[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] Migrate from HTTPS-Everywhere to Icecat's own HTTPS-Only Mod
|
From: |
Clément Lassieur |
|
Subject: |
Re: [PATCH] Migrate from HTTPS-Everywhere to Icecat's own HTTPS-Only Mode. |
|
Date: |
Sat, 30 Dec 2023 14:12:44 +0100 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) |
Hi Mark,
On Sat, Dec 30 2023, Mark H Weaver wrote:
> Hello Clément,
>
> Thanks for the proposed patch. Sorry for the delayed response, but
> please note that I am just one of four IceCat maintainers, and that we
> are all volunteers.
No problem, thanks for the replies!
>> See https://www.eff.org/https-everywhere.
>
> I'm aware that support for HTTPS Everywhere has been discontinued, and
> that upstream recommends that we enable HTTPS-only mode in its place.
> This does not necessarily imply that we should follow their suggestion.
>
> I feel somewhat uncomfortable disabling HTTP support in IceCat by
> default. My preferred approach is the one implemented in HTTPS
> Everywhere, namely to allow HTTP but to automatically redirect to HTTPS
> for URLs where it is known to work.
As I said in my other email, enabling HTTPS-only doesn't disable HTTP
support. If a site doesn't support HTTPS, a page with a warning
appears, and a user can choose to manually click on "Continue to HTTP
Site". This will temporarily turn off HTTPS-only mode, only for that
site.
> HTTPS Everywhere is free software, and we are therefore free to continue
> using it for as long as we wish. I haven't looked carefully, but I
> would not expect an extension like HTTPS Everywhere to be a security
> issue. This is a very simple extension, presumably written with
> security in mind by competent engineers, and which performs no
> nontrivial analysis of untrusted input.
To me, any code that deals with security and that is not maintained
anymore is a security issue.
Plus the fact that HTTPS-Everywhere is essentially an out-of-date
whitelist, which contradicts the "Everywhere" in the name that misleads
users.
> The only downside I see to its age is that the included domain lists are
> not fresh, and therefore we may miss some opportunities to automatically
> redirect to HTTPS. I'm not troubled by this. We can update the domain
> lists ourselves if important omissions come to our attention.
I don't think we can update the list ourselves (it's a huge work). But
let's not debate this because we don't have to, thanks to HTTPS-only
that works on all sites.
> Anyway, when HTTP is used, IceCat displays a prominent warning on the
> left side of the address bar that says "Not Secure".
>
> Having said all of this, I do not have a strong opinion on this. If
> anyone can provide compelling arguments either way, I'd like to hear
> them.
>
> One final note: your proposed patch has an important technical flaw.
> The change to the default setting of "browser.uiCustomization.state" in
> settings.js erroneously removes a closing bracket, leaving the brackets
> unbalanced. The default setting of "browser.uiCustomization.state" is
> very important, because otherwise new IceCat users will see broken web
> pages without any discoverable UI indicating what the problems or how to
> address them.
Indeed, my bad. I must have not paid attention to this when I tested
the patch.
> Anyway, thanks again for the proposal, and also for your work on the
> Guix side.
And thanks for yours!
Clément