cassidyjames / ephemeral

A private-by-default, always-incognito browser for elementary OS
https://cassidyjames.com
GNU General Public License v3.0

Force https on websites #68

Open arshubham opened 5 years ago

arshubham commented 5 years ago

It would be best if it is done with an off switch for the session. Smart HTTPS extension for Firefox is a great example.

4jNsY6fCVqZv commented 5 years ago

Hi, that's a good idea! I think Tor uses a built-in HTTPS Everywhere, which I also consider trustworthy. Smart-HTTPS, on the other hand, doesn't look so well maintained at first glance. But is there even an integrated solution from WebKit? That would be wonderful!

TingPing commented 5 years ago

But is there even an integrated solution from WebKit?

No.

The HTTPS Everywhere approach is simple and Epiphany implements this so it can be copied over (it has a helper library to parse the format (in Vala even I believe)).

There are downsides to that approach though since you have to keep a list of every website known to man in it for it to have good coverage which wastes a ton of memory, has to be maintained, and will never cover all sites.

The Smart HTTPS approach just adds latency but will generally cover more sites and be lighter/easier to maintain. The downside is potential downgrade attacks because WebKitGTK doesn't support HSTS yet (should be done in the release after this one) and when the sites don't use HSTS.

arshubham commented 5 years ago

The Smart HTTPS approach just adds latency but will generally cover more sites and be lighter/easier to maintain. The downside is potential downgrade attacks because WebKitGTK doesn't support HSTS yet (should be done in the release after this one) and when the sites don't use HSTS.

I agree with this. One way to resolve this is to give the user an option to downgrade for the session instead of automatically downgrading, in case any error occurs, and assign responsibility to the user. As more and more websites enable https, it is becoming less of an issue.
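The two approaches discussed above (try https first, keep the user in control of any fallback, and rely on HSTS to rule downgrades out where the site opts in) as an added Python sketch; this is not Ephemeral's or WebKitGTK's code, and the names UpgradePolicy, parse_hsts and the sample hosts are assumptions for illustration.

```python
import time
from urllib.parse import urlsplit, urlunsplit

def parse_hsts(header):
    """Parse Strict-Transport-Security into (max_age, include_subdomains); None if invalid."""
    directives = {}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    max_age = directives.get("max-age", "")  # a missing or malformed max-age voids the header
    return (int(max_age), "includesubdomains" in directives) if max_age.isdigit() else None

class UpgradePolicy:
    def __init__(self, now=time.time):
        self.now = now
        self.hsts = {}  # host -> (expires_at, include_subdomains), learned from responses
        self.session_downgrades = set()  # hosts the user chose to load over http this session

    def remember_hsts(self, host, header):
        parsed = parse_hsts(header)
        if parsed and parsed[0] == 0:  # max-age=0 tells the client to forget the host
            self.hsts.pop(host.lower(), None)
        elif parsed:
            self.hsts[host.lower()] = (self.now() + parsed[0], parsed[1])

    def is_hsts_host(self, host):
        labels = host.lower().split(".")
        for i in range(len(labels)):  # the host itself, then each parent domain
            entry = self.hsts.get(".".join(labels[i:]))
            if entry and entry[0] > self.now() and (i == 0 or entry[1]):
                return True
        return False

    def decide(self, url):
        """Return (url_to_load, may_downgrade) for a navigation request."""
        parts = urlsplit(url)
        host = parts.hostname or ""
        pinned = self.is_hsts_host(host)
        if parts.scheme != "http" or (host in self.session_downgrades and not pinned):
            return url, False  # already https, or the user chose http for this session
        # Try https first; only a non-HSTS host may fall back, and only after asking the user
        return urlunsplit(("https",) + tuple(parts[1:])), not pinned

    def allow_downgrade(self, host):
        if self.is_hsts_host(host):
            return False  # an HSTS host is never downgraded, whatever the user clicks
        self.session_downgrades.add(host.lower())
        return True
```

The browser would call remember_hsts on each https response carrying the header, decide before loading, and allow_downgrade only from a user-facing prompt shown after the https attempt fails.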

4jNsY6fCVqZv commented 4 years ago

Meanwhile, WebKitGTK supports HSTS: https://webkitgtk.org/2019/09/09/webkitgtk2.26.0-released.html What new possibilities does this open up for solving this issue and enabling secure connections by default?

janxkoci commented 4 years ago

Maybe this would be worth considering: https://spreadprivacy.com/duckduckgo-smarter-encryption/

They have better coverage than HTTPS Everywhere thanks to the DuckDuckGo web crawler.

cassidyjames commented 4 years ago

@janxkoci they say their list is available under a Creative Commons NonCommercial license… it's unclear if Ephemeral's use would be considered noncommercial since it's a monetized app (even though you can get it for free). Hm.

TingPing commented 4 years ago

The CC is purposefully vague; they use the phrasing "primarily intended for or directed toward commercial advantage or private monetary compensation". I don't think a pay-what-you-want use case has ever been court tested, but I'd probably say it's still against the spirit of the NC clause.

janxkoci commented 4 years ago

against the spirit of the NC clause

I'm not a native speaker, do you mean it would pass or not?

TingPing commented 4 years ago

Only a judge in your jurisdiction can say it passes or not. I think it should probably be avoided.