Https-everywhere: BUG? or HELP?

Created on 12 May 2018 · 7Comments · Source: EFForg/https-everywhere

Hi!

First, thank you for HTTPSEverywhere (in short "HE").
Second, I don't know if I found a bug, or if it just my ignorance and I need help:

I am using Firefox 61 Beta (latest version). And I have "HE" with default settings.

When I go to http://economia.estadao.com.br/ , "HE" doesn't force the https version of this link (and it has one). "HE" just maintain the http version of this link. So, I decided to use at "HE" the "Block all unencrypted requests" option. Then, yes, it worked, "HE" forced the https version of this link. No problems here.

However, if I use the "Block all unencrypted requests" option, then naturally I can't use http websites. And the problem is that I tried to use the option "Add a rule to this site"... and it didn't work.

For example with: http://www.valor.com.br/
When a press "Add a rule to this site", in "Show advanced" I have:
Rule name: Manual rule for www.valor.com.br
Matching regex: ^http://www.valor.com.br/
Redirect to: https://www.valor.com.br/ (here I changed to http://www.valor.com.br/)
Then I entered "Add new rule for this site".

When I refresh http://www.valor.com.br, the page is still blocked. The rule appears at "HE" icon (menu bar). However, I didn't find my rule at "View All Rules".
I tried with lots of http links I know, and the same, after adding rule, the website is still blocked.

Is this a bug?
Or this is just my ignorance? (I apologize in advance if it my fault).

How do I whitelist http webpages, by using "Block all unencrypted requests" at the same time?

Thank you!

Source

Decopi

All 7 comments

Hey, I couldn't find the type of issue in your description. Can you edit your issue to add this (perhaps referring to the issue template?)

https-everywhere-bot[bot] on 12 May 2018

www.valor.com.br doesn't support HTTPS, I get: "Secure Connection Failed"

Giltyhub on 12 May 2018

👍1

Add rules only for websites that can be accessed with HTTPS

Giltyhub on 12 May 2018

👍1

Hi @Giltyhub , thanks for your answer.

Please, read again my previous post. I know www.valor.com.br is http. Again, I brief my problem:

Lot of webpages appearing as http, are https, and "HE" is not forcing https.
One example is: http://economia.estadao.com.br/.
So, in order to have these webpages forced to https, I had to use at "HE" the "Block all unencrypted requests" option. This solved http://economia.estadao.com.br/ and converted it to https.

Questions:

1) When the "Block all unencrypted requests" option is applied, how do I whitelist http webpages?

2) If I don't use "Block all unencrypted requests", how do I force https in lot of pages (like http://economia.estadao.com.br/) that appear as http? It is impossible to write a rule, because are hundred of webpages appearing as http and they are https.

3) What happens with that pages appearing http, are https, but I am not ware about that? I mean, how can I write a https rule, if the webpage appears http, and I don't know that is a https website?

Decopi on 12 May 2018

Hi @Decopi

You don't need to use the Block all unencrypted requests mode, just add a ruleset for http://economia.estadao.com.br/. Also the http(s) -> http rule won't bypass the block all unencrypted option.

See as well https://www.eff.org/https-everywhere/faq#why-use-a-whitelist-of-sites-that-support-https-why-cant-you-try-to-use-https-for-every-last-site-and-only-fall-back-to-http-if-it-isnt-available

When the "Block all unencrypted requests" option is applied, how do I whitelist http webpages?

You can't as far as I'm aware.

If I don't use "Block all unencrypted requests", how do I force https in lot of pages (like http://economia.estadao.com.br/) that appear as http? It is impossible to write a rule, because are hundred of webpages appearing as http and they are https.

Set "Add a rule to this site" for all those sites.
Open tickets in this github requesting the addition for some sites.

What happens with that pages appearing http, are https, but I am not ware about that? I mean, how can I write a https rule, if the webpage appears http, and I don't know that is a https website?

Well you just try the website with https:// and see if it works out.

Also you don't need to do all this work, there's always going to be HTTP only websites (in the near term, as there are long term efforts to deprecate entirely HTTP) and if you have HTTPS forced for a lot of sites (which is what HTTPS Everywhere does) then that's already great.

Giltyhub on 12 May 2018

👍1

OK @Giltyhub ... finally I understand. Thank you!

After you explanation, sadly I am going to uninstall "HE".

First, it not HTTPS everywhere... it is totally fake!
Websites appearing in HTTP but with HTTPS (like http://economia.estadao.com.br) are not forced by "HE" to appear HTTPS.

Second, "HE" inverted the logic!
At "HE" all webpages should be forced to HTTPS, and if it is not working, then an option to whitelisting HTTP should be available.
Sadly, and based on your explanation, "HE" did the opposite! Every webpage with HTTPS appearing with HTTP, I must add a rule... THIS IS CRAZY! Not to mention the case I presented in my previous comment, where I can be in a HTTPS webpage, but appears as HTTP, and I have not idea that is HTTPS. In this case, I never will be able to add a rule! And I browse hundred of webpages everyday... it will be crazy to add a rule for each HTTPS appearing HTTP. I never will check hundred of webpages everyday. Crazy!

"HE" is a totally overrated extension.
That is the end of the road for me.

Thank you again @Giltyhub !

Decopi on 13 May 2018

@Decopi i understand your frustration but it's impossible for https-everywhere to do the things you mentioned without being immune to many attacks, see the faq

Giltyhub on 26 May 2018

Was this page helpful?

0 / 5 - 0 ratings