Firefox Extension HTTPS Everywhere Does What It Sounds Like

climenole writes "HTTPS Everywhere is a Firefox extension produced as a collaboration between The Tor Project and the Electronic Frontier Foundation. It encrypts your communications with a number of major websites. Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS."

noscript?

[Cmdr-Absurd]

noscript has a means of doing this on a per-site basis. Wildcards are accepted.

Re:noscript?

[Dishevel]

Would someone tell me how this happened? We were the fucking vanguard of websites in this country. Slashdot was the website to comment on. Then the other guy came out with https. Were we scared? Hell, no. Because we hit back with a little thing called httpss. That's got double t's and double s's. For security. But you know what happened next? Shut up, I'm telling you what happened—the bastards went to four s's. Now we're standing around with our cocks in our hands, selling tdouble t's and double s's. Securitye or no, suddenly we're the chumps. Well, fuck it. We're going to five s's. Sure, we could go to four s's next, like the competition. That seems like the logical thing to do. After all, three worked out pretty well, and four is the next number after three. So let's play it safe. Let's make a thicker algorithm and call it the slashdot htppssss. Why innovate when we can follow? Oh, I know why: Because we're a business, that's why! You think it's crazy? It is crazy. But I don't give a shit. From now on, we're the ones who have the edge in the multi-s's game. Are they the best a man can get? Fuck, no. Slashdot is the best a man can get. What part of this don't you understand? If two s's is good, and three s's is better, obviously five s's would make us the best fucking website that ever existed. Comprende? We didn't claw our way to the top of the website game by clinging to the two-s's industry standard. We got here by taking chances. Well, five s's is the biggest chance of all. Here's the report from Engineering. Someone put it in the bathroom: I want to wipe my ass with it. They don't tell me what to invent—I tell them. And I'm telling them to stick two more s's in there. I don't care how. Make the s's so thin they're invisible. Put some after the /. I don't care if they have to cram the fifth s in perpendicular to the other four, just do it! You're taking the "safety" part of "safety website" too literally, grandma. Cut the strings and soar. Let's hit it. Let's roll. This is our chance to make website history. Let's dream big. All you have to do is say that five s's can happen, and it will happen. If you aren't on board, then fuck you. And if you're on the board, then fuck you and your father. Hey, if I'm the only one who'll take risks, I'm sure as hell happy to hog all the glory when the five-s website becomes the shaving tool for the U.S. of "this is how we shave now" A. People said we couldn't go to three. It'll cost a fortune to manufacture, they said. Well, we did it. Now some egghead in a lab is screaming "Five's crazy?" Well, perhaps he'd be more comfortable in the labs at Norelco, working on fucking electrics. Rotary s's, my white ass! Maybe I'm wrong. Maybe we should just ride in facebook's wake and make social networking sites. Ha! Not on your fucking life! The day I shadow a penny-ante outfit like Facebook is the day I leave the website game for good, and that won't happen until the day I die! The market? Listen, we make the market. All we have to do is put her out there with a little jingle. It's as easy as, "Hey, commenting with anything less than five s's is like scraping your beard off with a dull hatchet." Or "You'll be so smooth, I could snort lines off of your chin." Try "Your neck is going to be so friggin' soft, someone's gonna walk up and tie a goddamn Cub Scout kerchief under it." I know what you're thinking now: What'll people say? Mew mew mew. Oh, no, what will people say?! Grow the fuck up. When you're on top, people talk. That's the price you pay for being on top. Which Slashdot is, always has been, and forever shall be, Amen, five s's, sweet Jesus in heaven. Stop. I just had a stroke of genius. Are you ready? Open your mouth, baby birds, cause Mama's about to drop you one sweet, fat nightcrawler. Here she comes: Put another PGP key on that fucker, too. That's right. Five s's, two security algoritims, and make the second one PGP. You heard me—the second bit of security is PGP. It's a whole new way to think about commenting. Don't question it. Don't say a word. Just key the music, and call the chorus girls, because we're on the edge—the website's edge—and I feel like dancing.

Re:noscript?

[Beardo+the+Bearded]

I got the Onion reference. This would have been an Epic FP.

Re:noscript?

