Opened 7 years ago

Closed 7 years ago

#6485 closed defect (wontfix)

Default rules to off (or partial marked) for less than 100% https sites

Reported by: grarpamp
Owned by: pde
Priority: High
Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere
Version:
Severity:
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Assuming a goal of HTTPS-E is to avoid exposing the general user to much risk, let us not enable by default rulesets which do not offer 100% encryption coverage of a site experience.

A happy pretty green checkmark by a ruleset seems to imply that...

  • authentication login tokens are safe
  • session info (cookie, SID, etc) is safe
  • content is safe

Yet some rulesets are happy green pretty when no such guarantee is provided by said rules. Not to mention that an exposing fallback can occur when a rule breaks, since there is currently no 'do not fallback' option.

So default them off, or deploy another indicator for them.

Child Tickets

Change History (1)

comment:1 Changed 7 years ago by pde

Resolution: wontfix
Status: new → closed

The browser UI should indicate the difference between full HTTPS and mixed content. Chrome still does this clearly, but Firefox has unfortunately moved in the wrong direction. If you want to file a bugzilla bug calling for clearer HTTPS UI, please send the bug ID and we'll happily weigh in there :).

In the meantime, I'm going to mark this WONTFIX. Partial HTTPS can offer useful defenses against passive surveillance adversaries, so we want to keep it there. Also, _some_ of the partial rulesets with <securecookie> tags offer genuine and significant protection even against active adversaries (though it depends on what type of content is loaded via HTTP, of course).
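An added example, not code from the ticket or from HTTPS Everywhere itself: a small Python checker that reads a ruleset in the extension's XML format and reports whether it moves the whole site to HTTPS or leaves some URLs on HTTP (the partial case discussed in this ticket), and whether a `<securecookie>` tag would protect a given cookie. The sample ruleset, hostnames and cookie names are constructed.

```python
import re
import xml.etree.ElementTree as ET
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Constructed sample ruleset for a hypothetical site: the <exclusion> leaves
# one legacy path on plain HTTP (partial coverage) but cookies are secured.
SAMPLE_RULESET = r"""
<ruleset name="Example (partial)">
  <target host="example.com" />
  <target host="*.example.com" />
  <exclusion pattern="^http://www\.example\.com/legacy/" />
  <securecookie host="^\.?(www\.)?example\.com$" name=".+" />
  <rule from="^http:" to="https:" />
</ruleset>
"""

def classify(ruleset_xml):
    """Summarise how much of the site a ruleset actually moves to HTTPS."""
    root = ET.fromstring(ruleset_xml)
    exclusions = [e.get("pattern") for e in root.iter("exclusion")]
    return {
        "name": root.get("name"),
        # Any <exclusion> means some URLs stay on HTTP: the 'partial' case.
        "full_coverage": not exclusions,
        "exclusions": exclusions,
        "secures_cookies": root.find("securecookie") is not None,
    }

def rewrite(url, ruleset_xml):
    """Return the HTTPS URL the ruleset produces, or None if it stays on HTTP."""
    root = ET.fromstring(ruleset_xml)
    host = urlsplit(url).hostname or ""
    # Rules apply only to hosts listed as <target>; '*' is a glob wildcard.
    if not any(fnmatch(host, t.get("host")) for t in root.iter("target")):
        return None
    if any(re.search(e.get("pattern"), url) for e in root.iter("exclusion")):
        return None
    for r in root.iter("rule"):
        new = re.sub(r.get("from"), r.get("to"), url)
        if new != url:
            return new
    return None

def cookie_secured(host, name, ruleset_xml):
    """True if a <securecookie> tag would add the Secure flag to this cookie."""
    root = ET.fromstring(ruleset_xml)
    return any(re.search(c.get("host"), host) and re.search(c.get("name"), name)
               for c in root.iter("securecookie"))
```

Running `classify` over a ruleset directory is a quick way to list which rulesets would need the "partial" indicator the ticket asks for.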
