More secure defaults

[claustromaniac]

Related to #8

Here is what I'm thinking:

• flip the default state of the Automatic Mode to false
• add a button or checkbox to error.htm like don't show me these warnings again that, when pressed, shows a warning recommending users to leave the Automatic Mode off if they installed the extension recently or if they're connecting over an untrusted network (such as a wifi hotspot)
• add the same info to the options page for users that installed the extension prior to that update... maybe. I could even use an upboarding page for this but I feel like that would be overdoing it. I didn't make this extension to teach users how to use their heads after all...
  • alternatively, I could flip the Automatic Mode itself to false, not just the default state, but that would definitely annoy (and maybe even offend) a certain number of users. My peace of mind should not matter more than their personal preferences, at least not in this case. Then again, if it's a one-time thing, maybe they'll tolerate it.
• should also reword the option for remembering secure sites. Specifically, the last part, where it says Note that this is only meaningful in automatic mode. I should remove that statement and instead recommend users not to disable that option unless they understand the consequences.

[Madis0]

It seems a bit too early to do that without hampering the UX. You should wait for when major browsers mark HTTP as insecure by default (there are flags for it in Firefox and Chromium but defaults only mark pages with password/text fields, respectively)

As of now, I think of HTTPZ as a (potentially) better-coded alternative of Smart HTTPS as it doesn't require whitelists to work properly most of the time.
However, if automatic mode was disabled or not recommended by default, the extension would become niche (like NoScript) where it can only spread across "smart" users.

[claustromaniac]

I don't want to set the bar high either but, realistically, there is a lower bound because of the way the extension works. Since it's automatic, the user is expected to whitelist sites when necessary. There is no way around it. The alternative is to use HTTPS Everywhere. That's also part of the reason I didn't bother much making the documentation newbie-friendly, but I want to improve those aspects eventually.

Since I opened this issue I have considered some other ideas, and was planning to sit on this for some more time. Currently, I'm more inclined to just add onboarding and upboarding pages (the pages that open in separate tabs when the extension is installed/updated) presenting users with some basic information and recommending them to turn off the automatic mode, but I'll think some more about it.

I appreciate your input. Thank you.

[Madis0]

I don't want to set the bar high either but, realistically, there is a lower bound because of the way the extension works. Since it's automatic, the user is expected to whitelist sites when necessary. There is no way around it. The alternative is to use HTTPS Everywhere. That's also part of the reason I didn't bother much making the documentation newbie-friendly, but I want to improve those aspects eventually.

Well, there is still a difference in adding a single broken site to the whitelist vs getting warnings on every HTTP site.

I think of the automatic mode as a big reason why HTTPZ is "zmart" compared to other similar extensions like this one.

[claustromaniac]

Well, there is still a difference in adding a single broken site to the whitelist vs getting warnings on every HTTP site.

Sure. I was just trying to point out that no matter how low I try to set the bar, it will never be install-it-and-forget-it low (like HTTPS Everywhere), because HTTPZ requires user interaction sooner or later. Also, ideally, users should understand how the extension works well enough to make informed decisions when they set it up - that's what I'm trying to get at here - but I can't hope to teach infosec to full newbies either. So, finding the perfect balance between security and ease of use is a little harder than it seems.

[Madis0]

Now that Firefox marks HTTP insecure, this could be continued to be considered.

Also, ideally, users should understand how the extension works well enough to make informed decisions when they set it up - that's what I'm trying to get at here

I would now propose the #43 approach - a permanent button. This is the best way to explain to users what is happening to the current site.

E.g.

• HTTPZ did not change the connection because the user loaded it over HTTPS.
• HTTPZ did not change the connection because the site uses HSTS and you visited the site before.
• HTTPZ did not change the connection because the site is in browser's HSTS preload list.
• HTTPZ successfully changed the connection to HTTPS.
• HTTPZ tried using the connection over HTTPS, but failed due to error XYZ.
• HTTPZ did not attempt to use HTTPS on this site because it is added to the blacklist by the user.
• etc

[claustromaniac]

explain to users what is happening to the current site

That is beyond the scope of the extension.

It makes sense to inform users any given time HTTPZ does not have to do anything, but informing the precise reason requires additional unnecessary processing, and the extension would not even be able to detect some of those causes (like when another extension redirects the request to HTTPS: there is no way for an extension to know what any other extension is doing, except when the other extension is designed to report its own behavior). It would take additional code complexity that would not even necessarily stand the test of time well (= more maintenance). Not to mention that detecting some interactions would require more permissions.

[Madis0]

Fair enough, reporting only HTTPZ status would be fine too.