[Peach+Rings]

No, noscript can't do this. Noscript just changes http to https. If you want more complex rewriting like

http://en.wikipedia.org/wiki/Main_Page
to
https://secure.wikimedia.org/wikipedia/en/wiki/Main_Page
then you need something like this extension.

Of course, it's useless in the case of wikipedia, because no images at all are available from the secure server. The extension will let images through unencrypted, so it's very easy to tell what page you're looking at. You can just go to the image pages and scroll down to "what links here," and the page that appears in every list is the page that the person is looking at.

You can block unsecure content with noscript but articles are unusable without the helpful diagrams and pictures.

NoScript has done this for years

[Coopjust]

http://noscript.net/features#options

Preferences for enhancing HTTPS behavior and cookies:
Force the following sites to use secure (HTTPS) connections - a space-separated list of site patterns

Then again, if you don't trust the NoSript author after the controversy, this might be a good alternative. I figure NoScript is under more scrutiny than any other extension and the author learned his lesson.

Default to HTTP?

[SpazmodeusG]

Geez. What kind of poorly written site would do something like quietly defaulting to unencrypted HTTP on a HTTPS request.

https://www.slashdot.org/

Re:Default to HTTP?

So I guess you'd be ok with just telling me your login and password, rather than making me go through the effort to sniff them, right?

I eagerly await your response.

Re:Default to HTTP?

[icebraining]

If anyone wants to protect his/her login data, why don't they use OpenID and a secure provider?

Re:Default to HTTP?

[Burz]

O RLY?

Try using Slashdot (or most other sites) all day in an airport or at a cafe with your laptop, then see how long it takes for someone to start F-ing around with the Javascript that your browser is receiving in the clear. And then there are those lovely residential ISPs that screw with your web pages for not very different reasons.

The EFF wants to see the web prepared for an assault that looks likely to intensify.

BTW, there is such a thing as being too cheap.

Re:Default to HTTP?

[profplump]

It's only the optimal solution for you. If the client choose HTTPS and you change back to HTTP then *you're* deciding that their content shouldn't be encrypted, even if they think it should be. You can choose not to offer HTTPS if you think the burden is too high on your end, but you're lying to yourself by calling it the "optimal" solution for both sides.

You might not care that your web browsing is encrypted. But I might be on a monitored network and don't want my overlords to know that I downloaded a cheesecake recipe because it would ruin their surprise birthday party. That or any of 1,000 other scenarios might lead me to desire encrypted communications even for information that you don't consider worthy of encryption.

Frankly I think *all* communications should be routinely encrypted just to discourage eavesdropping. Plus if encryption became the status quo your browser could offer sane warning messages about unencrypted transfers, rather than putting up no warning for unencrypted transfers and then freaking out when you have an encrypted but unauthenticated transfer.

Re:Default to HTTP?

[e2d2]

You're shit out of luck because _we_ pay the bills here and _we_ build the websites so yes it's not being out of line to think that we should control how it's delivered. Take your entitlement to someplace that honors that currency. I'm a hacker too, but this whole "I want everything in the world my way" shit is getting old. Live with it, or don't. But it's not an "issue" in any way as far as I'm concerned. Don't like it? Go elsewhere.

Link?

For those of you without google ... http://www.eff.org/https-everywhere

Re:Link?

Shouldn't that be https://www.eff.org/https-everywhere ?

Re:Link?

[Meneth]

EFF says:

In an ideal world, every web request could be defaulted to HTTPS

I say:
In an ideal world, you wouldn't NEED to use HTTPS.

Re:Link?

[Sir_Lewk]

There are realistic ideal worlds, and there are unrealistic ideal worlds.

Much needed extension

[Jojoba86]

Oh wow, this is awesome. I've used greasemonkey scripts with facebook but it's pretty ugly, seems to load the http page before the https page. This sounds perfect. Here's the link https://www.eff.org/files/https-everywhere-latest.xpi which is missing from TFS.

Re:Much needed extension

[Fnkmaster]

Hmm... if you are trying to encrypt your communications with *Facebook* something tells me you are worrying about the wrong people getting their hands on your personal data.

Does what it sounds like...

[Nick+Fel]

...except not "everywhere", just major sites.

Re:Does what it sounds like...

[Tim+C]

It can't be *everywhere* as not every site provides HTTPS access. You could go through a proxy, but that would only encrypt traffic between you and the proxy (and would of course introduce a potential bottleneck if it was a general-use proxy)

I can't understand...

[gouttonio]

... how does this work without risk of compromising the data at the end of the tor route if the webserver won't accept https. I'll be waiting for SPEEDY which looks like a cleaner way of encrypting everything.

Does What It Sounds Like?

[Culture20]

It can't work unless these sites already have an https version. If they redirect all 443 traffic to 80 like /., then it does nothing. It might work for facebook since it has a couple pages that allow https, but I'm sure things like their photo servers are probably http only.

Link

[muffen]

Maybe a link to the addon would be useful in the story?

Re:Link

[Nixoloco]

Another extension that some might find useful is SSLPasswdWarning. It evaluates password input fields and pops up a warning whenever they post via non HTTPS.

Cipher CPU use, caching, and Google Custom Search

[tepples]

What kind of poorly written site would do something like quietly defaulting to unencrypted HTTP on a HTTPS request.

Once the user has logged in, there are three reasons to switch back to HTTPS for any page that doesn't take credit cards or the like:

• The ciphers in HTTPS take a not insignificant amount of CPU time. Not all web applications are database- or network-bound.
• HTTPS isn't cacheable by intermediate transparent proxies, such as those used by dial-up or satellite Internet providers.
• Google has not released a version of the Google Custom Search box that works on HTTPS sites. The last time I tried it, IE would show the mixed-content alert: "Do you want to display only the webpage content that was delivered securely?" I had to add a workaround to a shopping site that disables Google Custom Search when the user is browsing in HTTPS mode.

firefox doesn't really make it easy for the users

[roman_mir]

Firefox itself does not really make it easy for the users or for admins to use https everywhere.

I just made a small site, it's for a business, that runs everything through https, I redirect http to https completely. Firefox 3.6.3 on Windows had no problem running the site. IE on windows couldn't open the encrypted pages, Firefox 3.5 on any GNU/Linux distro couldn't open them either, to fix this, I had to add this to /etc/conf.d/ssl.conf : SSLInsecureRenegotiation on

That fixed the IE and FF3.5 on Linux problem.

Here is the description of this flag from apache mod_ssl directive description page:

SSLInsecureRenegotiation Directive
Description: Option to enable support for insecure renegotiation
Syntax: SSLInsecureRenegotiation flag
Default: SSLInsecureRenegotiation off
Context: server config, virtual host
Status: Extension
Module: mod_ssl
Compatibility: Available in httpd 2.2.15 and later, if using OpenSSL 0.9.8m or later

As originally specified, all versions of the SSL and TLS protocols (up to and including TLS/1.2) were vulnerable to a Man-in-the-Middle attack (CVE-2009-3555) during a renegotiation. This vulnerability allowed an attacker to "prefix" a chosen plaintext to the HTTP request as seen by the web server. A protocol extension was developed which fixed this vulnerability if supported by both client and server.

If mod_ssl is linked against OpenSSL version 0.9.8m or later, by default renegotiation is only supported with clients supporting the new protocol extension. If this directive is enabled, renegotiation will be allowed with old (unpatched) clients, albeit insecurely.
Security warning

If this directive is enabled, SSL connections will be vulnerable to the Man-in-the-Middle prefix attack as described in CVE-2009-3555.
Example

SSLInsecureRenegotiation on

The SSL_SECURE_RENEG environment variable can be used from an SSI or CGI script to determine whether secure renegotiation is supported for a given SSL connection.

I wonder if there are other ways of making this work with my other directives:

SSLEngine on
SSLCipherSuite HIGH:MEDIUM:!aNULL:+MD5

SSLVerifyClient none - I am thinking about switching it to 'require' right now, but will have to test all browsers with it again, but have to do it I think.

Oh, and getting it all to run together with apache httpd with mod_ssl + mod_jk + apache tomcat is quite a hassle.

But most unfortunate thing about FF is how it treats the self-signed certificates. It shows it as an SSL ERROR, to which exceptions must be made for the user to be able to enter the site. Can FF developers think about this fact for like longer than a second? It is not an error to run a site with a self-signed certificate, it is a configuration choice and it provides an important role to the site: encrypted traffic for login and for the data transferred to and from the client.

Why is FF showing this to the users as an error? This is not an error, this is by design and it is a special case of usage. Who is not frustrated by the browser treating self signed certificates as if they are some sort of a disease? They provide an important role - a way to secure communications between the server and the browser.

Can this be looked at, because I am SURE this prevents various sites from using encrypted traffic in the first place and it is a BAD thing, not a good one. All traffic needs to be encrypted, but especially user name/password traffic shouldn't be sent around in plain text.

Name it what it is: an exceptional case of using security to encrypt traffic, a case where the site may not necessarily be what it wants to be seen as, but at least the traffic is actually encrypted. It's terrible if someone comes to your site just to see: SSL ERROR on it, OF-COURSE admins don't want THAT message to be shown on their sites, why do you think so few sites do security properly?

forcing views of the hompage

[SuperBanana]

I don't care about ads on his site.

I care about being forced to update NoScript every few days, each time being forced to load his site. I've got another extension, a Flash downloader that does the same thing. They're both either the world's worst programmers, or they're intentionally releasing updates just to drive traffic to their homepages.

It's also incredibly irritating to get interrupted almost every time I go to restart Firefox!

Re:forcing views of the hompage

From the FAQ [http://noscript.net/faq]:

2.5
Q: I don't like NoScript redirecting the browser on its release notes page every time I upgrade it. Is there any way to prevent this?
A: First time you install NoScript and every time you upgrade it to a newer major version, Firefox opens an additional tab containing the NoScript welcome page, where you can read the release notes, the latest announcements and an introduction to the most important NoScript features (plus a link to this very FAQ...)
If you feel you don't need such heads up, you can disable this feature by clicking the NoScript icon, selecting Options and unchecking "Display the release notes on update" in the "Notifications" tab.
Notice that if the above "fix" doesn't work or, worse, you keep being redirected on the welcome page every time you restart Firefox, chances are there's something (like a buggy extension) preventing your preferences from being saved: you may need to follow this advice, then.

Re:forcing views of the hompage

[Coopjust]

http://noscript.net/faq#qa2_5

Q: I don't like NoScript redirecting the browser on its release notes page every time I upgrade it. Is there any way to prevent this?
If you feel you don't need such heads up, you can disable this feature by clicking the NoScript icon, selecting Options and unchecking "Display the release notes on update" in the "Notifications" tab.

He's intentionally driving traffic to his page, but you can disable it easily (it used to require about:config, but it was a boolean that was fairly easy to find).

Re:forcing views of the hompage

[rlk]

AdBlock Plus and NoScript are doing different things -- ABP is basically a filter engine, and the rules are the only thing that (normally) needs to be updated. NoScript is blocking things based on various algorithms, so it's procedural rather than data-driven. It's not surprising that NoScript's engine needs to be updated more often than ABP's.

Re:forcing views of the hompage

[j.sanchez1]

about:config
set noscript.firstRunRedirection to false

Re:forcing views of the hompage

[Peach+Rings]

So you'd rather have extensions updating themselves through their own downloader code than have them just use the Firefox update framework?

Re:forcing views of the hompage

[clone53421]

Of course I would. The Firefox update process requires a complete restart of the browser. If an extension can update its filter set without requiring a complete extension update and the corresponding browser restart, it should.

In fact, since Javascript is capable of self-modification it’d be nice to see extensions that could update themselves on-the-fly, only updating the actual files on the disk when the browser is restarted.

Does NOT work for Slashdot.org

Unfortunately. No https for slashdot.org - why not Slashdot? Comments on politically orientated stories from "sensitive" countries does not deserve to be encrypted? You should know better Slashdot

Re:Does NOT work for Slashdot.org

[Lingerance]

That's a subscriber feature.

Re:Does NOT work for Slashdot.org

[FriendlyLurker]

That's a subscriber feature.

