HTTPS Everywhere alone or with HTTP Finder?

[Amit]

Hi,

Should I use HTTPS Everywhere alone or should I also use HTTP Finder?

Best Wishes,
ams963

[m00nbl00d]

Does HTTPS Everywhere allow to automatically search for websites supporting HTTPS, and also create the rules? If yes, then no need for HTTP Finder; otherwise, you may want to use them both, unless you're OK with creating the rules manually (if that's how it works; that's how it works in Chrome... ).

[Amit]

Quote:

Originally Posted by m00nbl00d

Does HTTPS Everywhere allow to automatically search for websites supporting HTTPS, and also create the rules? If yes, then no need for HTTP Finder; otherwise, you may want to use them both, unless you're OK with creating the rules manually (if that's how it works; that's how it works in Chrome... ).

then I guess I must use them both......thx a lot

[JackReacher]

I use both, HTTPS everywhere doesn't make it very easy to create new rules but HTTPS finder can break some sites if "automatically enforce HTTPS" is enabled. I have found the perfect compromise to be: Use HTTPS Everywhere in conjunction with HTTPS Finder, But turn off the "automatically enforce HTTPS." In this way, you can use HTTPS everywhere for known HTTPS enabled sites and use HTTPS finder to manually test new sites, once you test them, you can create a HTTPS Everywhere rule easily.

[Lyx]

Quote:

Originally Posted by ams963

Hi,

Should I use HTTPS Everywhere alone or should I also use HTTP Finder?

Best Wishes,
ams963

HttpsEverywhere and Https Finder have different objective,s and are very complementary each others.

0) The main purpose of HttpsEverywhere is not to discover which site are accepting SSL connections. Its main purpose consists in applying SSL rule in order you automatically connects through SSL to any sites belonging to the (ever growing) HttpsEverywhere's database. But HttpsEverywhere in itself doen't fill this db.

1) Https Finder often, (but not always) detects when the site you are visiting accepts SSL connection (few false negative and, it seems, no false positive).

2) When Https Finder detects an SSL connection is possible, it asks you whether or not you want to continue visiting this site through SSL, and whether or not you want to put a SSL rule in the HttpsEverywhere database concerning this site.

3) Notice that for points 0) and 2) you could use noscript instead (option -> advanced -> Https-> behavior). But the couple HttpsEverywhere + HttpsFinder is more convenient.

I don't know nevertheless which is better in security point of view: : HttpsEverywhere (+ Https Finder companion) or Noscript. Thanks to those able to illuminate me concerning this point.

[Amit]

Quote:

Originally Posted by JackReacher

I use both, HTTPS everywhere doesn't make it very easy to create new rules but HTTPS finder can break some sites if "automatically enforce HTTPS" is enabled. I have found the perfect compromise to be: Use HTTPS Everywhere in conjunction with HTTPS Finder, But turn off the "automatically enforce HTTPS." In this way, you can use HTTPS everywhere for known HTTPS enabled sites and use HTTPS finder to manually test new sites, once you test them, you can create a HTTPS Everywhere rule easily.

Thank you very much. I have left HTTPS Finder at default settings.

[Amit]

Quote:

Originally Posted by Lyx

HttpsEverywhere and Https Finder have different objective,s and are very complementary each others.

0) The main purpose of HttpsEverywhere is not to discover which site are accepting SSL connections. Its main purpose consists in applying SSL rule in order you automatically connects through SSL to any sites belonging to the (ever growing) HttpsEverywhere's database. But HttpsEverywhere in itself doen't fill this db.

1) Https Finder often, (but not always) detects when the site you are visiting accepts SSL connection (few false negative and, it seems, no false positive).

2) When Https Finder detects an SSL connection is possible, it asks you whether or not you want to continue visiting this site through SSL, and whether or not you want to put a SSL rule in the HttpsEverywhere database concerning this site.

3) Notice that for points 0) and 2) you could use noscript instead (option -> advanced -> Https-> behavior). But the couple HttpsEverywhere + HttpsFinder is more convenient.

I don't know nevertheless which is better in security point of view: : HttpsEverywhere (+ Https Finder companion) or Noscript. Thanks to those able to illuminate me concerning this point.

Thank you for the detailed explanation. I use both HTTPS Everwhere + HTTPS Finder combo and NoScript together.

One inconvenience is every time HTTPS Finder puts a rule in the HTTPS Everywhere database it prompts to restart Firefox. I mean if I want to keep visiting a thousand websites through an SSL connection then I have to restart Firefox a thousand times for example.

Also, should I use SSL Observatory in HTTPS Everywhere?

[JackReacher]

Quote:

Originally Posted by ams963

Also, should I use SSL Observatory in HTTPS Everywhere?

It looks to me like it was designed with Tor in mind where MITM attacks are more likely. If it looks like a feature you could benefit from I don't see a reason why you shouldn't use it, the EFF is a very trustworthy organization.

[Amit]

Quote:

Originally Posted by JackReacher

It looks to me like it was designed with Tor in mind where MITM attacks are more likely. If it looks like a feature you could benefit from I don't see a reason why you shouldn't use it, the EFF is a very trustworthy organization.

Thanks. Done!

[mag1c]

Can you guys point me to the website's for these plugins please?
HTTPS Everywhere etc...

I already have no-script /adblock plus anything else would be good.

Thank you

[Hungry Man]

https://www.eff.org/https-everywhere

[hashed]

I can see I am a little late to the party on this one, but I use both, and as others have said the HTTP finder is a great compliment to HTTPS Everywhere, especially if you don't like scripting exceptions

~h

[chronomatic]

I use both, but more important than using SSL is actually verifying that there is no MiTM attack. The SSL model is broken right now (CA's cannot be trusted whatsoever -- I could list many examples of breaches). Thus, I recommend another plugin to add to your arsenal called convergence. It attempts to solve the SSL problem by taking the trust away from the CA's and directly into the user's hands.

[hashed]

Quote:

Originally Posted by chronomatic

I use both, but more important than using SSL is actually verifying that there is no MiTM attack. The SSL model is broken right now (CA's cannot be trusted whatsoever -- I could list many examples of breaches). Thus, I recommend another plugin to add to your arsenal called convergence. It attempts to solve the SSL problem by taking the trust away from the CA's and directly into the user's hands.

Thanks very much, this looks similar to a WOT (Web of Trust) concept I will definitely check it out.

~h