We have moved to a new Sailfish OS Forum. Please start new discussions there.
70

HTTPS Everywhere support in browser

asked 2014-02-05 11:58:12 +0200

updated 2014-02-06 20:06:40 +0200

EFF has a very nice privacy enhancing add-on for Firefox/Chrome that forces the browser to use encrypted connections whenever they are available, https://www.eff.org/https-everywhere.

Having this as a standard option (of course, selectable by the user in the Settings menu) in the Sailfish browser would be an excellent way to differentiate from those not-so-privacy-friendly competing mobile operating systems. Shouldn't be that hard to have as a normal add-on either (related to question https://together.jolla.com/question/901/proposal-add-support-for-mobile-firefox-add-ons-to-the-sailfish-browser/ )

Manual install (seems to make browsing somewhat wonky including > 100% CPU usage for the browser and links not always working at all):

Blockquote

<em:targetApplication>
  <Description>
<em:id>toolkit@mozilla.org</em:id>
    <em:minVersion>17.0</em:minVersion>
    <em:maxVersion>28.0</em:maxVersion>
  </Description>
</em:targetApplication>

Couldn't find the correct GUID for the sailfish browser, but toolkit@mozilla.org seems to be a wildcard of some sort). Complains it's not compatible with "Nightly 23.0" otherwise

edit retag flag offensive close delete

Comments

Is it possible to install the addon to the browser currently? Does the regular or the android version work in Sailfish browser?

vasavr ( 2014-02-06 01:52:01 +0200 )edit

i have yet to test on sailfish, but on firefox 27 for Android https everywhere works well. What FF version is sailfish browser code based on ?

c.la ( 2014-02-06 11:54:48 +0200 )edit

Mozembed based on Firefox 26. With some trickery some addons from addons.mozilla.org apparently work (long click/open in new tab), which wouldn't work here. unzip and register manually, maybe...

pekkap ( 2014-02-06 12:22:52 +0200 )edit

So 4.0development.15 doesnt work? I wonder how the stable branch or the Android version work.

It is said on their changelog that the Android version provides "Major UI changes for mobile compatibility":

https://www.eff.org/files/Changelog.txt

vasavr ( 2014-02-06 17:10:39 +0200 )edit

Installed 3.5android.0 and I can confirm the add-on works.

vasavr ( 2014-02-12 09:27:53 +0200 )edit

1 Answer

Sort by » oldest newest most voted
6

answered 2014-02-06 22:47:48 +0200

Shnatsel gravatar image

updated 2014-02-15 15:33:19 +0200

Forced HTTPS is indeed an important thing to have because otherwise you can be easily targeted by attacks such as SSLstrip. However, in my experience not all rules in "HTTPS Everywhere" work properly; there's a number of rules that break websites. For example, pastebin.com only provides HTTPS as a paid service but "HTTPS Everywhere" tries to enforce it anyway, and the result is a blank page.

Another open-source Firefox addon that implements forced HTTPS is "Disconnect"; I'm yet to see it break a website after several months of usage. I imagine its lists are not as complete as EFF's, but hey, it doesn't break anything! So if we're adding that, I'd better go with the Disconnect ruleset.

Update:Disconnect now directs desktop users to using HTTPS Everywhere; they are going to introduce the feature on mobile platforms now. Interesting. (source: https://blog.disconnect.me/secure-wi-fi-removed-on-desktop-coming-soon-to-mobile)

edit flag offensive delete publish link more

Comments

Yep, seems they have disabled the pastebin rule as "buggy", but I can see your point. Not advocating anything like this should be on by default for exactly that reason.

Oh, at least "Facebook disconnect" in addition to removing a bunch of tracking cruft (good, unless you want to "Like" news articles, and let FB know what you're reading outside the service), makes it impossible to do micropayments in those stupid, insanely popular FB games :-)

pekkap ( 2014-02-07 10:21:57 +0200 )edit

I'd rather have HTTPS Everywhere as I can trust the sources, I can contribute there myself, and it only does enforcing HTTPS, which is the point here. And its definitely more comprehensive than anything else out there.

Do keep in mind Adblock and many other addons may break sites as well, but its no reason we shouldnt have the possibility of using them.

Also, I dont believe Disconnect would be suitable for use anyway, it's Firefox version is very buggy and its a huge resource hog.

vasavr ( 2014-02-07 18:53:00 +0200 )edit

And as said, the pastebin ruleset is disabled as buggy, so it is a non-issue:

https://www.eff.org/https-everywhere/atlas/domains/pastebin.com.html

With HTTPS Everywhere we can at least start with the fact there's already a mobile version and it works, albeit not well apparently.

Edit: Seems like someone here has already tried installing Disconnect to the browser and it doesnt work:

https://together.jolla.com/question/901/proposal-add-support-for-mobile-firefox-add-ons-to-the-sailfish-browser/#post-id-18072

vasavr ( 2014-02-07 19:08:25 +0200 )edit
Login/Signup to Answer

Question tools

Follow
9 followers

Stats

Asked: 2014-02-05 11:58:12 +0200

Seen: 904 times

Last updated: Feb 15 '14