So to narrow down people posting politically sensitive stories (say, whistle-blower type stories) from a country, it is merely necessary to cross check banking records against payments to Slashdot. Slashdot should know better.

Re:Does NOT work for Slashdot.org

[ConceptJunkie]

It's not /.'s job to provide a secure means for posting politically sensitive stories. It would be nice if that's possible but that's not what they are in the business of doing, so I don't think it's fair to suggest /. "should know better".

I'm sure they know perfectly well, and I'm sure that the decision support HTTPS this way is also an economic and technological decision. /. is a business, not a charity, and not a public service (although it provides public service as part of its business model). If /. advertised itself _primarily_ as a forum for free, uncensored speech or a forum for communicating with people in less free circumstances then it's a fair cop.

It's one thing to suggest /. _should_ do this (and I think they should, all things being equal), but it's another to say (or imply) it is wrong for them not to.

On the other hand, like Microsoft, busting on /. is fun and often justified, so I wouldn't mind piling on. They're such insensitive clods!

Re:Does NOT work for Slashdot.org

[ultranova]

/. is a business, not a charity, and not a public service (although it provides public service as part of its business model).

Every time I hear "is is a business, therefore it doesn't have to care about anything besides profit" I turn a little more to the left. Seriously, did CEOs mistake Soviet propaganda as instruction manuals or something?

It's one thing to suggest /. _should_ do this (and I think they should, all things being equal), but it's another to say (or imply) it is wrong for them not to.

If it's not wrong for them to not do something, then why should they do it?

Re:Does NOT work for Slashdot.org

[FriendlyLurker]

It's one thing to suggest /. _should_ do this (and I think they should, all things being equal), but it's another to say (or imply) it is wrong for them not to.

You might be right. However we do not have to look far (e.g "Thailand Shuts Down 43,000 More Websites", or "FBIs Facebook Monitoring Leads To Arrest In England" both a few stories back) - to see that social network sites like /. are being sniffed, scanned, intercepted and profiles built up for normal citizens all around the world. 43,000 Websites have been shutdown or blocked in Thailand, and it would be naive to think they wouldn' also t sniff plain-text posted on those websites from Thai based IP's to identify problematic Thai citizens, who now may be on government watch list's - just waiting for a visit from local authorities, firing from Gov departments, or any other manner of persecution the regime see's fit to deal out.

It might not be Slashdot's job or responsibility to offer even the most minimum technological security https offers to users - but it may reflect pretty poorly on Slashdot as a technology orientated social networking site - if they do not set a good example in the proper use of technology, who will?

Re:Does NOT work for Slashdot.org

[jesset77]

If it's not wrong for them to not do something, then why should they do it?

Wait.. Let me make sure I'm getting your double negatives straight here. Are you saying that the amorality of an inaction robs motive from the corresponding action? It's not wrong for me to not eat a potato chip right now. So why eat a potato chip? Do I have to be arrested for setting the potato chip down before I can omnom with a clear conscience?

Dewd, your world sux! I am glad I don't live there. ;D

Self-signed certs are vulnerable to MITM

[tepples]

It is not an error to run a site with a self-signed certificate

A man in the middle could insert his own self-signed certificate, decrypting the traffic from your site and reencrypting it with his own key pair, and users would be none the wiser. One workaround is to start your own CA, sign its root certificate with PGP, and distribute that cert to your users to install. But then that starts to depend on the PGP web of trust, which in turn depends on air travel to get keys signed.

Re:Self-signed certs are vulnerable to MITM

[swillden]

It is not an error to run a site with a self-signed certificate

A man in the middle could insert his own self-signed certificate, decrypting the traffic from your site and reencrypting it with his own key pair, and users would be none the wiser.

So that just means that the site isn't secure. Fine. FF shouldn't display the lock icon, or color the address bar. But that's no reason to treat the connection as an error. The appropriate thing to do is to present the site as insecure (which it is), but to go ahead and encrypt the link. Ideally, FF should go one step further and use SSH-style server key history. Silently (or with a small "new key, do you want to accept it?" dialog) accept and use the self-signed certificate, and then puke hard if the certificate ever changes without good reason (i.e. old cert expired or was replaced with a proper certificate).

