
Unable to add user rule for host which always redirects

Open kevinoid opened this issue 4 years ago • 13 comments

Type: feature request

Using HTTPS Everywhere 2019.6.27 on Firefox 68.0.2 with "Encrypt All Sites Eligible" set to "ON", if I visit http://lib.montana.edu/ I get the EASE "Open insecure page" warning page. Rather than allowing the insecure page, I would like to add a user rule which redirects http://lib.montana.edu/ to https://www.lib.montana.edu/ but I am unable to figure out a way to do that.

The "Add a rule for this site" button is not available on the EASE "Open insecure page" warning page (moz-extension://b36537ce-5f50-487d-834a-c0e0f99065be/pages/cancel/index.html). If I navigate to https://www.lib.montana.edu/ then click the "Add a rule for this site" button, Host is set to www.lib.montana.edu and is not editable, so the rule will not apply to http://lib.montana.edu/ even if "Matching regex" is changed to match the URL. All http://lib.montana.edu/ URLs redirect to https://www.lib.montana.edu/ so even if I disable EASE to visit the URL, there is no easy way to stay on the site long enough to create a rule. Is there a way for a user to add such a rule? If not, I'd certainly appreciate the feature.

Thanks for considering, Kevin

kevinoid avatar Sep 04 '19 21:09 kevinoid
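For readers unfamiliar with what such a rule would look like, the following is an added illustration (not something from the issue or from the HTTPS Everywhere project itself) of the ruleset shape that the requested user rule corresponds to. The "Host", "Matching regex" and "Redirect to" fields of the "Add a rule for this site" dialog map onto the `target host`, `rule from` and `rule to` attributes of the ruleset format; the ruleset name is an assumed placeholder.

```xml
<!-- Added example of the ruleset shape behind a user rule; the name is a placeholder. -->
<ruleset name="lib.montana.edu (user rule, example)">
  <!-- The host the rule is evaluated for: the bare domain, not the www host. -->
  <target host="lib.montana.edu" />
  <!-- Rewrite the plaintext URL to the HTTPS host the site itself redirects to. -->
  <rule from="^http://lib\.montana\.edu/" to="https://www.lib.montana.edu/" />
</ruleset>
```

The point of the issue is that the dialog pre-fills and locks the `target host` from the page currently displayed, so when the only page that can be reached is https://www.lib.montana.edu/ the `target host` ends up as www.lib.montana.edu and never matches the plaintext bare-domain URL, however the regex is edited.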

Alternatively, if EASE could recognize HTTP to HTTPS redirects and offer to add a rule, that would be even better for my immediate use case. (Although I recognize the devil is in the details for how to make that work reliably and securely.)

kevinoid avatar Sep 04 '19 21:09 kevinoid

@kevinoid It may be too annoying for users to see a notification suggesting adding a custom rule each time.

pipboy96 avatar Sep 05 '19 03:09 pipboy96

@pipboy96 I'm not sure I understand; are you saying that an "Add A Rule" button and text describing the rule below the "Open insecure page" button on the warning page would make the page more annoying? Due to the length, or something else about it?

kevinoid avatar Sep 05 '19 03:09 kevinoid

I mean the suggestion to make a notification on each HTTP to HTTPS redirect.

pipboy96 avatar Sep 05 '19 03:09 pipboy96

In that case I may have been unclear; it sounds like we may have something different in mind. I was trying to suggest that on the EASE "Open insecure page" warning page, if the insecure page which would be shown is a redirect to a secure page, the warning page could offer an option to "Add A Rule" (or "Go to URL") in addition to or instead of "Open insecure page", which adds an exception for a host which might not have any content to display.

kevinoid avatar Sep 05 '19 03:09 kevinoid

@kevinoid This is indeed a good idea. I will try to implement it.

pipboy96 avatar Sep 05 '19 03:09 pipboy96

Awesome, thanks @pipboy96!

kevinoid avatar Sep 05 '19 03:09 kevinoid

Alternatively, if EASE could recognize HTTP to HTTPS redirects and offer to add a rule, that would be even better for my immediate use case.

Why not first try to open the HTTPS version and, if it fails, open the insecure page warning in EASE mode? It's not hard to put https:// as a prefix to URLs.

etanot avatar Sep 18 '19 11:09 etanot

Why not first try to open the HTTPS version and, if it fails, open the insecure page warning in EASE mode? It's not hard to put https:// as a prefix to URLs.

Are you suggesting https-everywhere should follow HTTP->HTTPS redirects in EASE mode without displaying the insecure page warning or adding a rule?

I agree that would be a more pleasant user experience. Unfortunately, it would have some negative security consequences: If https://a.com links to http://b.com which redirects to https://c.com and https-everywhere doesn't have a rule for b.com, then every time a user clicks the link from https://a.com the request and response to http://b.com could be observed and/or attacked. Adding a rule would prevent that, and accepting the warning without adding a rule would at least make users aware of the danger.

kevinoid avatar Sep 18 '19 12:09 kevinoid

Why not first try to open the HTTPS version and, if it fails, open the insecure page warning in EASE mode? It's not hard to put https:// as a prefix to URLs.

Note that, as I understand it, EASE already does try to request a URL over HTTPS before falling back to HTTP. The case in this bug is when HTTPS is not available and the HTTP response redirects to HTTPS on another domain or subdomain.

kevinoid avatar Sep 18 '19 13:09 kevinoid

Are you suggesting https-everywhere should follow HTTP->HTTPS redirects in EASE mode without displaying the insecure page warning or adding a rule?

No, I'm saying that some websites have an HTTPS version but, due to the carelessness of the system administrator, the server is not configured properly to redirect all HTTP requests to HTTPS. And if https-everywhere automatically tries to replace HTTP requests with HTTPS, then, despite the carelessness of either users or sysadmins, users will always end up with the HTTPS version if it exists; otherwise, show users the Open secure page warning.

For example: a website like http://fsf.org.in does have an https version but it will not automatically redirect to https://fsf.org.in. If you try to open the first link (i.e. http://fsf.org.in) in EASE mode, an open secure page warning pops up instead. If https-everywhere automatically replaced the http prefix with https, no matter how badly the server is configured we would end up with the https version of the website if it exists, and it could do this recursively for all requests in that page. And if there is a link present whose https version doesn't exist, drop all requests for that link and notify the users that some of the requests have been dropped because the https version of those requests doesn't exist. Maybe we could notify the user of this by changing the color of the extension icon.

If https://a.com links to http://b.com which redirects to https://c.com and https-everywhere doesn't have a rule for b.com, then every time a user clicks the link from https://a.com the request and response to http://b.com could be observed and/or attacked.

Before sending the request to the server, replace http with https for b.com.

In simple words, I'm saying: in EASE mode, replace all http prefixes with https before sending the request to the server; if that fails, show the Open secure page warning message rather than manually adding a rule for that website.

etanot avatar Sep 18 '19 15:09 etanot

In simple words, I'm saying: in EASE mode, replace all http prefixes with https before sending the request to the server; if that fails, show the Open secure page warning message rather than manually adding a rule for that website.

As I understand it, this is what EASE already does. The reason it doesn't work for http://fsf.org.in is that the certificate for https://fsf.org.in is not valid (it causes SSL_ERROR_BAD_CERT_DOMAIN due to being only valid for mm.ilug-bom.org.in) so the EASE "Open insecure page" warning page is shown.

kevinoid avatar Sep 18 '19 17:09 kevinoid
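To make the distinction in this thread concrete (EASE already tries HTTPS first and falls back to the warning page; kevinoid's proposal above is to treat the case where the plaintext response is itself a redirect to HTTPS differently from the case where the plaintext response serves content), here is an added, self-contained Python model of that decision logic. It is not code from HTTPS Everywhere or from anyone in this thread: the network is replaced by a constructed in-memory table, the hostnames are made up, and the generated ruleset text only illustrates the shape of the rule the warning page could offer. Note that, as the thread points out, learning that the plaintext response is a redirect still requires one plaintext request to be observed, so this logic models what to offer once that response is seen, not a way to avoid the exposure.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: status and optional Location."""
    status: int
    location: Optional[str] = None


# Constructed, in-memory stand-in for the network. A value of None models a
# failed TLS connection (for example a certificate error such as
# SSL_ERROR_BAD_CERT_DOMAIN); hostnames are made up for this example.
FAKE_NET: Dict[str, Optional[Response]] = {
    # HTTPS on the bare host fails; plaintext HTTP redirects to the www host over HTTPS
    "https://lib.example.test/": None,
    "http://lib.example.test/": Response(301, "https://www.lib.example.test/"),
    "https://www.lib.example.test/": Response(200),
    # HTTPS works directly: the EASE upgrade succeeds without any rule
    "https://good.example.test/": Response(200),
    # HTTPS fails and plaintext HTTP serves content (no redirect)
    "https://plain.example.test/": None,
    "http://plain.example.test/": Response(200),
    # HTTPS fails and plaintext HTTP redirects to another *plaintext* URL
    "https://loop.example.test/": None,
    "http://loop.example.test/": Response(302, "http://other.example.test/"),
}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def fake_fetch(url: str) -> Optional[Response]:
    """Look the URL up in the constructed table instead of touching the network."""
    return FAKE_NET.get(url)


def to_https(url: str) -> str:
    """Rewrite the scheme of a URL to https, leaving every other component alone."""
    parts = urlsplit(url)
    return urlunsplit(("https",) + tuple(parts[1:]))


def build_ruleset(from_url: str, to_url: str) -> str:
    """Render the ruleset-shaped text a warning page could offer as a user rule.
    The ruleset name is a placeholder; the regex anchors on the exact plaintext host."""
    host = urlsplit(from_url).hostname
    return (
        f'<ruleset name="{host} (suggested user rule)">\n'
        f'  <target host="{host}" />\n'
        f'  <rule from="^http://{re.escape(host)}/" to="{to_url}" />\n'
        "</ruleset>"
    )


def ease_decision(url: str, fetch=fake_fetch) -> dict:
    """Model EASE handling of an http:// URL.

    Returns a dict whose 'action' is one of:
      'upgraded'      - the HTTPS version loaded, nothing else to do
      'suggest_rule'  - HTTPS failed but plaintext HTTP only redirects to an
                        https:// URL, so a rule to that target can be offered
      'warn_insecure' - HTTPS failed and the plaintext response is content or a
                        redirect to another plaintext URL: show the warning page
    """
    secure = to_https(url)
    if fetch(secure) is not None:
        return {"action": "upgraded", "url": secure}

    # HTTPS failed. Observing what plaintext HTTP answers is itself the exposed
    # request the thread warns about; this only classifies the answer.
    plain = fetch(url)
    if plain is not None and plain.status in REDIRECT_STATUSES and plain.location:
        target = plain.location
        # Only a redirect that lands on https:// justifies offering a rule;
        # a redirect to another http:// URL is just more plaintext.
        if urlsplit(target).scheme == "https":
            return {
                "action": "suggest_rule",
                "url": url,
                "target": target,
                "ruleset": build_ruleset(url, target),
            }
    return {"action": "warn_insecure", "url": url}


if __name__ == "__main__":
    for u in ("http://good.example.test/", "http://lib.example.test/",
              "http://plain.example.test/", "http://loop.example.test/"):
        print(u, "->", ease_decision(u)["action"])
```

The four constructed hosts cover the cases discussed in the thread: a site where the HTTPS upgrade simply works, the bare-domain-to-www redirect from the opening post, a site whose HTTPS fails and whose plaintext response is real content, and a plaintext redirect chain that should still end in the warning page.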

You're right, in EASE mode https-everywhere first tries to make a secure connection, if possible. I tried this on http://codeforces.com and it automatically redirected me to https://codeforces.com.

etanot avatar Sep 19 '19 02:09 etanot