EFForg / https-everywhere

A browser extension that encrypts your communications with many websites that offer HTTPS but still allow unencrypted connections.
https://eff.org/https-everywhere

Rebrand "Block all unencrypted requests" feature #16985

Closed Hainish closed 3 years ago

Hainish commented 5 years ago

Type: other

"Block all unencrypted requests" is a phrase which is overly verbose and hard to reference. We keep on using the BAUR initialism when we don't want to type it out.

I suspect this feature will be used more and more as the web gets better and better HTTPS coverage. To make this feature easily referenceable and neater, I propose we rebrand it to something a bit nicer.

In the past we've used the phrase "HTTP Nowhere Mode", but this isn't properly descriptive since this mode blocks FTP connections now as well.

We will do some user testing on what makes the most intuitive sense for this feature, but I'd like to throw a few options out and see if they float or swim.

  1. Secure-Only Mode
  2. Encrypted-Only Mode
  3. Turbo-Secure Mode
  4. Security Ensured Mode
  5. Encryption Ensured Mode

Before coming up with other options, I was leaning towards (1) as a personal preference. But listing out these options, I actually like (5) the best. Next to any of these options in the drop-down, I'd like some help bubble text saying "This blocks all unencrypted requests" or something that better explains what this does.

cc @zoracon @J0WI @Bisaloo @cschanaj

jsha commented 5 years ago

Part of my mental model for this: I would like to make it easy for people to contact website owners and say "Hi, your website doesn't work in HTTPS Everywhere's , please fix that."

So it should be fairly short, sound very positive so the site owner is like "ooh yeah I should support that," and be reasonably self-explanatory (though it will still need some explanation).

Bisaloo commented 5 years ago

I haven't given too much thought about it but what about "HTTPS only"? Although it may not be 100% technically accurate, that's probably the most intelligible option for non-technical users.

I would be wary of phrases with "secure" because it may give the false (and already way too common) impression that the other party is trustworthy.

For some reason, I like (1) and (2). I don't know why but "XXX-only" options sound better to me. Maybe because it's easier to understand even for non-native speakers (?)

J0WI commented 5 years ago

I just checked and Firefox uses "secure" for HTTPS (if you click on the padlock), but for me security is not only HTTPS.

cschanaj commented 5 years ago

HTTPSE does not block .onion sites in BAUR mode as well, so I guess something like "Encrypted connections only" / "Obfuscated connections only" is more appropriate?

Hainish commented 5 years ago

@cschanaj that's interesting. I don't think it passes the test @jsha has in mind for this, though.

Now I'm starting to lean towards option (2). Thanks @Bisaloo for raising the native speaker point, that should clearly be a priority.

Hainish commented 5 years ago

I'm going to give this till the end of the week until I call it for (2) Encrypted-Only Mode.

jsha commented 5 years ago

Two more contenders:

(6) Full Encryption Mode

(7) Always-On Encryption Mode

Hainish commented 5 years ago

One thing that comes to mind is that Encrypted-Only Mode is abbreviated as EOM, which isn't great.

Hainish commented 5 years ago

In which case I think I'm leaning back towards Encryption Ensured Mode. EEM sounds kinda cool as an abbreviation too. If no one objects by the end of the day tomorrow let's go with EEM! :smile:

Hainish commented 5 years ago

After some internal discussions we've landed on "Encrypt All Sites," which is a reasonable simplification of what we're trying to do. This may lead some to think that even sites that don't have HTTPS will be encrypted, so we're going to include some question-mark in a circle or other tooltip helper to explain exactly what Encrypt All Sites mode does.

Hainish commented 5 years ago

Drafting some tooltip text:

"This will block all unencrypted connections from being made in your browser, and attempt to upgrade all site visits to HTTPS. Sites that do not support HTTPS will not be upgraded, but you will be given the option to disable HTTPS Everywhere for these sites if you wish to access them insecurely."

jsha commented 5 years ago

I think this is good, but we can remove the "block" language since that's explained clearly later in the statement:

"This will attempt to upgrade all requests to HTTPS. Sites that do not support HTTPS will generate an error, but you will have the option to bypass the error for specific sites."

zoracon commented 5 years ago

I like "Encrypt All Sites Eligible" since it provides the context to the user that we will enforce encryption when available and the tooltip will answer the question of what happens when it is not.

Hainish commented 5 years ago

Plus the acronym is "EASE" which is pretty nice!

dr-1 commented 5 years ago

I find "Encrypt All Sites Eligible" confusing (eligible how?). Landed here when trying to find out what's going on with that. Some of the other suggestions above, and even the original phrase, were clearer in my opinion.

jsha commented 5 years ago

Thanks for the feedback, @dr-1! Is it particularly the "eligible" part you find confusing? I.e. would "Encrypt All Sites" be clearer?

dr-1 commented 5 years ago

Yes, "eligible" sounds like the plugin applies some selection criteria to decide whether encryption is used, whereas what this option really does is insist on HTTPS for all connections, if I understand correctly. "Encrypt All Sites" can also lead users to think that the plugin is doing its own encryption, and doing it on all sites regardless of how they are set up. Of course they'll find out that's not the case when an error message comes up about HTTPS being unavailable on a particular site, but why not describe it more accurately from the start. "Block All Unencrypted Requests" said it all. I think "Encrypted-Only Mode", "Encryption Ensured Mode" or "HTTPS Only" do, too.

thwaller commented 5 years ago

I also landed here in an effort to learn what "Encrypt All Sites Eligible" means and does. Oddly, there seems to be no documentation anywhere that explains this in any way. I agree that the ability to say/use "EASE" is nice, but in this case "Block all unencrypted requests" would not have required me to seek a meaning of the feature. I would personally opt for the old name as it was clear, the new is not clear.

Hainish commented 5 years ago

@thwaller thanks for the feedback! We're in the middle of an entire extension redesign, which will include a tooltip (?) right next to the EASE mode label to explain what it does. I agree it's a little obscure and can use some clarification - we're on it!

thwaller commented 5 years ago

@Hainish thanks for the reply. Aside from the tooltip idea, what I was looking for is a getting started type of screen, whether in/from the app or on your web site. Obviously in the app would be ideal, but it would be easier, and faster, to add a segment to the web site. Thanks for the work on this.

tobico commented 4 years ago

Just installed the extension, and I'm finding this option quite confusing. Which sites are eligible, is there a whitelist somewhere? And what does the extension even do if this option isn't enabled? If unencrypted requests are being allowed then I don't have HTTPS everywhere.

Bisaloo commented 4 years ago

Thanks for the feedback! We still definitely need to add the tooltip mentioned in https://github.com/EFForg/https-everywhere/issues/16985#issuecomment-467538523. Hopefully, it will clear things up.

To answer your questions here:

> Which sites are eligible, is there a whitelist somewhere?

All connections are upgraded to HTTPS or blocked, unless there is a specific action from the user ("Open insecure page").

> And what does the extension even do if this option isn't enabled?

Connections are upgraded to HTTPS on all sites where volunteers have checked HTTPS is correctly configured and this does not break the site functionality. This guarantee does not exist with EASE (if the website manager configured HTTPS but not correctly, you might have issues, such as videos not playing, etc.)

zoracon commented 4 years ago

@tobico If you would like further reading to understand more, scroll down to the "EASE" portion of this post: https://www.eff.org/deeplinks/2018/12/how-https-everywhere-keeps-protecting-users-increasingly-encrypted-web

We realize the language of EASE is a bit confusing, and are working to clear that up with either a language change or, as a last resort, a tooltip.