[Pkg-mozext-maintainers] Handling of HTTPS Everywhere updates

Paul Wise pabs at debian.org
Wed Jun 5 08:19:31 UTC 2013


[Off debian-release since it is off-topic]
[Please CC me if you want me to read your mail]

On Wed, Jun 5, 2013 at 3:52 PM, Dmitry Smirnov wrote:

> I'm with you Paul as indeed separating volatile data and the plugin
> code makes perfect sense.

Separating the two into different packages would be even better.

> I doubt the importance of receiving frequent updates to
> "https-everywhere". Surely I do not visit most of the eleven thousand
> web sites covered by its rules and for the small subset of those web
> sites that I visit I'm not sure if I would welcome any sudden and
> unexpected changes introduced by an update.

If you someday decide to visit a random site that happens to have
https in place it would be best if you have the data installed with
it, know that https is available and only use it instead of http.

> There is a lovely "https-everywhere" companion plugin maintained by
> yours truly: "https-finder". It probes any web site for HTTPS and
> allows one to easily create a rule for "https-everywhere". So I can
> control whenever I want HTTPS by default on the sites that I visit
> often and for other web sites there is an automatic HTTPS detection
> which IMHO makes frequent updates to "https-everywhere" not that
> important as long as the latter is accompanied by "https-finder".

I've never been able to get this plugin to prompt me when https was
present. I didn't yet have time to diagnose this issue though.

Aside from that, it is vulnerable to network attackers blocking the
initial HTTPS probes that it sends.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise


