claustromaniac / httpz

Fat-free hardenable opportunistic encryption for Firefox
https://addons.mozilla.org/firefox/addon/httpz/
GNU General Public License v3.0

"Remember Secure Sites" changes #44

Closed Madis0 closed 4 years ago

Madis0 commented 4 years ago

"Remember Secure Sites" has a warning

Do not disable this unless you know what you're doing!

So what is so bad about it? To me it just seems like speed/storage (privacy) balance: either skip if URL matches a blacklist or retry every time.

Surely it helps when the user is actively being MITMed, but how likely is that?

claustromaniac commented 4 years ago

So what is so bad about it?

Let me turn your question around: what is so bad about the warning?

It says unless you know what you are doing, and you seem to understand the trade-off, so what is the problem?

Do you think I should rephrase it?

Madis0 commented 4 years ago

Yes, I would propose this phrasing, with a clear button next to it:

Every time you navigate to a site that loads successfully over HTTPS, HTTPZ remembers its hostname, so as to avoid redirecting it back to HTTP if it ever fails in the future. That makes the following requests to it faster and minimizes the risk of MitM, however it also means that the hostnames you visit will be automatically saved in this extension's storage.

rusty-snake commented 4 years ago

@claustromaniac does RSS respect PrivateBrowsing? If not it should be added IMHO.

claustromaniac commented 4 years ago

@Madis0

with a clear button next to it

Do you mean the old Forget Secure Sites button? I removed it because it was too easy to click it by accident, and clearing that list is not something anyone should want to do so often as to feel it needs ease of access. I also felt it might have encouraged non-savvy users to clear the list every now and then, which to a great extent would have defeated the purpose of leaving the option enabled in the first place.

As for your proposed description:

That makes the following requests to it faster

That would be a misleading statement, because the difference in speed is in the order of microseconds. Even with old crappy hardware it is not significant.

and minimizes the risk of MitM

That is not technically true, or at least can be misinterpreted. In the event of a MitM attack, what the feature does is it tries to defend against it. In other words: the risk of a MitM attack taking place remains the same, the difference is the extension can thwart certain types of attacks aiming to exploit the extension itself. In that sense, the current description is accurate.

however it also means that the hostnames you visit will be automatically saved in this extension's storage.

That is (or at least I hoped it to be) implied in the first line of the description. For the extension to Remember Secure Sites, it has to save that information somewhere. I'm fine with specifying that it is saved in the local storage though.

Where is the warning though? I thought you wanted to rephrase it, not get rid of it altogether. Explaining how the thing works is ideal, and I tried to do that in the current description, but I did not want to elaborate on the trade-offs right there because the users that explanation would be aimed at would not necessarily understand them, or they may not get a full grasp of their significance, and I wanted to keep the text relatively short.

Careful users that have a decent understanding of security have little use for that feature because they are unlikely to take unnecessary risks to begin with. I get that, but I'm trying to think of other users too: the ones more likely to put themselves at risk. For them, I think this is a pretty good feature, because the amount of memory it uses up (both physical and RAM) is negligible (see https://github.com/claustromaniac/httpz/issues/13#issuecomment-488098354), and the difference in performance is almost non-existent.


@rusty-snake

does RSS respect PrivateBrowsing? If not it should be added IMHO

That is a good point. Currently, it ignores private browsing. I should either change that, or point it out. I'm inclined to just change the behavior. What do you guys think?

Madis0 commented 4 years ago

I also felt it might have encouraged non-savvy users to clear the list every now and then, which to a great extent would have defeated the purpose of leaving the option enabled in the first place.

No matter the form, location or use, it is still a piece of browsing history, in unencrypted form, so it must be as easy as possible to delete it. Don't be like Chrome.

That would be a misleading statement

Fair enough. I was thinking more about Smart HTTPS, which seems to have a larger latency difference.

That is not technically true, or at least can be misinterpreted.

You still only defend against one method of MitM, though.

That is (or at least I hoped it to be) implied in the first line of the description

I think it is worth emphasizing per my first argument above.

Where is the warning though?

I thought of the rephrased paragraph as the warning, which would not need to be red now.

For them, I think this is a pretty good feature, because the amount of memory it uses up (both physical and RAM) is negligible (see #13 (comment)), and the difference in performance is almost non-existent.

Well, it is fine to be opt-out if it is described in the extension description, but even non-careful users might want to prevent their browsing history leakage. Because it is currently a small checkbox with not even the clear button next to it, users could forget it easily but get unexpectedly reminded later (e.g. antivirus checking files and showing contents, a device-wide search finding a key phrase, synced files etc).

Currently, it ignores private browsing. I should either change that, or point it out. I'm inclined to just change the behavior. What do you guys think?

I'd suggest another checkbox for opt-in, as some users may disable global browsing history but still want to get benefit from this.

claustromaniac commented 4 years ago

No matter the form, location or use, it is still a piece of browsing history, in unencrypted form, so it must be as easy as possible to delete it.

Clearing it is still easy, just no longer as easy to do by accident. If you don't believe me, see what happens when you uncheck the checkbox. I mean it: go to the options page, tick the checkbox if it is not already ticked in your setup, and untick it again.

Also, any user that is so concerned about saving that unencrypted information (which is, just for your information, not saved in plaintext but in its own SQLite database), is expected to disable the feature altogether. All it takes is to uncheck a checkbox, and that information is no longer stored anywhere. Ever. It can't get much easier than that.

Don't be like Chrome.

That would be a good motto in general. Even better: Don't be like Google. However, I don't think comparing HTTPZ to Chrome is fair, for many reasons.

You still only defend against one method of MitM, though.

The one method relevant to this extension, and within its reach to thwart.

I think it is worth emphasizing per my first argument above.

I'm OK with that.

I thought of the rephrased paragraph as the warning, which would not need to be red now.

What if a user does not know (and does not care to learn) what MitM attacks are? What if he only understands the downsides of leaving the feature enabled? I wouldn't want to add 10 lines of text in an attempt to teach those concepts to such a user. In contrast, what do users such as yourself lose if I leave that short warning in?

I'd suggest another checkbox for opt-in, as some users may disable global browsing history but still want to get benefit from this.

This feature does not rely on browsing history. It only records the hostname for any given secure site once (as in scheme://hostname/path/path/?searchQuery#hash). All the list contains is unique hostnames, nothing else.

claustromaniac commented 4 years ago

I think I would feel more comfortable removing that warning after implementing #39, because it would be implied that editing those settings is not recommended for everyone.

I didn't decide what options will go there yet, but this one is a good candidate.

rusty-snake commented 4 years ago

What do you guys think?

As you and @Madis0 already say, not writing to disk in PB is a good default. An in-memory list plus read-only use of the one from the disk is fine. Adding an opt-in is maybe also interesting if browser.privatebrowsing.autostart = true and a user wants this protection.
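The behaviour sketched in this thread (hostname-only list, RAM-only entries for private windows that can still read the on-disk list, and unticking the checkbox dropping everything), as an added model that is not HTTPZ's own code. Storage is passed in so it runs outside a browser; in a real extension the persistent map would be backed by browser.storage.local, which is an assumption here, not the project's design.

```javascript
// Constructed model of the "Remember Secure Sites" list discussed in this issue.
// `persistent` stands in for extension storage; `session` is RAM only.
class SecureSiteMemory {
  constructor(persistent = new Map()) {
    this.persistent = persistent;  // survives restarts; one entry per hostname
    this.session = new Set();      // private-browsing hits: never written to disk
    this.enabled = true;           // the "Remember Secure Sites" checkbox
  }

  // Record a site that loaded successfully over HTTPS.
  // Only the hostname is kept: scheme, path, query and fragment are discarded,
  // so the list cannot grow beyond one entry per host.
  remember(url, isPrivate) {
    if (!this.enabled) return false;
    const host = new URL(url).hostname;
    if (isPrivate) {
      this.session.add(host);      // honour private browsing: RAM only
      return true;
    }
    if (!this.persistent.has(host)) this.persistent.set(host, Date.now());
    return true;
  }

  // Lookup used before deciding whether to fall back to HTTP.
  // Private windows may read the on-disk list, they just never add to it.
  isRemembered(url) {
    const host = new URL(url).hostname;
    return this.persistent.has(host) || this.session.has(host);
  }

  // Unticking the checkbox discards the stored hostnames, as described above.
  setEnabled(on) {
    this.enabled = on;
    if (!on) {
      this.persistent.clear();
      this.session.clear();
    }
  }
}
```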

claustromaniac commented 4 years ago

Here's a different idea:

Instead of a separate opt-in specifically for Remember Secure Sites, I'm thinking of adding a global option for honoring Private Browsing that also applies to the ignore list...

Objections? Opinions?

Madis0 commented 4 years ago

How about honoring PB always and adding an option to use RAM/permanent for normal windows? That way the users would still have the benefits as long as their session is open.

claustromaniac commented 4 years ago

Sorry, I don't understand how that is different from what I proposed (other than the phrasing). Care to elaborate?

Madis0 commented 4 years ago

Private mode/private window always uses RAM, normal windows have an option to use RAM or permanent storage. No no-store option this time.

claustromaniac commented 4 years ago

OK, I think I get it now. I think what you're saying would be easier to implement, and maybe it would be easier to understand for end-users (because it would simplify things for them, but I'm just guessing), but it would not cover the use case mentioned by @rusty-snake (i.e. some users may want to browse in PB all the time but still save some of this extension's data to disk).

claustromaniac commented 4 years ago

Just FYI, I implemented the aforementioned option for honoring private browsing in 0.11.0b3, but I still need to do some good testing. I also reworded the description for "Remember Secure Sites", among many other thingies.

claustromaniac commented 4 years ago

@Madis0 and @rusty-snake,

Thank you for the suggestions 🐱