HTTPS: Everywhere?

You are currently reading a thread in /g/ - Technology

Thread replies: 51
Thread images: 5
File: padlock-40192_640.png (18 KB, 479x640)
Which is better, block HTTP content entirely, or allow HTTPS sites to use it?
(People who are against HTTPS, please, stay out of this thread because I simply don't care about your position. I have already read a lot of your arguments in other threads here, and was not convinced to use HTTP only. Repeating the arguments will not help you on your purpose of convincing me.)

>When does HTTPS Everywhere protect me? When does it not protect me?
>HTTPS Everywhere protects you only when you are using encrypted portions of supported web sites. On a supported site, it will automatically activate HTTPS encryption for all known supported parts of the site (for some sites, this might be only a portion of the entire site). For example, if your web mail provider does not support HTTPS at all, HTTPS Everywhere can't make your access to your web mail secure. Similarly, if a site allows HTTPS for text but not images, someone might be able to see which images your browser loads and guess what you're accessing.
>You can also turn on the "Block all HTTP requests" feature for added protection. Instead of loading insecure pages or images, HTTPS Everywhere will block them outright.
https://www.eff.org/https-everywhere/faq#faq-When-does-HTTPS-Everywhere-protect-me?-When-does-it-not-protect-me?
>>
Unfortunately there are still several sites that I use that don't have HTTPS (for example, thingiverse always warns me about http calls) so I can't restrict it without losing functionality on those sites
>>
Mixed content is not safe, but you can use Firefox settings to prevent HTTP content from being loaded on HTTPS sites.

The question is, do you choose to sacrifice security to make broken sites work, or do you block mixed content, breaking some sites to ensure security?
>>
>>53221768
>The question is, do you choose to sacrifice security to make broken sites work, or do you block mixed content, breaking some sites to ensure security?
Actually I don't choose, I have not installed HTTPS Everywhere yet... I'm planning on what to do after I install.
>>
https everywhere is placebo. first of all there is no difference between http and https. do you really think adding one little letter at the end is going to make things more "secure". get real.
>>
>>53221768
>you can use Firefox settings to prevent HTTP content from being loaded on HTTPS sites
How is that?
>>
File: I don't give a shit.gif (2 MB, 800x450)
>>53222083
>>
>>53222442
// JS, CSS, XHR, Frames
user_pref("security.mixed_content.block_active_content", true);
// Images
user_pref("security.mixed_content.block_display_content", true);
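
Added example, not part of the post above: a sketch of how the two prefs decide which plain-HTTP subresources of an HTTPS page get blocked. The tag-to-category mapping follows the post's comments (treating audio/video as display content is an assumption), and the function name, sample HTML and example.test hosts are constructed for illustration.

```javascript
// Constructed sample page: a mix of http://, https://, protocol-relative and relative URLs.
const SAMPLE_HTML = `
<link rel="stylesheet" href="http://static.example.test/site.css">
<link rel="icon" href="http://static.example.test/favicon.ico">
<script src="//cdn.example.test/app.js"></script>
<script src="http://cdn.example.test/legacy.js"></script>
<img src="http://img.example.test/photo.png">
<img src="/local.png">
<iframe src="https://embed.example.test/widget"></iframe>`;

// Active content can rewrite the page (JS, CSS, frames); display content cannot (images, media).
const ACTIVE = { script: 'src', iframe: 'src', link: 'href' };
const DISPLAY = { img: 'src', audio: 'src', video: 'src' };

// prefs mirrors the two user.js settings: { block_active_content, block_display_content }.
function auditMixedContent(pageUrl, html, prefs) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') return []; // mixed content only exists on HTTPS pages
  const findings = [];
  const tagRe = /<(script|iframe|link|img|audio|video)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    // <link> only counts as active content when it loads a stylesheet
    if (tag === 'link' && !/\brel\s*=\s*["']?stylesheet/i.test(attrs)) continue;
    const attrName = ACTIVE[tag] || DISPLAY[tag];
    const attrRe = new RegExp('(?:^|\\s)' + attrName + '\\s*=\\s*["\']([^"\']+)["\']', 'i');
    const a = attrRe.exec(attrs);
    if (!a) continue;
    let target;
    try {
      // Resolve against the page: "//host/x" and "/x" inherit https and are not mixed content
      target = new URL(a[1], page);
    } catch (e) {
      continue; // unparseable URL, nothing to load
    }
    if (target.protocol !== 'http:') continue;
    const kind = tag in ACTIVE ? 'active' : 'display';
    const blocked = kind === 'active'
      ? Boolean(prefs.block_active_content)
      : Boolean(prefs.block_display_content);
    findings.push({ url: target.href, kind, blocked });
  }
  return findings;
}
```

With both prefs true, as in the post, every plain-HTTP subresource is blocked; with only `block_active_content` true, the image still loads over HTTP and stays visible to anyone on the path.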
>>
>>53222083
kek
>>
I wonder if uMatrix is what you are looking for. HTTPS Everywhere is well worth using because, if possible, it will load HTTPS versions of sites by default and as you noted it has a strict mode option but this does break some sites.

uMatrix will at least let you police connections easier so if you have to use a site that needs some HTTP content you can limit where it gets it from. And just because you are allowing only HTTPS connections does not mean they are all good, ad networks are catching on to HTTPS as well now.

Honestly I would recommend using it anyways if you are concerned about security and privacy. Yes, it can be a bit more work to manage.

Also, if you are looking at using HTTPS as a way around people snooping on your traffic on a network you don't trust you are better off using a VPN to protect yourself.
>>
Browsers already do mixed content blocking, so just leave the setting on the default. One day it will make sense to block all non-encrypted traffic, but not today.
>>
>>53224008
>Also, if you are looking at using HTTPS as a way around people snooping on your traffic on a network you don't trust you are better off using a VPN to protect yourself.
No. No. Noooooo. You have to use *both*. https, with or without a VPN, is strictly better than http. If you use a VPN without encrypted connections to the endpoints, you are basically begging for content monitoring or injection, especially if it's a free VPN.

Don't get me wrong, I use a paid VPN (I constantly use university networks, that I don't want to see which sites I visit), but https is FAR more important than the VPN is for almost any threat model I can think of.
>>
>wasting processing, power, time, energy, etc on simple sites that don't need encryption
Siiiiiiiiiiiiiiigh.
>>
>>53224070
All sites need encryption. If the endpoint isn't verified, anyone between you and that endpoint can modify the page content to contain whatever the fuck they want. Say, maybe some malicious javascript. Jesus christ what did you people do during all of 2011 if it wasn't injecting images of dicks on everyone's traffic at the library or stealing facebook session cookies?
>>
>>53224049
I was not at all suggesting using HTTP over HTTPS (assuming it's available for the sites you want) but that if you were on a guest network and trying to mask your traffic from them then a VPN is more useful than HTTPS is. Sure HTTPS masks the content but it does not mask what sites you are getting it from.
>>
>>53224091
>what did you people do during all of 2011 if it wasn't injecting images of dicks on everyone's traffic at the library or stealing facebook session cookies
Not that.

>I agree with you, though.
>>
>>53224101
You said
>you are better off using a VPN to protect yourself
Which is wrong. Protecting yourself from malicious content injection is always more important than protecting the root domain you are visiting. When could it possibly not be? Again, you can use both, but a VPN will not stop Steve in Bumfuck County from modifying the traffic between your VPN and the endpoint from adding a flash vuln to your page load. https, with or without a VPN, will.
>>
>>53223133
Hm, and how can I deal if the site becomes broken?
>>
>>53224140
Let's be realistic here, assuming you don't use some compromised VPN that is fucking around with your data, what is the chance of somebody altering your data between the site you are visiting and your VPN endpoint?

The reality here is also that not everything on the internet is HTTPS yet, so simply not going to those sites or blocking all mixed content (and possibly breaking half-assed sites) is not always a viable solution. In this case stopping spying or intrusion by the local network owner or ISP, if that is your specific worry, is best fixed by a VPN. Even if you are using HTTPS only then a VPN further limits how much information a local network or ISP can glean from your activity.

So I still stand by IF local network trustworthiness is his biggest issue then a VPN might be a better solution than blocking all non-HTTPS content especially when that might not be viable anyways.

Again, I'm not discouraging the use of HTTPS but just recognizing that it does not work everywhere for everything.
>>
>>53224008
>And just because you are allowing only HTTPS connections does not mean they are all good, ad networks are catching on to HTTPS as well now.
If the ads are the problem, it's easier to use AdBlock, isn't it?
>>
>>53224367
uMatrix does a lot more than just ad blocking. Because you get to decide where sites are allowed to request content and what kind of content as well it can stop a lot more tracking activity.

One example is damn near every site has a FB like button or a Twitter share button that are normally content loaded from FB and Twitter hence they can see every single site you go to. Having fine grain control over this can be nice.

Unfortunately with CDNs becoming more and more common you often stumble across broken sites until you allow them to load stuff from their CDN, so while it's a powerful tool it also takes more work than just an ad blocker.
>>
>>53224016
>Browsers already do mixed content blocking
I don't believe that. Can you prove Firefox does?
>>
>>53224476
>One example is damn near every site has a FB like button or a Twitter share button that are normally content loaded from FB and Twitter hence they can see every single site you go to.
>not using Privacy Badger for that
it just werks
>>
>>53224530
Check this page, my Firefox blocks it partially.

https://about.downthemall.net/2.0/
>>
>>53224616
Doesn't the social blocking list in UBO take care of this?
>>
>>53224070

>>53222829
>>
>>53224616
Has that gotten pretty good? I was using Policeman when it first launched and remember hearing the early versions were not that good. I eventually switched to uMatrix since Policeman is kill but completely forgot about Privacy Badger.

Still though, sometimes uMatrix "broken" sites are more useful than fully working ones. They put so much garbage on sites now that if you just want to read a few things on them you are much better off blocking almost everything.
>>
File: from what.jpg (18 KB, 335x413)
>>53221605
>People who are against HTTPS, please, stay out of this thread because I simply don't care about your position. I have already read a lot of your arguments in other threads here, and was not convinced to use HTTP only

Who the fuck would be against https? Not even a privacyfag, mind you, but that's completely retarded.

script kiddies pls
>>
>>53224091
Can you please stop feeding the trolls? I said on the opening post I don't want this discussion here:
>(People who are against HTTPS, please, stay out of this thread because I simply don't care about your position. I have already read a lot of your arguments in other threads here, and was not convinced to use HTTP only. Repeating the arguments will not help you on your purpose of convincing me.)
>>53221605
>>
>>53224616
> using normie privacy software

fucktard. Go get some torrent links while blocking their ads with Adblock Plus and download them with uTorrent.
>>
>>53224476
>One example is damn near every site has a FB like button or a Twitter share button that are normally content loaded from FB and Twitter hence they can see every single site you go to.
Yeah, I know. But I use the like button, and don't have a Twitter account. What I never use is the Facebook comments plugin. But, as it's less common than like buttons, I don't see a reason to mind blocking it.
>>
>>53224719
NSA
>>
>>53224616
>Its purpose is to block advertisements and tracking cookies that do not respect the Do Not Track setting in a user's web browser.
https://en.wikipedia.org/wiki/Privacy_Badger

But I don't even use Do Not Track...
>>
>>53224998
Trusting anyone to honor Do Not Track seems silly, you are far better off enforcing it on your end.
>>
>>53224998
>Do Not Track setting

Doesn't that make you stand out more? I'm using reverse psychology here, asking not to be tracked only would make me want to track you even more.

And you would feel safe while using that setting and won't suspect a thing.
>>
>>53224621
Oh, right! I forgot about this. Thanks.
>>
>>53225045
Think about it this way:
1. You do not enable DNT and every advertiser tracks everything they possibly can about you.
2. You enable DNT and most advertisers still track everything they possibly can about you.

Your line of reasoning seems to make sense at first, but it's not like they can track you /more/ by enabling the setting. They're already tracking everything they can about you. If they were looking for specific things, they can figure those things out without caring about whether you've enabled that setting or not. For example, if you're doing shady things, they already know you're visiting shady websites regardless of your DNT setting (Putting aside other methods of obfuscation)
>>
>>53224664
What is UBO?
>>
>>53225165
uBlock Origin.
>>
>>53224719
See:
>>53224070
>>
File: nistlogo_blue_print_1.jpg (153 KB, 643x284)
>>53221605

You can solve the problem by other means OP. Use an AES 256 bi-directional asymmetrically encrypted 0 knowledge VPN. And before you ask no, the shitty ones you can use for free will not do this for you. There are several paid options that work flawlessly however. You need to familiarize yourself with the following two documents.

http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf

http://csrc.nist.gov/publications/nistpubs/800-77/sp800-77.pdf


>>53222083
>Are you serious dude..

HTTPS is certainly important to use, and I would argue that the vast majority of sites that you will encounter these days will use it. That said, look into network cryptography as this is a very cheap-effective method to secure your traffic, bypass regional content, evade bans, and effect a more secure browsing environment for yourself.
>>
>>53224858
I get torrents, and I use uTorrent. What is the problem?
>>
File: this.png (374 KB, 1822x777)
>>53225375
>>53225401
The problem is that you don't understand how P2P works.

http://computer.howstuffworks.com/bittorrent1.htm

Whenever you enter a swarm you are allowing both your ISP, Peers, and ultimately anyone you seed to know who you are, and what you are torrenting. I hope at this point you can understand why you wouldn't want that.

pic very related. You can look for yourself. When you start a torrent after you've connected, hit peers, and you will see what I am talking about. Pic very related.

This is why you use a good vpn.
>>
>>53225031
I didn't say I trust people will honor Do Not Track, I said I even request them not to track. The Firefox Help warns this can damage my online experience.
>>
>>53225513
Don't take tech advice from those that cannot formulate a sentence.
>>
>>53225459
>your ISP
Technically not if you're using encryption, unless they're part of the swarm.
>>
>>53226429
Let me elaborate, they can tell by the traffic that it is happening. When the DMCA request comes through on a client they will be cooperative, because they are legally obligated to; if/when they receive a subpoena, they will act. If you are using proper encryption they cannot prove it, that was the basis of the point.

>they do it for free
>>
Nigger janitors

c'mon

>They do it for free

Allow text-based content that will never be illegal to post, under any circumstance anonymously (because it would be impossible).

Meaning, under those circumstances, One would forfeit the ability to post images or links (which eliminates the legality issue(s) completely) in response you stop being cucks and allow true anonymity.

Rule 14. the use of scrapers, bots, or other automated posting or downloading scripts is prohibited. Users may also not post from proxies, VPNs, or Tor exit nodes.

How easy that would be to do?
>very

Content must be controlled in certain mediums because of legality, but why not give the user the option.

text only = anonymity
image / links = how it is now
>>
>>53226696
https://www.youtube.com/watch?v=6OEXDmcBoy0
>>
>>53224101
No you need to use both https and vpn.
Because the vpn can be malicious as well, it's encrypted until the endpoint of the vpn, now if you use http the attacker could easily inject into http traffic.
Vpns are not about privacy but only security if you own the hardware + access to the server.