privacytools / privacytools.io

🛡🛠 You are being watched. Protect your privacy against global mass surveillance.
https://www.privacyguides.org
Creative Commons Zero v1.0 Universal
3.11k stars 384 forks source link

✨ Feature Suggestion | HTTPS Everywhere: recommend enabling EASE mode / CSP warning for Firefox webextensions #1292

Open Mikaela opened 5 years ago

Mikaela commented 5 years ago

I happened to notice that I was accessing some sites, even ones that have HTTPS and even on Brave getting, over HTTP.

HTTPS Everywhere has opt-in mode Encrypt All Sites Eligible that seems useful that we could potentially recommend enabling?

Screenshot from 2019-09-11 00-20-58

nitrohorse commented 5 years ago

Great idea! Also as reference, enabling EASE is a toggle:

httpseverywhere

Thorin-Oakenpants commented 5 years ago

This will use a CSP header injection that may or may not work: depending on your other extensions. Since web extensions, when two or more extensions use CSP header injection, only one will win: meaning the other extension(s) will fail to work as designed

some examples: some functions in : uBO, uMatrix, CanvasBlocker

Mikaela commented 5 years ago

Dawidpotocki mentioned that in team chat last night and I have two open questions about it:

https://github.com/ghacksuserjs/ghacks-user.js/wiki/4.1-Extensions

Edit: see also https://github.com/EFForg/https-everywhere/issues/17735 via ghacks-user.js/664 ? Edit2: related: https://github.com/EFForg/https-everywhere/issues/18194 but I don't think that one affects us.

Thorin-Oakenpants commented 5 years ago

Does this issue also affect Chromium

I don't think so: but I'm not an expert on chromium. See https://bugzilla.mozilla.org/show_bug.cgi?id=1462989#c20

gorhill:

... which actually explains why it works with Chromium

blacklight447 commented 5 years ago

maybe we can add this with a trade off warning? I can see quite a few people not using umatrix, and i think most of what canvas blocker does can also be done by turning on resist fingerprinting.

Zenithium commented 4 years ago

maybe we can add this with a trade off warning? I can see quite a few people not using umatrix, and i think most of what canvas blocker does can also be done by turning on resist fingerprinting.

Perhaps you could make an argument for uMatrix and Canvas Blocker, but not uBO. Most people are using uBO and uBO should have priority with CSP. I do not want to encourage undefined behavior with seeing which add-on wins the race. This is especially true in the case with NoScript since it could compromise user security.

ian-tedesco commented 4 years ago

How do you know which one wins then? I have uMatrix, uBlock O and HTTPS E, with EASE mode activated and uM on hard mode, if there's going to be a trade off warning then it should be explained a bit more on that, not simply, "One might win over the other, bye".

Thorin-Oakenpants commented 4 years ago

How do you know which one wins then? .... if there's going to be a trade off warning then it should be explained a bit more on that, not simply, "One might win over the other, bye".

There is no such simple answer as to which one wins. It depends on which order they were loaded by Firefox, and if an extension is updated, it is reloaded, potentially changing the order. Not to mention if a user toggles their extension on/off. Not everyone will get the same results, nor will their results always be consistent. To add to this mess, NoScript should win, because it uses a never ending loop of checking and retrying to make sure it does (just be glad no one else did this)

Feel free to write up a simple explanation for first time users

dngray commented 4 years ago

@Thorin-Oakenpants I have been thinking we might stop listing HTTPS-Everywhere or extensions like this and just instruct people to turn on Firefox 76 gets optional HTTPS-only mode (ghacks).

What are your thoughts on this? It would allow us to also easily close https://github.com/privacytoolsIO/privacytools.io/issues/1326

Thorin-Oakenpants commented 4 years ago

No, https-only-mode is not ready. Maybe it could be ready for ESR78

edit: we were discussing it at https://github.com/ghacksuserjs/ghacks-user.js/issues/932 if you want some more details

dngray commented 4 years ago

No, https-only-mode is not ready. Maybe it could be ready for ESR78

ty, we will keep that in mind.

dngray commented 4 years ago

No, https-only-mode is not ready. Maybe it could be ready for ESR78

Now that 78 is out have you any new thoughts on this?