By making these small changes, browser makers could significantly increase the average security of the web, so that sites that will otherwise have to go with unencrypted HTTP can use HTTPS -- even if MITM attacks are still possible, and if security shouldn't be relied upon, this sort of "opportunistic" encryption can make casual snooping significantly harder. That's a good thing.

Re:Self-signed certs are vulnerable to MITM

[roman_mir]

You are still missing the point. There is no SSL Error, there only needs to be an SSL Warning: self signed certificate.

The users are given certificate numbers as well as user names / temporary passwords. They are instructed to check that the certificate is correct when the browser makes the connection or to install certificate if they can by themselves.

--

Every single person replying to me has completely ignored this issue:

SSLInsecureRenegotiation on

which is a much more important one - regardless of whether the certificate is signed by CA or not, the MITM is still possible and my business model actually fixes this but not technologically, it fixes it operationally.

Nobody is talking about it here at all, looks like they don't get it. IE and earlier FF versions cannot even make the connection unless this flag is on.

Re:Self-signed certs are vulnerable to MITM

[Rich0]

Agreed - security isn't all-or-nothing. It is like having a builder refuse to put a lock on a house door, because the house has windows without bars so the lock is just false security.

By all means the browser should communicate the relative security of a connection, but an ssl connection with a self-signed cert is NO LESS SECURE than a non-ssl connection. The errors generated by a browser would imply that the non-ssl connection is actually more secure. Indeed, if you want to mitm a bank you're probably just best off creating a non-ssl connection with the victim, and relaying the traffic to the bank via ssl. I doubt most users would notice the missing https/etc, and the browser won't given them any warnings, since browser designers treat non-ssl traffic as safe - since it is so ubiquitous.

It is based on NoScript, in fact

From TF (and missing) A:

Our code is partially based on the STS implementation from the groundbreaking NoScript project.

Re:firefox doesn't really make it easy for the use

[Culture20]

But most unfortunate thing about FF is how it treats the self-signed certificates. It shows it as an SSL ERROR, to which exceptions must be made for the user to be able to enter the site. Can FF developers think about this fact for like longer than a second? It is not an error to run a site with a self-signed certificate, it is a configuration choice and it provides an important role to the site: encrypted traffic for login and for the data transferred to and from the client.

Why is FF showing this to the users as an error? This is not an error, this is by design and it is a special case of usage.

Because to verify a self-signed cert, every user has to call the site maintainer on the phone. Self-signed certs or Corporate CAs are great for in-house use where the sysadmins can install the certs for everyone, but since FF can't tell whether your unrecognized cert is being used to just feed html data to a user, or if the user is being asked to enter something confidential, it can't make a distinction between a reasonable use for self-signed and a MitM attempt. Since bad admins had been training people to "just click okay on the cert" for half a decade, FF took their warning up a notch and made people jump through hoops before they succumb to a potential MitM.

facebook

[aneamic]

Am I the only person getting a 'chat is disabled on this page' bubble everywhere when using this plugin on facebook?

Re:facebook

[Culture20]

Facebook's chat feature is http-only. My guess is it was a simple way to keep chat from working on the password reset pages (to prevent chat from stealing focus while typing in a password).

I see two things wrong w/ this...

[HTMLSpinnr]

1. For classic shared hosting solutions using name based hosting, I can almost guarantee if you hit https:///, you're going to hit someone else's virtual host. Many cheap hosting providers w/ limited public IPs will load up domain names on a single IP/Port, but still provide secure hosting to one domain name (on the same port) for shopping cart checkout under a different domain name. Using such a plugin in this use case would not work so well. Then again, would most "smaller sites" really be worthy of encryption in the first place?

2. Not every site is designed w/ the same content root in http vs https. Switching from http to https may completely break if the file structures under the two virtual hosts (potentially entirely separate in Apache) aren't identical (i.e. pointing to the same directory). I'm not touting that this is a best practice, but would be completely feasable if you wanted to keep specific content from being accessed via http and didn't want to bother with mod_rewrite or equivalent.

