HTTPS Always vs HTTPS Enforcer

fatboy
Astronaut
Posts: 556
Joined: 2017-12-19, 08:03
Location: Canada

HTTPS Always vs HTTPS Enforcer

Unread post by fatboy » 2022-08-24, 21:37

Good Day Folks.

So I am thinking of using one of these two addons

#1. HTTPS Always or
#2. HTTPS Enforcer.

I want to better understand how each of them works before I can make an informed decision.

My understanding of how each of them works is as follows:
#1. HTTPS Always prefers HTTPS over HTTP and tries to upgrade HTTP to HTTPS, and if the "upgrade" isn't an option it still accepts unencrypted HTTP traffic?
#2. HTTPS Enforcer blocks HTTP traffic, but can also request that HTTP connections be upgraded to HTTPS, and if not block the HTTP connections?

My questions are as follows:
1) Is blocking http traffic a good thing?
2) Which one would yield the most secure browsing experience, and why?
3) Is it better to use both at the same time?

At this point HTTPS Enforcer seems like the better option, but I am unsure?

Thanks
Systemd Free - MX Linux, Antix Linux & Artix Linux

RealityRipple
Astronaut
Posts: 647
Joined: 2018-05-17, 02:34
Location: Los Berros Canyon, California

Re: HTTPS Always vs HTTPS Enforcer

Unread post by RealityRipple » 2022-08-24, 22:34

You're not going to find much support for blanket https-ing here; most of the content on the internet has no reason to be transmitted over secure channels. The best argument that can be made for https on websites where you don't have an account would be the potential for man-in-the-middle attacks, which you shouldn't have to worry much about anyway, since they're sites you tend to visit in a "read-only" capacity to begin with. Websites that should be secure tend to already be secure - or as secure as one can expect from web developers. Websites that aren't usually have no reason to be. TBH, your security and privacy can better be served by an adblocker, as ad services do much more harm in their tracking capacities than any malicious attacker or spy ever could.

htuyar
Moonbather
Posts: 69
Joined: 2015-09-11, 10:19
Location: Istanbul

Re: HTTPS Always vs HTTPS Enforcer

Unread post by htuyar » 2022-08-24, 22:40

Hi,

I'm the maintainer of the HTTPS Enforcer addon.
fatboy wrote (2022-08-24, 21:37):
> #2. HTTPS Enforcer blocks HTTP traffic, but can also request that HTTP connections be upgraded to HTTPS, and if not block the HTTP connections?

Yes. It also supports a white list of domains to which HTTP connections will be allowed.

fatboy wrote (2022-08-24, 21:37):
> 1) Is blocking http traffic a good thing?

With most sites already supporting HTTPS, it's probably not that necessary anymore. It might help with misconfigured sites and it also wouldn't hurt other than causing some inconvenience.

fatboy wrote (2022-08-24, 21:37):
> 2) Which one would yield the most secure browsing experience, and why?

Being whitelist based and blocking by default, I'd guess HTTPS Enforcer is more "secure". But it also breaks sites which do not support HTTPS. You might get around this by whitelisting any such sites (at least the ones that you use often).

fatboy wrote (2022-08-24, 21:37):
> 3) Is it better to use both at the same time?

I don't see a scenario where this would make sense.
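
As an added illustration (not part of htuyar's post and not code from either add-on), the two behaviours discussed in this thread can be modelled as one decision function. The function names, policy labels, the `httpsWorks` flag, subdomain matching for the whitelist and the sample hostnames are all assumptions.

```javascript
// Added illustration: models the two policies as the thread describes them.
// Not code from HTTPS Always or HTTPS Enforcer; every name here is hypothetical.

// True when host equals a whitelist entry or is a subdomain of one.
// The leading "." stops "notlegacy.example" from matching "legacy.example".
function isWhitelisted(host, whitelist) {
  return whitelist.some((d) => host === d || host.endsWith("." + d));
}

// policy: "upgrade-fallback" (HTTPS Always, as described in the thread) or
//         "block-default"    (HTTPS Enforcer, as described in the thread).
// httpsWorks: whether the site answers over HTTPS (assumed known to the caller).
function decide(rawUrl, policy, whitelist, httpsWorks) {
  const url = new URL(rawUrl);
  // Only plain-HTTP requests are affected by either policy.
  if (url.protocol !== "http:") return { action: "allow", url: url.href };

  // Whitelisted hosts keep plain HTTP under the blocking policy.
  if (policy === "block-default" && isWhitelisted(url.hostname, whitelist)) {
    return { action: "allow", url: url.href };
  }
  if (httpsWorks) {
    url.protocol = "https:"; // same host and path, scheme upgraded
    return { action: "upgrade", url: url.href };
  }
  // No HTTPS available: this is where the two policies differ.
  return policy === "block-default"
    ? { action: "block", url: url.href }  // request never leaves in cleartext
    : { action: "allow", url: url.href }; // cleartext fallback
}

// Constructed sample requests (hostnames are made up).
const whitelist = ["legacy.example"];
const samples = [
  ["http://example.com/a", true],
  ["http://example.com/a", false],
  ["http://forum.legacy.example/", false],
];
for (const [u, ok] of samples) {
  for (const p of ["upgrade-fallback", "block-default"]) {
    console.log(p, u, "httpsWorks=" + ok, "->", decide(u, p, whitelist, ok).action);
  }
}
```

The only row where the outcomes diverge is an un-whitelisted site with no working HTTPS: the fallback policy loads it in cleartext, the blocking policy breaks it.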

vannilla
Moon Magic practitioner
Posts: 2183
Joined: 2018-05-05, 13:29

Re: HTTPS Always vs HTTPS Enforcer

Unread post by vannilla » 2022-08-24, 22:41

As RealityRipple said, in 2022-almost-2023 you don't need any of those as every site is already HTTPS and those that aren't do so consciously, so if anything you are going to break certain sites and nothing else.

htuyar
Moonbather
Posts: 69
Joined: 2015-09-11, 10:19
Location: Istanbul

Re: HTTPS Always vs HTTPS Enforcer

Unread post by htuyar » 2022-08-24, 22:56

vannilla wrote (2022-08-24, 22:41):
> ... as every site is already HTTPS and those that aren't do so consciously ...

Although I generally agree with this, I can't be that confident about every site owner making such decisions consciously and executing them proficiently.

Moonchild
Pale Moon guru
Posts: 35473
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: HTTPS Always vs HTTPS Enforcer

Unread post by Moonchild » 2022-08-25, 00:38

htuyar wrote (2022-08-24, 22:56):
> I can't be that confident about every site owner making such decisions consciously and executing them proficiently.

If they aren't proficient enough to implement https properly, then you can be doubly-sure they won't do well with you forcing https on them :P

As already said by others, this kind of enforced "https everywhere and always" using client-side manipulation really no longer has a use; its use was even kind of limited when the push for https was still in its infancy.
I strongly advise against using this - you can expect some breakage with no real practical benefit.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

fatboy
Astronaut
Posts: 556
Joined: 2017-12-19, 08:03
Location: Canada

Re: HTTPS Always vs HTTPS Enforcer

Unread post by fatboy » 2022-08-25, 14:27

Thank you all for the great comments and feedback. I now understand the web a little better.

I think I will be uninstalling HTTPS Always, and be keeping HTTPS Enforcer for a while, just to see how it operates, but will probably end up uninstalling eventually.

4td8s
Moonbather
Posts: 67
Joined: 2018-08-18, 23:54

Re: HTTPS Always vs HTTPS Enforcer

Unread post by 4td8s » 2022-09-03, 22:54

vannilla wrote (2022-08-24, 22:41):
> As RealityRipple said, in 2022-almost-2023 you don't need any of those as every site is already HTTPS and those that aren't do so consciously, so if anything you are going to break certain sites and nothing else.

not every site out there uses HTTPS

the mozillaZine forum site, for example, still uses HTTP (not HTTPS) and has some issues with HTTPS

vannilla
Moon Magic practitioner
Posts: 2183
Joined: 2018-05-05, 13:29

Re: HTTPS Always vs HTTPS Enforcer

Unread post by vannilla » 2022-09-03, 23:51

4td8s wrote (2022-09-03, 22:54):
> not every site out there uses HTTPS
>
> the mozillaZine forum site, for example, still uses HTTP (not HTTPS) and has some issues with HTTPS

Please re-read what I wrote. Maybe we found a place run by incompetent people, but that does not mean every plain HTTP site is managed by fools in 2022-almost-2023.

Moonchild
Pale Moon guru
Posts: 35473
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: HTTPS Always vs HTTPS Enforcer

Unread post by Moonchild » 2022-09-04, 00:39

FTR, several Pale Moon websites are HTTP too (although to shut up whingeing I made them available over HTTPS also, even if HTTPS isn't necessary for public information that doesn't otherwise handle personal information like accounts)
