HTTPS Always vs HTTPS Enforcer

Posted: 2022-08-24, 21:37
by fatboy
Good Day Folks.

So I am thinking of using one of these two addons

#1. HTTPS Always or
#2. HTTPS Enforcer.

I want to better understand how each of them works before I can make an informed decision.

My understanding of how each of them works is as follows:
#1. HTTPS Always prefers HTTPS over HTTP and tries to upgrade HTTP to HTTPS, and if the "upgrade" isn't an option it still accepts unencrypted HTTP traffic?
#2. HTTPS Enforcer blocks HTTP traffic, but can also request that HTTP connections be upgraded to HTTPS, and if not block the HTTP connections?

My questions are as follows:
1) Is blocking http traffic a good thing?
2) Which one would yield the most secure browsing experience, and why?
3) Is it better to use both at the same time?

At this point HTTPS Enforcer seems like the better option, but I am unsure?

Thanks

Re: HTTPS Always vs HTTPS Enforcer

Posted: 2022-08-24, 22:34
by RealityRipple
You're not going to find much support for blanket https-ing here; most of the content on the internet has no reason to be transmitted over secure channels. The best argument that can be made for https on websites where you don't have an account would be the potential for man-in-the-middle attacks, which you shouldn't have to worry much about anyway, since they're sites you tend to visit in a "read-only" capacity to begin with. Websites that should be secure tend to already be secure - or as secure as one can expect from web developers. Websites that aren't usually have no reason to be. TBH, your security and privacy can better be served by an adblocker, as ad services do much more harm in their tracking capacities than any malicious attacker or spy ever could.

Re: HTTPS Always vs HTTPS Enforcer

Posted: 2022-08-24, 22:40
by htuyar
Hi,

I'm the maintainer of the HTTPS Enforcer addon.
fatboy wrote:
2022-08-24, 21:37
#2. HTTPS Enforcer blocks HTTP traffic, but can also request that HTTP connections be upgraded to HTTPS, and if not block the HTTP connections?
Yes. It also supports a white list of domains to which HTTP connections will be allowed.
fatboy wrote:
2022-08-24, 21:37
1) Is blocking http traffic a good thing?
With most sites already supporting HTTPS, it's probably not that necessary anymore. It might help with misconfigured sites and it also wouldn't hurt other than causing some inconvenience.
fatboy wrote:
2022-08-24, 21:37
2) Which one would yield the most secure browsing experience, and why?
Being whitelist based and blocking by default, I'd guess HTTPS Enforcer is more "secure". But it also breaks sites which do not support HTTPS. You might get around this by whitelisting any such sites (at least the ones that you use often).
fatboy wrote:
2022-08-24, 21:37
3) Is it better to use both at the same time?
I don't see a scenario where this would make sense.
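
The two behaviours discussed in this thread (upgrade with fallback to plain HTTP, versus upgrade-or-block with a whitelist) can be compared as a decision function. This is an added example, not code from either add-on; the policy names, `decide`, `isWhitelisted`, the subdomain matching rule and the sample hosts are assumptions made for illustration.

```javascript
// Added illustration; not code from HTTPS Always or HTTPS Enforcer.
// Constructed sample data: hosts assumed to answer over HTTPS.
const HTTPS_CAPABLE = new Set(["secure.example", "news.example"]);

// True if host equals a whitelisted domain or is a subdomain of it.
// Prefixing the dot stops "notlegacy.example" matching "legacy.example".
function isWhitelisted(host, whitelist) {
  const h = host.toLowerCase();
  return whitelist.some((entry) => {
    const d = entry.toLowerCase();
    return h === d || h.endsWith("." + d);
  });
}

// policy "prefer":  upgrade when possible, otherwise fall back to HTTP.
// policy "enforce": allow HTTP only for whitelisted hosts; otherwise
//                   upgrade, and block when no upgrade is possible.
function decide(rawUrl, policy, whitelist = []) {
  const url = new URL(rawUrl);
  // HTTPS and non-HTTP schemes are left untouched.
  if (url.protocol !== "http:") {
    return { action: "allow", url: url.href };
  }
  if (policy === "enforce" && isWhitelisted(url.hostname, whitelist)) {
    return { action: "allow-insecure", url: url.href };
  }
  if (HTTPS_CAPABLE.has(url.hostname)) {
    url.protocol = "https:";
    return { action: "upgrade", url: url.href };
  }
  // No HTTPS available: this is where the two policies differ.
  return policy === "enforce"
    ? { action: "block", url: url.href }
    : { action: "allow-insecure", url: url.href };
}

// Constructed requests showing where the outcomes diverge.
const samples = [
  ["http://secure.example/login", "prefer", []],
  ["http://plain.example/", "prefer", []],
  ["http://plain.example/", "enforce", []],
  ["http://forum.legacy.example/", "enforce", ["legacy.example"]],
  ["http://notlegacy.example/", "enforce", ["legacy.example"]],
];
for (const [u, p, w] of samples) {
  console.log(p.padEnd(8), u, "->", decide(u, p, w).action);
}
```
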

Re: HTTPS Always vs HTTPS Enforcer

Posted: 2022-08-24, 22:41
by vannilla
As RealityRipple said, in 2022-almost-2023 you don't need any of those as every site is already HTTPS and those that aren't do so consciously, so if anything you are going to break certain sites and nothing else.

Re: HTTPS Always vs HTTPS Enforcer

Posted: 2022-08-24, 22:56
by htuyar
vannilla wrote:
2022-08-24, 22:41
... as every site is already HTTPS and those that aren't do so consciously ...
Although I generally agree with this, I can't be that confident about every site owner making such decisions consciously and executing them proficiently.

Re: HTTPS Always vs HTTPS Enforcer

Posted: 2022-08-25, 00:38
by Moonchild
htuyar wrote:
2022-08-24, 22:56
I can't be that confident about every site owner making such decisions consciously and executing them proficiently.
If they aren't proficient enough to implement https properly, then you can be doubly-sure they won't do well with you forcing https on them :P

As already said by others, this kind of enforced "https everywhere and always" using client-side manipulation really no longer has a use; its use was even kind of limited when the push for https was still in its infancy.
I strongly advise against using this - you can expect some breakage with no real practical benefit.

Re: HTTPS Always vs HTTPS Enforcer

Posted: 2022-08-25, 14:27
by fatboy
Thank you all for the great comments and feedback. I now understand the web a little better.

I think I will be uninstalling HTTPS Always, and be keeping HTTPS Enforcer for a while, just to see how it operates, but will probably end up uninstalling eventually.

Re: HTTPS Always vs HTTPS Enforcer

Posted: 2022-09-03, 22:54
by 4td8s
vannilla wrote:
2022-08-24, 22:41
As RealityRipple said, in 2022-almost-2023 you don't need any of those as every site is already HTTPS and those that aren't do so consciously, so if anything you are going to break certain sites and nothing else.
not every site out there uses HTTPS

the mozillaZine forum site, for example, still uses HTTP (not HTTPS) and has some issues with HTTPS

Re: HTTPS Always vs HTTPS Enforcer

Posted: 2022-09-03, 23:51
by vannilla
4td8s wrote:
2022-09-03, 22:54
not every site out there uses HTTPS

the mozillaZine forum site, for example, still uses HTTP (not HTTPS) and has some issues with HTTPS
Please re-read what I wrote. Maybe we found a place run by incompetent people, but that does not mean every plain HTTP site is managed by fools in 2022-almost-2023.

Re: HTTPS Always vs HTTPS Enforcer

Posted: 2022-09-04, 00:39
by Moonchild
FTR, several Pale Moon websites are HTTP too (although to shut up whingeing I made them available over HTTPS also, even if HTTPS isn't necessary for public information that doesn't otherwise handle personal information like accounts)