oss-sec mailing list archives
Browser Security Tool: HTTPS Only (Why, How, Open Source, Python)
From: David Leo <httpsonly.github.io () gmail com>
Date: Sun, 14 Feb 2016 22:07:21 -0500
(@moderators The original post was too brief. This one has details.) Summary This tool completely locks browser - just HTTPS, nothing else. This tool is extremely simple - less than 100 lines of code(Python and JavaScript). Why Firefox Add-on Firesheep Brings Hacking to the Masses http://www.pcworld.com/article/208727/Firesheep_Brings_Hacking_to_the_Masses.html "Firesheep is basically a packet sniffer that can analyze all the unencrypted Web traffic" (Quite a while ago, it's become a "casual game") Yes, Mozilla said, "Gradually phasing out access to browser features for non-secure websites", in April 2015. After more than six months, they have done nothing useful. The Chrome team wanted the same stuff: https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure Again, nothing significant has been achieved yet. And there is HTTPS Everywhere, with SO MANY rules: https://www.eff.org/https-everywhere/atlas/ It's still able to access HTTP by default, but there is "Block all HTTP requests". The problem: nothing happens when browser tries HTTP - there should be warning(it's incorrect behavior) and options(try HTTPS, Google Cache, etc). People complained, months ago: https://github.com/EFForg/https-everywhere/issues/1329 How PAC(Proxy auto-config) is used: If it's HTTPS, that's fine. If it's HTTP, user gets warning and options(try HTTPS, Google Cache - it has HTTPS, etc). Anything else, it goes to 0.0.0.0 It's a simple tool that does one job, and does it very well. URLs https://httpsonly.github.io/ https://github.com/httpsonly/httpsonly Best Wishes,
Current thread:
- Browser Security Tool: HTTPS Only (Why, How, Open Source, Python) David Leo (Feb 15)
- Re: Browser Security Tool: HTTPS Only (Why, How, Open Source, Python) Solar Designer (Feb 15)
- Re: Browser Security Tool: HTTPS Only (Why, How, Open Source, Python) gremlin (Feb 15)
- Re: Browser Security Tool: HTTPS Only (Why, How, Open Source, Python) David Leo (Feb 17)