Is it wise to use HTTPS Everywhere or is it a dumb meme?

You are currently reading a thread in /g/ - Technology

Thread replies: 33
Thread images: 3
Is it wise to use HTTPS Everywhere or is it a dumb meme?
>>
>>52045066
>is encryption just a meme?

ffs, this place is getting worse.
>>
How can something even force HTTPS anyway?

Like, if you send secure information from your side, wouldn't the websites server need to be set up to handle it?

>I know shit about networking
>>
>>52045094
It doesn't 'force' https it just keeps a ruleset of which sites have https built in and if it notices you're on one it redirects you to the https version
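The ruleset lookup described in the post above, sketched as an added example that is not part of the original thread and not the extension's own code. The ruleset contents, hostnames and function names are constructed for illustration; the structure (target hosts, exclusion patterns, from/to rewrite rules) is modelled on the HTTPS Everywhere ruleset format.

```javascript
// Constructed ruleset: which hosts it covers, which URLs it must leave alone,
// and how matching http:// URLs are rewritten.
const RULESETS = [
  {
    name: "Example (constructed)",
    targets: ["example.com", "*.example.com"],
    exclusions: [/^http:\/\/static\.example\.com\/legacy\//],
    rules: [
      { from: /^http:\/\/example\.com\//, to: "https://www.example.com/" },
      { from: /^http:/, to: "https:" },
    ],
  },
];

// Match a hostname against a target; a leading "*." covers subdomains only,
// so "notexample.com" never matches "*.example.com".
function hostMatches(host, target) {
  if (target.startsWith("*.")) {
    return host.endsWith(target.slice(1));
  }
  return host === target;
}

// Return the URL the browser should actually request.
function rewrite(url, rulesets = RULESETS) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return url; // not a parseable URL: leave untouched
  }
  if (parsed.protocol !== "http:") return url; // already HTTPS (or another scheme)
  for (const rs of rulesets) {
    if (!rs.targets.some((t) => hostMatches(parsed.hostname, t))) continue;
    if (rs.exclusions.some((re) => re.test(url))) continue;
    for (const rule of rs.rules) {
      // First matching rule wins.
      if (rule.from.test(url)) return url.replace(rule.from, rule.to);
    }
  }
  return url; // no ruleset covers this host: request stays on plain HTTP
}

console.log(rewrite("http://shop.example.com/cart?id=1"));
```

Hosts with no ruleset are returned unchanged, which is why this approach only upgrades sites already known to serve HTTPS.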
>>
>>52045118
Why would a website with HTTPS enabled ever use unsecured HTTP
>>
>>52045089
welcome to /g/, enjoy your stay.
home to indians and 10 year olds
>>
>>52045094
>I know shit about networking
obviously not since you don't even know about "HTTPS Everywhere", especially considering who it was made by...
>>
>>52045126
many sites still do this.

>I have no idea why

The only thing I can think of, is to redirect traffic from port 80 to port 443. This is what I currently do but I do it on an apache level.

i.e. apache has a 301 rule on my non http site that redirects users to the https site.

But I don't have a non-https site that people can access and view
>>
>>52045094
Yes.
Just changing http to https would not always work.
But a lot of sites have both options and the server does not always automatically choose https for you.
>>
>>52045089
Ree
>>
>>52045126
Higher overhead.

If you have a dynamic site with lots of little elements, ssl handshaking can increase load times and server load if it's left as a default-on, even if you cache aggressively.

most sites don't really need it always-on, it's only good when sending confidential information.
>>
>>52045202
but not everything needs to be loaded using ssl.

A lot of sites don't load images or external content via https because of that reason
>>
>>52045089
It's been on a downward spiral for the past few years, and it's getting worse by the day.
>>
>>52045202
>most sites don't really need it always-on, it's only good when sending confidential information.

Every website needs it always-on, if you respect the privacy of your users, you should have it.
>>
>>52045213
Yep, you don't. The things you do decide to encrypt still add latency.

It all depends on what content your site is serving and how much you value your users' privacy.
>>
>>52045253
It's not a legal requirement, if you don't want your data to be sent unencrypted, don't use the site.
>>
it probably doesn't really matter
>>
>>52045066
tinfoil hat syndrome
>>
HTTPS Everywhere as a plugin/addon is a good thing.

Using HTTPS on all websites is retarded, especially with projects like Let's Encrypt. The problem is that protocol – HTTP – is broken. Throwing TLS/SSL on top is not a solution.
Certificates are meant to authorize that the party you are connecting to is trusted (read: paid for their cert). The question is, trusted by whom? There's a high possibility that most root certs are already compromised, most likely by NSA.

For most people HTTPS is just "a padlock next to url" and they think it's secure.

Preferably HTTP should be replaced by something new, secure and less invasive.
>>
>>52045253
>>Every website needs it always-on, if you respect the privacy of your users, you should have it.
most sites' business model is not respecting the privacy of their users
>>
>>52045484
okay m8, gr8 b8
>>
>>52045156
Takes an extra few seconds for that redirect. I can see how some websites who care a lot about performance might not want to sacrifice that time.
>>
>>52045661
any idea on how to do that on a DNS level?
>>
The problem with HTTPS everywhere is not that it's a meme, it's that it uses a shitton of RAM and also that most sites do default to HTTPS these days
>>
>>52045202
Does HTTP/2 implementation also have that overhead? Cause I really don't see any impact, for example here http://http2demo.io
http/1.1 are served via plain http while http/2 served via https and I'm getting picrel on shitty machine.
>>
>>52045677
DNS is not involved in it.
>>
The biggest advantage http offers is the reduction of data by storing the traffic.
>>
>>52045484
>There's a high possibility that most root certs are already compromised

A mitigating fact on this is in the works, in the form of Certificate Transparency.

https://crt.sh

Will show fraudulent certificates that are submitted to the CT log.
>>
>>52046742
>>
I would say by default, you should have HTTPS Everywhere and UBlock Origin. They're very useful and light on resources respectively.

I'd recommend Umatrix and Self Destructing cookies as well. PrivacyBadger is optional and Disconnect is no longer to be trusted.

If you MUST use flash, get Better Privacy.
>>
>>52046837
To add to this, NoScript isn't bad, it's just largely replaced by Umatrix. I think it only has one or two abilities that Umatrix doesn't.
>>
>>52046837
>Disconnect is no longer to be trusted
source?
>>
>>52046837
why would I use privacy badger when I already have ublock origin, umatrix and self destructing cookies. with umatrix being a bit aggressive in its blocking. Is there something that privacy badger does that those 3 extensions don't?
This is a 4chan archive - all of the content originated from them. If you need IP information for a Poster - you need to contact them. This website shows only archived content.