Type: query
I've been running with EASE on for a few weeks now. I find the interface simple (get a warning, choose to continue or not) and bug free. Are the development team considering enabling EASE by default? If so, are there any blockers before doing that?
I am considering enabling EASE by default on machines I install. Are there any caveats I should bear in mind?
No, nothing that breaks a significant number of sites is a good default option.
I run EASE by default as well.
A small caveat to keep in mind is that it might make your fingerprint slightly more unique. The browsing pattern of someone running EASE differs quite a lot from someone running the default mode of HTTPS Everywhere (which itself is pretty easy to differentiate from a browser without HTTPS Everywhere).
EASE also sends an additional (and slightly unusual) HTTP header to fix active mixed content issues wherever possible, which increases your uniqueness.
I don't think this is a significant issue for most threat models but it's good to know it.
@Bisaloo I actually wanted Tor Browser to set EASE by default if you set the security slider to "Safest" or possibly even to "Safer". I'm not sure if that's a good idea now, since it would break a lot of websites and make users disable HTTPS Everywhere or add exclusions, which would ultimately hurt them.
@pipboy96 @Bisaloo Thanks for the feedback. Can you give me an example of a broken site? I haven't encountered one, although I'm guessing my browsing habits are narrow.
Regarding exclusions, I wondered how that worked. If I visit http://internetbadguys.com and click through the warning and accept "Disable HTTPS Everywhere on this site?" how long does that exception persist?
I also have some potential feedback on a simpler warning, but I guess that belongs in a separate ticket :D
Trolling aside, there are websites that have different URLs for HTTP and HTTPS, websites that still do not support HTTPS, websites that support HTTPS but have severe mixed content issues, and for each of them you would have to disable HTTPS Everywhere completely if EASE is on (instead of relying on rulesets to upgrade what can be upgraded).
I am considering enabling EASE by default on machines I install. Are there any caveats I should bear in mind?
I can't speak to the project default, but I have been enabling EASE on all machines I configure. I have received no complaints from users, and observed them interact with the interstitial as expected (review choice, make a decision to proceed or back off). My assumption is that they treat it as a browser feature.
For future reference, there is one legitimate use case where EASE can be annoying (but you can whitelist it): captive portal detection. Firefox for example will use http://detectportal.firefox.com/ (always plain HTTP).