[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] Migrate from HTTPS-Everywhere to Icecat's own HTTPS-Only Mod

From: Clément Lassieur
Subject: Re: [PATCH] Migrate from HTTPS-Everywhere to Icecat's own HTTPS-Only Mode.
Date: Sat, 30 Dec 2023 14:12:44 +0100
User-agent: Gnus/5.13 (Gnus v5.13)

Hi Mark,

On Sat, Dec 30 2023, Mark H Weaver wrote:

> Hello Clément,
> Thanks for the proposed patch.  Sorry for the delayed response, but
> please note that I am just one of four IceCat maintainers, and that we
> are all volunteers.

No problem, thanks for the replies!

>> See
> I'm aware that support for HTTPS Everywhere has been discontinued, and
> that upstream recommends that we enable HTTPS-only mode in its place.
> This does not necessarily imply that we should follow their suggestion.
> I feel somewhat uncomfortable disabling HTTP support in IceCat by
> default.  My preferred approach is the one implemented in HTTPS
> Everywhere, namely to allow HTTP but to automatically redirect to HTTPS
> for URLs where it is known to work.

As I said in my other email, enabling HTTPS-only doesn't disable HTTP
support.  If a site doesn't support HTTPS, a page with a warning
appears, and a user can choose to manually click on "Continue to HTTP
Site".  This will temporarily turn off HTTPS-only mode, only for that

> HTTPS Everywhere is free software, and we are therefore free to continue
> using it for as long as we wish.  I haven't looked carefully, but I
> would not expect an extension like HTTPS Everywhere to be a security
> issue.  This is a very simple extension, presumably written with
> security in mind by competent engineers, and which performs no
> nontrivial analysis of untrusted input.

To me, any code that deals with security and that is not maintained
anymore is a security issue.

Plus the fact that HTTPS-Everywhere is essentially an out-of-date
whitelist, which contradicts the "Everywhere" in the name that misleads

> The only downside I see to its age is that the included domain lists are
> not fresh, and therefore we may miss some opportunities to automatically
> redirect to HTTPS.  I'm not troubled by this.  We can update the domain
> lists ourselves if important omissions come to our attention.

I don't think we can update the list ourselves (it's a huge work).  But
let's not debate this because we don't have to, thanks to HTTPS-only
that works on all sites.

> Anyway, when HTTP is used, IceCat displays a prominent warning on the
> left side of the address bar that says "Not Secure".
> Having said all of this, I do not have a strong opinion on this.  If
> anyone can provide compelling arguments either way, I'd like to hear
> them.
> One final note: your proposed patch has an important technical flaw.
> The change to the default setting of "browser.uiCustomization.state" in
> settings.js erroneously removes a closing bracket, leaving the brackets
> unbalanced.  The default setting of "browser.uiCustomization.state" is
> very important, because otherwise new IceCat users will see broken web
> pages without any discoverable UI indicating what the problems or how to
> address them.

Indeed, my bad.  I must have not paid attention to this when I tested
the patch.

> Anyway, thanks again for the proposal, and also for your work on the
> Guix side.

And thanks for yours!


reply via email to

[Prev in Thread] Current Thread [Next in Thread]