools.io#810