[tor-bugs] #3971 [EFF-HTTPS Everywhere]: HTTPS-Everywhere does not encrypt all traffic from web site

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Fri Sep 9 20:31:22 UTC 2011


#3971: HTTPS-Everywhere does not encrypt all traffic from web site
----------------------------------+-----------------------------------------
 Reporter:  joyton                |          Owner:  pde
     Type:  defect                |         Status:  new
 Priority:  minor                 |      Milestone:     
Component:  EFF-HTTPS Everywhere  |        Version:     
 Keywords:                        |         Parent:     
   Points:                        |   Actualpoints:     
----------------------------------+-----------------------------------------

Comment(by joyton):

 Good day pde,

 It didn't dawn on me to break the ad requests like that, I'll give it a
 try. After I wrote the AdBlock Plus rules I found ABP does not really
 block the connection with the ad, it merely blocks the loading of the ad
 by Firefox. The way the ABP main dev explained it to me is that ABP is a
 'cosmetic' add-on, not a security add-on, per se. ABP is meant to block
 loading of annoying ads by Firefox, not block connection to said annoying
 ad by Firefox. I can probably find the thread where he and I discussed
 this topic some months ago, if you're interested.

 So it seems like ABP is a no-go with respect to this ticket. That is, even
 with ABP filters in place HTTP (to ads host) is not blocked, the ads are
 merely not shown by Firefox, even though they are really still there. At
 least that is my understanding after contacting the ABP main dev. I could
 be ignorant though ... if so, please enlighten me.

 I'm not sure if it's even possible, but I think it would be useful to have
 some type of setting in HTTPS-Everywhere akin to "block any traffic that
 is not HTTPS for sites with rulesets". Such a global action would probably
 make HTTPS-Everywhere more secure, but may also break some sites by
 blocking connection to off-site hosted ads and images and such. Maybe a
 more fine-grained approach would be better, that is, a site-by-site setting,
 but there are so many sites in HTTPS-Everywhere a site-by-site setting may
 be a non-starter.

 These are just my (slightly) incoherent ramblings, those of someone who is
 not a computer whiz. Thus, please correct me where you see fit. Thanks.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3971#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
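
The setting proposed in the comment above ("block any traffic that is not HTTPS for sites with rulesets"), expressed as per-request decision logic. This is an added example, not part of the original message and not HTTPS Everywhere's own code; the ruleset shape, the host names and the names `RULESETS`, `rewrite` and `decide` are hypothetical.

```javascript
// Added illustration: names and ruleset shape are hypothetical, not HTTPS Everywhere's code.
// Constructed sample ruleset: the hosts it covers and the http:// URLs it can rewrite.
const RULESETS = [{
  name: "Example Shop",
  targets: ["shop.example", "*.shop.example"],
  rules: [{ from: /^http:\/\/(www\.)?shop\.example\//, to: "https://www.shop.example/" }],
}];

// A leading "*." in a target covers any subdomain of the remainder.
function hostMatches(host, target) {
  return target.startsWith("*.") ? host.endsWith(target.slice(1)) : host === target;
}

// Return the ruleset covering a host, or null when the host has none.
function rulesetFor(host) {
  return RULESETS.find(rs => rs.targets.some(t => hostMatches(host, t))) || null;
}

// Return the HTTPS form of an http:// URL if a rule matches it, else null.
function rewrite(href) {
  const rs = rulesetFor(new URL(href).hostname);
  if (!rs) return null;
  const rule = rs.rules.find(r => r.from.test(href));
  return rule ? href.replace(rule.from, rule.to) : null;
}

// Decide the fate of one subresource request issued by a page.
// strict = the proposed setting: on pages whose host has a ruleset,
// plain-HTTP requests that cannot be rewritten are dropped, not sent.
// Both URLs are assumed to be absolute.
function decide(pageUrl, requestUrl, strict) {
  const req = new URL(requestUrl);           // normalizes host case
  if (req.protocol !== "http:") return { action: "allow", url: req.href };
  const secure = rewrite(req.href);
  if (secure) return { action: "rewrite", url: secure };
  const pageCovered = rulesetFor(new URL(pageUrl).hostname) !== null;
  if (strict && pageCovered) return { action: "block", url: null };
  return { action: "allow", url: req.href }; // default: request leaves in cleartext
}
```

With `strict` off, the off-site ad request is allowed over HTTP, which is the behaviour the ticket reports; with it on, the same request is blocked, and so is an image on a covered host that no rule rewrites, which is the site breakage the comment anticipates.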

