Open claustromaniac opened 5 years ago
It seems a bit too early to do that without hampering the UX. You should wait for when major browsers mark HTTP as insecure by default (there are flags for it in Firefox and Chromium but defaults only mark pages with password/text fields, respectively)
As of now, I think of HTTPZ as a (potentially) better-coded alternative of Smart HTTPS as it doesn't require whitelists to work properly most of the time. However, if automatic mode was disabled or not recommended by default, the extension would become niche (like NoScript) where it can only spread across "smart" users.
I don't want to set the bar high either but, realistically, there is a lower bound because of the way the extension works. Since it's automatic, the user is expected to whitelist sites when necessary. There is no way around it. The alternative is to use HTTPS Everywhere. That's also part of the reason I didn't bother much making the documentation newbie-friendly, but I want to improve those aspects eventually.
Since I opened this issue I have considered some other ideas, and was planning to sit on this for some more time. Currently, I'm more inclined to just add onboarding and upboarding pages (the pages that open in separate tabs when the extension is installed/updated) presenting users with some basic information and recommending them to turn off the automatic mode, but I'll think some more about it.
I appreciate your input. Thank you.
I don't want to set the bar high either but, realistically, there is a lower bound because of the way the extension works. Since it's automatic, the user is expected to whitelist sites when necessary. There is no way around it. The alternative is to use HTTPS Everywhere. That's also part of the reason I didn't bother much making the documentation newbie-friendly, but I want to improve those aspects eventually.
Well, there is still a difference in adding a single broken site to the whitelist vs getting warnings on every HTTP site.
I think of the automatic mode as a big reason why HTTPZ is "zmart" compared to other similar extensions like this one.
Well, there is still a difference in adding a single broken site to the whitelist vs getting warnings on every HTTP site.
Sure. I was just trying to point out that no matter how low I try to set the bar, it will never be install-it-and-forget-it low (like HTTPS Everywhere), because HTTPZ requires user interaction sooner or later. Also, ideally, users should understand how the extension works well enough to make informed decisions when they set it up - that's what I'm trying to get at here - but I can't hope to teach infosec to full newbies either. So, finding the perfect balance between security and ease of use is a little harder than it seems.
Now that Firefox marks HTTP insecure, this could be continued to be considered.
Also, ideally, users should understand how the extension works well enough to make informed decisions when they set it up - that's what I'm trying to get at here
I would now propose the #43 approach - a permanent button. This is the best way to explain to users what is happening to the current site.
E.g.
explain to users what is happening to the current site
That is beyond the scope of the extension.
It makes sense to inform users any given time HTTPZ does not have to do anything, but informing the precise reason requires additional unnecessary processing, and the extension would not even be able to detect some of those causes (like when another extension redirects the request to HTTPS: there is no way for an extension to know what any other extension is doing, except when the other extension is designed to report its own behavior). It would take additional code complexity that would not even necessarily stand the test of time well (= more maintenance). Not to mention that detecting some interactions would require more permissions.
Fair enough, reporting only HTTPZ status would be fine too.
Related to #8
Here is what I'm thinking:
error.htm
likedon't show me these warnings again
that, when pressed, shows a warning recommending users to leave the Automatic Mode off if they installed the extension recently or if they're connecting over an untrusted network (such as a wifi hotspot)Note that this is only meaningful in automatic mode.
I should remove that statement and instead recommend users not to disable that option unless they understand the consequences.