Improving Opportunistic Encryption (OE)

sinfulosd
Apollo supporter
Posts: 34
Joined: 2022-07-13, 03:01

Improving Opportunistic Encryption (OE)

Post by sinfulosd » 2024-11-12, 05:41

I was not aware of this feature being in the browser until I was tampering with the preferences and noticed what it was, and I decided to use it and do some tests with it. The feature looks great. However, I've been testing this feature to see if it would replace my having the HTTPS add-on installed on the browser, and I'm not confident to admit that it can replace it, due to the browser feature missing some key components in comparison to the HTTPS add-ons:
  • If the server doesn't support Upgrade Insecure Requests, then the browser option will do nothing whatsoever. HTTPS Inquirer, somehow, still detects HTTPS availability on non-UIR-supporting servers (I think it's because it additionally has the "Fall back to GET" option of HTTPS detection, if the UIR header is not sent back by the server).
  • The browser option will always send an unencrypted request first, which could be attacked by a MitM. A saved HTTPS Always rule will skip the unencrypted request and prevent this type of attack.
Those 2 key components that exist on the HTTPS-enforcing add-ons and do not exist on the native OE feature are very important to have. Why not implement these 2 QoL changes into the browser feature? :?
Linux Mint 22.1 x64 Cinnamon
Pale Moon 33.8.0, Firefox 140.0, Ungoogled Chromium 138.0

Moonchild
Pale Moon guru
Posts: 38378
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Improving Opportunistic Encryption (OE)

Post by Moonchild » 2024-11-12, 08:32

sinfulosd wrote:
2024-11-12, 05:41
If the server doesn't support Upgrade Insecure Requests, then the browser option will do nothing whatsoever.
That is exactly as-intended. If the server does not support/respond to an OE request then the browser should not decide on its own to change the requested protocol. It's called "opportunistic" for a reason.
sinfulosd wrote:
2024-11-12, 05:41
The browser option will always send an unencrypted request first, which could be attacked by a MitM.
This is what HSTS is for.
sinfulosd wrote:
2024-11-12, 05:41
HTTPS-enforcing addons and do not exist on the native OE feature are very important to have.
Then by all means, if this is very important to have for you, use the HTTPS-enforcing (note the difference between "enforcing" and "opportunistic") add-ons. It's why Pale Moon is extensible.
sinfulosd wrote:
2024-11-12, 05:41
Why not implement these 2 QoL changes into the browser feature? :?
A bit more in-depth in response to this: they are not quality-of-life changes. What you're asking for is bypassing the mechanisms for opportunistic encryption and forcing the protocol to https whenever the server seems to support it (which would require guesswork on the browser's side), and not the server indicating that "Yes, we are OK with this, you can use https if you want for the same request". The same kind of thing goes for HSTS: unless the server indicates they promise a long-term commitment to HTTPS through HSTS headers, you shouldn't lock out http as a protocol for it.
Also, keep in mind that ultimately, these technologies are transitional: they were designed to be used when a website is transitioning from http to https, and explicitly exclude situations where a website provides http and https separately on purpose. These technologies are based on client-server agreement, not enforcement.
"There is no point in arguing with an idiot, because then you're both idiots." - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
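The two points argued in this thread, that the unencrypted-first request in sinfulosd's post is what HSTS exists to avoid, and that a client should only stop sending http once the server has stated a commitment, can be shown with a small model of a browser-side HSTS store following RFC 6797. This is an added example and not Pale Moon's code; the `HstsStore` class, the `demo()` function and the sample `Strict-Transport-Security` headers are constructed for illustration, and the header object is assumed to use lower-cased keys as Node's http module does.

```javascript
// Added example (not Pale Moon code): a minimal browser-side model of HSTS as
// described in RFC 6797, showing why a remembered policy avoids the
// cleartext-first request. Header samples below are constructed for the demo.

function parseSts(headerValue) {
  // Parse a Strict-Transport-Security value into { maxAge, includeSubDomains }.
  // Returns null if the header is invalid (no max-age, or max-age repeated).
  let maxAge = null;
  let includeSubDomains = false;
  for (const raw of headerValue.split(';')) {
    const directive = raw.trim();
    if (directive === '') continue;
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    let value = eq === -1 ? null : directive.slice(eq + 1).trim();
    if (value !== null && value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1); // quoted-string form is permitted
    }
    if (name === 'max-age') {
      if (maxAge !== null || value === null || !/^\d+$/.test(value)) return null;
      maxAge = Number(value);
    } else if (name === 'includesubdomains') {
      includeSubDomains = true;
    }
    // Unknown directives are ignored, as RFC 6797 section 6.1 requires.
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

class HstsStore {
  constructor() {
    this.entries = new Map(); // host -> { expires (ms), includeSubDomains }
  }

  // Record a policy from a response. The header is honoured only when it
  // arrived over TLS (RFC 6797 section 8.1): the server states its commitment
  // on a channel it controls, which is the "agreement" point made above.
  // `headers` is assumed to have lower-cased keys, as Node's http module gives.
  processResponse(host, overTls, headers, now) {
    const value = headers['strict-transport-security'];
    if (!overTls || value === undefined) return false;
    const policy = parseSts(value);
    if (policy === null) return false;
    if (policy.maxAge === 0) {
      this.entries.delete(host); // max-age=0 withdraws the policy
    } else {
      this.entries.set(host, {
        expires: now + policy.maxAge * 1000,
        includeSubDomains: policy.includeSubDomains,
      });
    }
    return true;
  }

  // Is `host` (or a parent domain with includeSubDomains) a known HSTS host?
  // Expired entries are dropped on lookup.
  isKnown(host, now) {
    const labels = host.split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const entry = this.entries.get(candidate);
      if (entry === undefined) continue;
      if (entry.expires <= now) {
        this.entries.delete(candidate);
        continue;
      }
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // Rewrite the URL before the request is built, so a known host never sees
  // an http:// request from this client while the policy is valid.
  rewriteUrl(urlString, now) {
    const url = new URL(urlString);
    if (url.protocol === 'http:' && this.isKnown(url.hostname, now)) {
      url.protocol = 'https:';
    }
    return url.toString();
  }
}

// Walk through the situations discussed in the thread with constructed data.
function demo() {
  const store = new HstsStore();
  const t0 = 1700000000000;
  const hdr = { 'strict-transport-security': 'max-age=31536000; includeSubDomains' };
  const results = {};
  // 1. A policy seen over plain http is ignored, so the next request stays http.
  results.acceptedOverHttp = store.processResponse('example.com', false, hdr, t0);
  results.beforePolicy = store.rewriteUrl('http://example.com/login', t0);
  // 2. The same header over TLS is remembered; later http:// URLs are rewritten
  //    client-side, and includeSubDomains covers www.example.com as well.
  results.acceptedOverTls = store.processResponse('example.com', true, hdr, t0);
  results.afterPolicy = store.rewriteUrl('http://example.com/login', t0 + 1000);
  results.subdomain = store.rewriteUrl('http://www.example.com/', t0 + 1000);
  results.otherHost = store.rewriteUrl('http://other.test/', t0 + 1000);
  // 3. Once max-age has elapsed the client goes back to honouring http.
  results.afterExpiry = store.rewriteUrl('http://example.com/login', t0 + 31536000 * 1000 + 1);
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Run with `node` to print the `demo()` results. The point of the design is in `processResponse` and `rewriteUrl`: nothing is upgraded on a guess, the policy comes only from a header the server sent over TLS, and once recorded the rewrite happens before any request is built, so the cleartext round trip that an on-path attacker could interfere with never occurs for that host until the server's own max-age runs out.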