gnuzilla-dev

Re: [PATCH] Migrate from HTTPS-Everywhere to Icecat's own HTTPS-Only Mod


From: Mark H Weaver
Subject: Re: [PATCH] Migrate from HTTPS-Everywhere to Icecat's own HTTPS-Only Mode.
Date: Sat, 30 Dec 2023 07:15:31 -0500

Hello Clément,

Thanks for the proposed patch.  Sorry for the delayed response, but
please note that I am just one of four IceCat maintainers, and that we
are all volunteers.

> See https://www.eff.org/https-everywhere.

I'm aware that support for HTTPS Everywhere has been discontinued, and
that upstream recommends that we enable HTTPS-only mode in its place.
This does not necessarily imply that we should follow their suggestion.

I feel somewhat uncomfortable disabling HTTP support in IceCat by
default.  My preferred approach is the one implemented in HTTPS
Everywhere, namely to allow HTTP but to automatically redirect to HTTPS
for URLs where it is known to work.

HTTPS Everywhere is free software, and we are therefore free to continue
using it for as long as we wish.  I haven't looked carefully, but I
would not expect an extension like HTTPS Everywhere to be a security
issue.  This is a very simple extension, presumably written with
security in mind by competent engineers, and which performs no
nontrivial analysis of untrusted input.

The only downside I see to its age is that the included domain lists are
not fresh, and therefore we may miss some opportunities to automatically
redirect to HTTPS.  I'm not troubled by this.  We can update the domain
lists ourselves if important omissions come to our attention.

Anyway, when HTTP is used, IceCat displays a prominent warning on the
left side of the address bar that says "Not Secure".

Having said all of this, I do not have a strong opinion on this.  If
anyone can provide compelling arguments either way, I'd like to hear
them.

One final note: your proposed patch has an important technical flaw.
The change to the default setting of "browser.uiCustomization.state" in
settings.js erroneously removes a closing bracket, leaving the brackets
unbalanced.  The default setting of "browser.uiCustomization.state" is
very important, because otherwise new IceCat users will see broken web
pages without any discoverable UI indicating what the problems are or
how to address them.

Anyway, thanks again for the proposal, and also for your work on the
Guix side.

    Regards,
      Mark


