Opened 9 years ago

Closed 8 years ago

#2413 closed enhancement (fixed)

HTTPS Everywhere for Chrome

Reported by: aaronsw | Owned by: pde
Priority: Low | Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere | Version:
Severity: | Keywords:
Cc: mikeperry, pde | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:

Description

I understand that Chrome doesn't yet have the necessary API to make this completely secure (in particular, bug 50943 means that you can't stop the first request to an insecure page) but there's much else to be done:

  • Set up the repository so the rulesets can be read by Firefox and Chrome extension code
  • After loading an insecure page immediately redirect to the secure version so that relative links and future requests are done securely

I understand that this doesn't provide the full security benefits of Firefox HTTPS Everywhere, but I think it would a) provide a clear improvement in security to those who understand the risks, b) make it easy to provide the full security benefits as soon as the necessary APIs have landed. It may also increase the pressure to finish those APIs.

Change History (4)

comment:1 Changed 9 years ago by aaronsw

Another feature could be to ensure all cookies are SSL-only where possible (I assume there's API support for that). This combined with the quick redirect could protect against wo0dh3ad-style attacks. Any time you followed a non-SSL link no cookies would be sent and any time you saw a form it'd have to be on an SSL page, since you'd be redirected.

Also, I presume if this is developed much of the code and infrastructure can be reused for a Safari version.
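The reasoning in the description and comment 1 (redirect after the first load, plus Secure-only cookies) can be traced in a small model. This is an added example, not code from the ticket or from HTTPS Everywhere: it is plain JavaScript rather than Chrome extension API code, and the ruleset, cookie jar and function names are constructed for illustration.

```javascript
// Added illustration: a plain-JavaScript model, not Chrome extension API code.
// Constructed ruleset: hosts assumed to serve the same content over HTTPS.
const RULES = [
  { from: /^http:\/\/(?:www\.)?example\.com\//, to: "https://www.example.com/" },
];

// Return the HTTPS form of url if a rule covers it, otherwise null.
function rewrite(url) {
  for (const rule of RULES) {
    if (rule.from.test(url)) return url.replace(rule.from, rule.to);
  }
  return null;
}

// Cookies a browser would attach: Secure cookies only travel over https:.
function cookiesFor(url, jar) {
  const u = new URL(url);
  return jar
    .filter((c) => u.hostname === c.domain || u.hostname.endsWith("." + c.domain))
    .filter((c) => !c.secure || u.protocol === "https:")
    .map((c) => c.name);
}

// Flag every cookie whose domain is covered by a rule as Secure.
function secureCookies(jar) {
  return jar.map((c) =>
    rewrite("http://" + c.domain + "/") ? { ...c, secure: true } : c
  );
}

// Model of the redirect-after-load design: the first request cannot be
// stopped, so it goes out as typed; a covered page is then reloaded over HTTPS.
function navigate(url, jar) {
  const requests = [{ url, cookies: cookiesFor(url, jar) }];
  const upgraded = rewrite(url);
  if (upgraded) requests.push({ url: upgraded, cookies: cookiesFor(upgraded, jar) });
  return requests;
}

// Constructed cookie jar: one session cookie set without the Secure flag.
const jar = [{ name: "session", domain: "example.com", secure: false }];
console.log(navigate("http://example.com/inbox", jar));
console.log(navigate("http://example.com/inbox", secureCookies(jar)));
```

With the unmodified jar the unavoidable first HTTP request carries the session cookie; once the cookie is flagged Secure, that request carries nothing and only the HTTPS reload is authenticated.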

comment:2 Changed 9 years ago by pde

Priority: normal → minor
Status: new → accepted

Someone tried to port HTTPS Everywhere to Safari. Of course the result was highly insecure. But since they're both WebKit there may be some code that does some of the things you mention?

http://www.nearinfinity.com/blogs/jeff_kunkle/lessons_learned_building_an_ht.html

However, I don't think we want to do any prep-work for a hypothetical Chrome extension until we know what kind of API Chrome is going to offer for request rewriting. In particular, it's possible that Chrome will natively support some alternative form of HTTPS Everywhere ruleset:

https://mail1.eff.org/pipermail/https-everywhere/2010-November/000545.html

comment:3 Changed 9 years ago by aaronsw

agl has confirmed that this isn't going to happen and that they're going to go ahead with the extension.

comment:4 Changed 8 years ago by pde

Resolution: fixed
Status: accepted → closed

Since we're in alpha and I feel like closing a bug, I'm going to close this one :)