Rob--W / https-by-default

Use HTTPS by default for navigations from the location bar in Chrome / Firefox.
MIT License

Load sites over http if https is not available #3

Open rsevat opened 9 years ago

rsevat commented 9 years ago

I'd like to propose a feature: if a website is not available over https, the plugin will automatically load the website over http.

This does, however, have a security implication: active attackers can force you to connect over http by blocking https packets. The risk of this could be mitigated by keeping track of whether sites have been visited successfully over https previously and refusing to accept http in that case.

By having the plugin load pages over http automatically if https is not available, the plugin becomes a lot more convenient to use. I propose making this user configurable so that users can choose their security level.

Alternatively, a shortcut can also be implemented to reload the page with http:// prefixed to the url. With the current behavior, having to type that yourself is not as convenient as it can be.

Another nice addition would be having an extra warning symbol like a red cross in your url bar to draw attention to the fact that the plugin loaded the page over http because https was unavailable.

Rob--W commented 9 years ago

Automatically switching from https to http in case of failure is a bit against the objective of the addon.

But an option to make it slightly easier to switch to "http:" doesn't hurt.

lcharles123 commented 9 years ago

I have encountered some sites that have https but are self-signed; it could then return to http automatically to prevent exception confirmation messages.

Lekensteyn commented 8 years ago

@SINE This extension is only about the location bar, things like CSS are not forced over HTTPS.

A whitelist would indeed be nice, there are some sites I know that are very unlikely to have proper SSL/TLS support.

Geremia commented 8 years ago

@Lekensteyn What do you mean that

@SINE This extension is only about the location bar, things like CSS are not forced over HTTPS.

?

This extension doesn't make HTTPS Everywhere obsolete? HTTPS Everywhere is still required to use HTTPS for sites not accessed by typing the URL in the location bar?

Rob--W commented 8 years ago

@Geremia

This extension doesn't make HTTPS Everywhere obsolete? HTTPS Everywhere is still required to use HTTPS for sites not accessed by typing the URL in the location bar?

Yes, that's right (for now).

The addressbar experiment has been running for a while, and besides this ticket there are no reports/complaints about usability. So I think that I'll add an easy way to (temporarily) switch to HTTP for a specific site, and force https for all other links. When that is implemented, then HTTPS Everywhere is not required any more.

Geremia commented 8 years ago

@sukosevato I think HTTPS Everywhere does this already. The no-longer-maintained HTTPS Finder does this, too.

magicgoose commented 7 years ago

Silent fallback to plaintext would make HTTPS pointless because MitM can just block port 443 and then happily intercept your plaintext data. And if the website uses something like cookies without proper flags or the user is just not paying attention at this moment, their data is pwned.

Rob--W commented 6 years ago

Version 0.4 includes an exception list (empty by default) to allow you to not use https by default for some sites (see the add-on settings page, available at the extension listing in about:addons). That should cover the use cases from this feature request.

Smile4ever commented 5 years ago

@Rob--W For me, it would be useful to have only the "local" top level domain (with a site like https://myapp.company.local) fall back to HTTP when HTTPS is not supported. In fact, it's just upgrading those connections whenever possible.
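
The fallback policy debated in this thread (HTTP fallback only for hosts never seen over HTTPS, refusal when a previously HTTPS-capable host suddenly fails, and an exception list), sketched as an added example that is not part of the original thread and not the extension's own code. `FallbackPolicy`, `decide`, `normalize`, `runScenario` and the `.example` hosts are hypothetical names chosen for illustration.

```javascript
// Added example, not code from https-by-default. All names are hypothetical.
class FallbackPolicy {
  constructor({ allowFallback = false, exceptions = [] } = {}) {
    this.allowFallback = allowFallback;                    // user-chosen security level
    this.exceptions = new Set(exceptions.map(normalize));  // hosts never upgraded
    this.seenHttps = new Set();                            // hosts that loaded over HTTPS before
  }

  // host: hostname typed in the location bar; httpsOk: did the HTTPS attempt load?
  decide(host, httpsOk) {
    const h = normalize(host);
    if (this.exceptions.has(h)) return { scheme: "http", warn: false, reason: "exception-list" };
    if (httpsOk) {
      this.seenHttps.add(h);
      return { scheme: "https", warn: false, reason: "https-ok" };
    }
    if (!this.allowFallback) return { scheme: null, warn: true, reason: "fallback-disabled" };
    // A host that served HTTPS before and now fails may be under an active
    // downgrade attempt (e.g. port 443 blocked), so refuse plaintext.
    if (this.seenHttps.has(h)) return { scheme: null, warn: true, reason: "downgrade-refused" };
    // First contact only: there is no history to compare against, so this path
    // is still exposed to an on-path attacker and must be flagged to the user.
    return { scheme: "http", warn: true, reason: "first-visit-fallback" };
  }
}

// Case and a trailing dot must not let one host count as two.
function normalize(host) {
  return host.trim().toLowerCase().replace(/\.$/, "");
}

// Constructed sample navigations: [host, httpsOk]
function runScenario() {
  const policy = new FallbackPolicy({ allowFallback: true, exceptions: ["legacy.example"] });
  const visits = [
    ["shop.example", true],     // normal HTTPS load, remembered
    ["Shop.Example.", false],   // same host, HTTPS now failing: refused
    ["old.example", false],     // never seen over HTTPS: HTTP with warning
    ["legacy.example", false],  // on the exception list: plain HTTP
  ];
  return visits.map(([host, ok]) => policy.decide(host, ok).reason);
}

console.log(runScenario());
```

The history check only protects hosts already visited over HTTPS; a first visit under this policy remains downgradable, which is why that branch sets `warn`.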