https-everywhere
Unable to add user rule for host which always redirects
Type: feature request
Using HTTPS Everywhere 2019.6.27 on Firefox 68.0.2 with "Encrypt All Sites Eligible" set to "ON", if I visit http://lib.montana.edu/ I get the EASE "Open insecure page" warning page. Rather than allowing the insecure page, I would like to add a user rule which redirects http://lib.montana.edu/ to https://www.lib.montana.edu/, but I am unable to figure out a way to do that.
The "Add a rule for this site" button is not available on the EASE "Open insecure page" warning page (moz-extension://b36537ce-5f50-487d-834a-c0e0f99065be/pages/cancel/index.html). If I navigate to https://www.lib.montana.edu/ then click the "Add a rule for this site" button, Host is set to `www.lib.montana.edu` and is not editable, so the rule will not apply to http://lib.montana.edu/ even if "Matching regex" is changed to match the URL. All http://lib.montana.edu/ URLs redirect to https://www.lib.montana.edu/, so even if I disable EASE to visit the URL, there is no easy way to stay on the site long enough to create a rule. Is there a way for a user to add such a rule? If not, I'd certainly appreciate the feature.
Thanks for considering, Kevin
Alternatively, if EASE could recognize HTTP to HTTPS redirects and offer to add a rule, that would be even better for my immediate use case. (Although I recognize the devil is in the details for how to make that work reliably and securely.)
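The rule being asked for, written out in HTTPS Everywhere's ruleset XML format (the same `target`/`rule` structure the bundled rulesets use). This is an added example for illustration, not a ruleset from the project or from the thread; it assumes that https://www.lib.montana.edu/ really serves the content that http://lib.montana.edu/ redirects to, and that a `rule` is allowed to rewrite the host as well as the scheme, which the format permits because `to` is an ordinary regex replacement.

```xml
<!-- Added example ruleset; not part of the HTTPS Everywhere ruleset library. -->
<ruleset name="Montana State University Library (example)">
  <!-- The target is the host the extension consults this ruleset for:
       the bare host that only answers over plain HTTP. -->
  <target host="lib.montana.edu" />

  <!-- The rewrite changes both the scheme and the host, so the plaintext
       request to lib.montana.edu (and its redirect) never leaves the browser. -->
  <rule from="^http://lib\.montana\.edu/"
        to="https://www.lib.montana.edu/" />
</ruleset>
```

The in-browser "Add a rule for this site" dialog collects the same three pieces of information (Host, Matching regex, Redirect to), but it fills in Host from the page currently shown, which is exactly why the dialog cannot express this rule from the `www` page.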
@kevinoid It may be too annoying for users to see a notification suggesting adding a custom rule each time.
@pipboy96 I'm not sure I understand. Are you saying that an "Add A Rule" button and text describing the rule below the "Open insecure page" button on the warning page would make the page more annoying? Due to the length, or something else about it?
I mean the suggestion to make a notification on each HTTP to HTTPS redirect.
In that case I may have been unclear; it sounds like we may have something different in mind. I was trying to suggest that on the EASE "Open insecure page" warning page, if the insecure page which would be shown is a redirect to a secure page, the warning page could offer an option to "Add A Rule" (or "Go to URL") in addition to or instead of "Open insecure page", which adds an exception for a host which might not have any content to display.
@kevinoid This is indeed a good idea. I will try to implement it.
Awesome, thanks @pipboy96!
> Alternatively, if EASE could recognize HTTP to HTTPS redirects and offer to add a rule, that would be even better for my immediate use case.
Why not first try to open the HTTPS version and, if it fails, open the `insecure page` warning in EASE mode? It's not hard to put `https://` as a prefix to URLs.
> Why not first try to open the HTTPS version and, if it fails, open the `insecure page` warning in EASE mode? It's not hard to put `https://` as a prefix to URLs.
Are you suggesting https-everywhere should follow HTTP->HTTPS redirects in EASE mode without displaying the `insecure page` warning or adding a rule?
I agree that would be a more pleasant user experience. Unfortunately, it would have some negative security consequences: If https://a.com links to http://b.com which redirects to https://c.com and https-everywhere doesn't have a rule for b.com, then every time a user clicks the link from https://a.com the request and response to http://b.com could be observed and/or attacked. Adding a rule would prevent that, and accepting the warning without adding a rule would at least make users aware of the danger.
> Why not first try to open the HTTPS version and, if it fails, open the `insecure page` warning in EASE mode? It's not hard to put `https://` as a prefix to URLs.
Note that, as I understand it, EASE already does try to request a URL over HTTPS before falling back to HTTP. The case in this bug is the one where HTTPS is not available and the HTTP response redirects to HTTPS on another domain or subdomain.
> Are you suggesting https-everywhere should follow HTTP->HTTPS redirects in EASE mode without displaying the `insecure page` warning or adding a rule?
No, I'm saying that some websites have an HTTPS version but, due to carelessness of the system administrator, they don't configure the server properly to redirect all HTTP requests to HTTPS. And if https-everywhere automatically tries to replace HTTP requests with HTTPS, then despite either the users' or the sysadmins' carelessness, users will always end up with the HTTPS version if it exists; otherwise, show users the `Open secure page` warning.

For example: a website like http://fsf.org.in does have an https version, but it will not automatically redirect to https://fsf.org.in. If you try to open the first link (i.e. http://fsf.org.in) in EASE mode, an open secure page warning is popped up instead. If https-everywhere automatically replaces the `http` prefix with `https`, no matter how badly the server is configured we end up with the https version of the website if it exists, and we do this recursively for all requests in that page. And if there is a link present whose `https` version doesn't exist, drop all requests for that link and notify the users that some of the requests have been dropped because the https version of those requests doesn't exist. Maybe we notify the user of this by changing the color of the extension.
> If https://a.com links to http://b.com which redirects to https://c.com and https-everywhere doesn't have a rule for b.com, then every time a user clicks the link from https://a.com the request and response to http://b.com could be observed and/or attacked.
Before sending the request to the server, replace http with https for b.com.
In simple words, I'm saying that in EASE mode we should replace all `http` prefixes with `https` before sending the request to the server; if it fails, show the `Open secure page` warning message rather than manually adding the rule for that website.
> In simple words, I'm saying that in EASE mode we should replace all `http` prefixes with `https` before sending the request to the server; if it fails, show the `Open secure page` warning message rather than manually adding the rule for that website.
As I understand it, this is what EASE already does. The reason it doesn't work for http://fsf.org.in is that the certificate for https://fsf.org.in is not valid (it causes `SSL_ERROR_BAD_CERT_DOMAIN` due to being only valid for `mm.ilug-bom.org.in`), so the EASE "Open insecure page" warning page is shown.
You're right, in EASE mode https-everywhere first tries to make a secure connection, if possible. I tried this on http://codeforces.com and it automatically redirected me to https://codeforces.com.