Thorin-Oakenpants commented 4 years ago

it's nowhere near being ready: still experimental. They only just landed the ability today to use the UI to allow site exceptions (permanent or session only) see https://github.com/arkenfox/user.js/issues/1003#issuecomment-704413469

And then I'm not sure what happens with insecure downloads on secure sites (if you allow an exception and continue on) - I think downloads are treated as a separate item since they're user initiated - but IDK for sure: not deep dived it all (yet)

Also, read this -> https://github.com/arkenfox/user.js/issues/1032#issuecomment-704479070 <-- that's my story/experience - i.e HTTPS-E is fast becoming redundant (but note that I don't allow mixed content: active *and** passive)

dngray commented 4 years ago

They only just landed the ability today to use the UI to allow site exceptions (permanent or session only) see arkenfox/user.js#1003 (comment)

That was a concern is that if someone wanted to temporarily undo this setting, editing about:config is fiddly and annoying.

Maybe for the time being we should continue to recommend https-everywhere (fortunately functional on Fenix builds).

lynn-stephenson commented 4 years ago

I was conducting research on HTTPS Only today, so: First off there is no supplied UI for users, at least for the latest stable FF. Recommending HTTPS Everywhere is the best option until stable Firefox has a built in UI for HTTPS Only.

When HTTPS Only mode is enabled, only HTTPS connections are made on mixed content websites (from the testing I conducted via badssl.com), and non-HTTPS capable connections are simply dropped after attempting several times to connect via HTTPS. No data is sent via POST until the connection is secure, even after acknowledging the warning displayed to the user.

I have not tested all cases (e.g: downloads), but it appears that HTTPS Only works well, with the exception of providing UIs. I could only recommend it as defense in depth for advanced users.


With all of that said, I don't believe you should remove HTTPS Everywhere, especially if adversaries willing to serve you malicious payloads via intercepted non-secured HTTP traffic are part of your threat model.

Thorin-Oakenpants commented 4 years ago

With all of that said, I don't believe you should remove HTTPS Everywhere, especially if adversaries willing to serve you malicious payloads via intercepted non-secured HTTP traffic are part of your threat model

playing devils advocate: unless using EASE mode, HTTPS-E doesn't preclude that

That said, it certainly can't hurt, and the internet has a long way to go, and a very long tail. So yeah, keep it listed. But I think once HTTPS-only mode is done, that it's a more efficient and effective solution - but you need to think of ESR users, so at the earliest, you can't do anything for a year ESR78 is EOL... next ESR is ESR91 and the old one lives for three releases in tandem (4 week cycles) .. so when FF94 lands in about Oct 2021, you can revisit it

!remind me in 1 year :)

dngray commented 3 years ago

@Thorin-Oakenpants

Looks like this feature is now in stable Firefox with UI elements.

https://blog.mozilla.org/security/2020/11/17/firefox-83-introduces-https-only-mode/

I think we could safely assume that it works stably now? We could put a note next to HTTPS-Everywhere that it is only necessary if you have an ESR version of Firefox, and link to that blog article as it is now a part of Firefox.

Thorin-Oakenpants commented 3 years ago

Or you could wait a month and see what happens with the outstanding bugs now it has a UI in stable, and more people will use it. Generally, it should be pretty good to go, but why put some of your readers through hell if say for example, latestsocialmedia craze broke, or lots of times they hit the www issue.. etc

I see on reddit, lots of people were pointing out that they didn't know how to make an exception permanent - so it needs work IMO

lynn-stephenson commented 3 years ago

Agreed. It was just released to the public, and should be given some time before being recommended over HTTPS Everywhere.

Thorin-Oakenpants commented 3 years ago

^^ these two

gary-host-laptop commented 3 years ago

Also I don't see the option to do this on mobile, so I'm guessing this is desktop only for now so HTTPS Everywhere still should be listed for such platform for now.

Mikaela commented 3 years ago

It looks like Arkenfox has enabled it. https://github.com/arkenfox/user.js/commit/91cbc1e09a15c2fb5ad151529712f4326a6b7308