To the poster above who says there's little CPU penalty for SSL, SSL may not be taxing on the client, but hundreds or thousands of sessions on a server (especially one hosting an app, DB, and Apache) may be another story. Why is someone's assumed paranoid that someone will see that they're reading about cars or home theater equipment on a forum worth requiring a service owner to scale his hardware to the next level to maintain acceptable performance (assuming this phenomenon is multiplied hundred-fold)?

Re:I see two things wrong w/ this...

[HTMLSpinnr]

Woops, that should be https://www.[my lame site].com

Re:I see two things wrong w/ this...

[HTMLSpinnr]

A curious question, that. You're asking what it is worth to the user of a site to justify the demands placed upon the operator of the site. You pose it as "demands upon the server", yet simply visiting a site creates demands upon the server. More people, more demands.

How is asking for HTTPS different from asking for "reasonable page load times", or "video feeds without compression artifacts"? On the user's side, one has little to no influence over (or even knowledge of) OTHER traffic to the site. The answer for the user is, "MY demand on the server is small, what's the problem?".

The only answers on the operator's side are "I want your traffic", or "I don't want your traffic".

The loads on the web server are a bit higher for HTTPS encryption than just passing fat content created by a developer without any common sense of bandwidth consumption.

Now if you're referring to server-side generated content contributing to page load times, then HTTPS isn't helping that provided the same server that is generating is the one doing the encryption.

Re:slashdot, HTTPS please!

[phyrexianshaw.ca]

yeah, because we all need to hide things more and more instead of being responsible for our own actions.

please. there's nothing that goes on on /. that requires encrypted communication.

Re:firefox doesn't really make it easy for the use

[Burz]

Why is FF showing this to the users as an error? This is not an error, this is by design and it is a special case of usage. Who is not frustrated by the browser treating self signed certificates as if they are some sort of a disease? They provide an important role - a way to secure communications between the server and the browser.

It is an error in judgment on Mozilla's part. Their increasing institutional-mindedness is causing them to send users always into the arms of the CAs -- preferably with no exceptions. The mindset has blinded them to the fact that is it a relatively straightforward UI design issue. Speaking of which, if I were in charge at Mozilla the first thing I would change about the cert warning dialog would be to display the server's fingerprint so its immediately in the user's face. Imagine if websites could publicize their fingerprints (say, on their company letterhead, business cards, in a voicemail menu option, etc.) so anyone could verify your self-signed cert with a little effort. That and a more ssh-like cert recognition could enable a revolution in security.

Re:NoScript over-engineered

[djnforce9]

I couldn't agree more with you. I used NoScript for a little while and it was a pain having to whitelist sites one by one as I visited them. For areas I don't trust, I simply can shut off the JavaScript and Flash engine altogether (ESPECIALLY flash which some sites abuse by hosting very loud ads playing horrible music out of nowhere). Also handy for web development when I need to see how a page I am working on responds when someone enters without JavaScript enabled.

Re:slashdot, HTTPS please!

[Peach+Rings]

How about sending your login credentials to the server? That's not encrypted.

mod this guy up

[Sloppy]

How ridiculous is it, that people get their bank's identity vouched for by a third party they have never met and don't know anything about, when the bank could just put up a fingerprint sign in their lobby and on their paper statements? And people say using a CA is more secure, and less vulnerable to MitM? Really?!?

You're not dealing with this right.

[raehl]

It's silly NOT to expect a business to care about anything other than profit. Profit is pretty much the sole determination as to whether a business survives.

And there's nothing wrong with that. Once you ACCEPT that a business should only care about maximizing profit, then you understand how to get a business to operate in an ethical manner: Make it profitable.

You can do that with consumer pressure, laws, taxes, penalties, subsidies, handouts....

So don't get upset that businesses are only interested in profits. Embrace it and make it work for you!

Re:CPU overhead

[Thing+1]

SSL certs cost money

In fact I just researched this, and found a site that sells a cert that 99% of the current browsers accept, for about $70/year (lower when purchased in bulk). Sure, that completely aligns with your statement -- it isn't free -- but your statement sounds more like Jamie Lee Curtis saying "Food costs money, rent costs money, things cost money Louie; you sleep on the couch" than it does "stop buying coffee at Starbucks for a month and it's paid for".