[tor-bugs] #6486 [EFF-HTTPS Everywhere]: Need non-fallback to http option

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Jan 3 05:50:17 UTC 2013 

#6486: Need non-fallback to http option
-------------------------------------+--------------------------------------
    Reporter:  grarpamp              |       Owner:  pde     
        Type:  defect                |      Status:  reopened
    Priority:  minor                 |   Milestone:          
   Component:  EFF-HTTPS Everywhere  |     Version:          
  Resolution:                        |    Keywords:          
      Parent:                        |      Points:          
Actualpoints:                        |  
-------------------------------------+--------------------------------------
Changes (by pde):

  * priority:  normal => minor


Comment:

 Replying to [comment:4 grarpamp]:

 > Again, if browser is fed an http uri, https-e remaps it to https and
 sends it to server, and then if the https server returns protocol error,
 or plain doesn't respond, I don't want https-e hiding that server message
 or browser timeout from me (and possibly also falling back).

 It shouldn't do either of these things.  Do you have an example?

 > And if the server protocol 302's it back to http, I don't want https-e
 taking that 302 to http directive, remapping it again to https, sending it
 again, looping around with that for a while till finally giving up and
 using the server's 302 to http, and staying http thereafter.

 HTTPS Everywhere ''does'' do this.  If the site won't keep your data
 secure, the site won't keep your data secure, and HTTPS isn't going to
 help.  Our default philosophy is to maximize security without breaking
 websites.

 >
 > So an option to disable the fallback after loop detected, aka: don't use
 http ever.
 > And an option to just quit that uri on error or timeout, aka: show me.

 Want to write the patch?  It should be an about:config setting, rather
 than anything in the UI, and the place you want to patch is
 [https://gitweb.torproject.org/https-
 everywhere.git/blob/3.0:/src/chrome/content/code/HTTPS.js#l45 here]
 (excuse the whacky newlines, they're from the NoScript source).

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6486#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list