Some here use HTTPS Everywhere.
Some avast users do not, because avast does deep scans into http,
and so on https you miss some of that accurate avast malweb protection.
I think I know that DavidR does not enforce HTTPS on http websites for this particular reason.
Correct me if I am wrong.
Anyway it is good to use the atlas to see what mixed content could be considered insecure and is rewritten.
Of course NoScript and RequestPolicy extensions could also help greatly to keep such insecurities at bay.
Like to hear your opinion or get your feedback, my dear forum users…
Thanks Polonus.
I use ‘https everywhere’ and have read similar information.
I view it as an either/or situation. Possibly good in some situations and not in others.
But this is just a comment from someone who is not an expert on such matters.
Thanks for your contributions - schmidthouse and bob3160. What I like about threads like this one is that users can make up their own point of view. The pros and cons can be clearly defined and lined up and one could decide. The https protocol can be a secure one as such, but the mix of secure and insecure content could mean a disadvantage. In that case the http protocol secured is an alternative to be preferred. With pre-scanning, various web rep guideline add-ons, script blocking, the blocking of third party (suspicious or malicious) requests, the added protection of both avast! Web- and Network Shields, Google Safe Browsing, Malware Script Detector and firekeeper (with recent Malware Patrol - Block List - http://www.malwarepatrol.net # List for FireKeeper enabled) and on top the protection of Exploit Shield 0.9.1, I am quite confident I can steer away from harm that could originate from http sites.
I don’t think it is good in any situation. If a site is set to use https then fine, but forcing it everywhere is crazy, as you have totally disabled the web shield’s protection.
That is clear and I cannot but agree with you on these very points. Why degrade the https protocol to sites where it never was meant to be implemented?
And more importantly, avast! shield detection is a main security feature and has saved many a user from getting into contact with malcode by blocking malicious website URIs or blocking connections out to certain infested IPs.
So enforcing https where it should not be done is an overreaction to say the least.
We could take this a step further even. Would you agree when we state that HTTPS Everywhere could mean a clear security risk that should not be taken lightly - a lot of “bogus” HTTPS feel of security which actually as we look into the real protection of it could be termed as “Snake Oil Security”?
I have said the only circumstance where https should be used is for sites that are specifically set up to use https, banking, logon, etc. Under no circumstances do I believe regular http sites should be forced to use https as it degrades the avast protection.
What Kill Evil does is to remove or disable the following annoyances on all pages (except those you whitelist):
oncontextmenu (aka “HOW DO I DISABLED RIGHT CLICK”)
window.print (for “print version” pages that assume you actually want to kill some trees and interrupt you with a dialog)
getSelection and onselectstart/onmousedown (pages that attempt to prevent copying, pop up “definition” links, or even send back everything you select to a tracking server)
oncut/copy/paste (another way pages can try to interfere with your clipboard)
window move/resize functions (no one else should be able to dictate the geometry of your window)
the TARGET attribute on links to open a new tab (I feel very strongly about this one: if I want a new tab, I will click with the middle mouse button or use the context menu. Otherwise, I will not.)
More things if I think of them later/you suggest them
Remember to whitelist sites it may be able to cripple…
Thanks for the link to ScriptSafe. There has been so much here on the forums that added to my security awareness.
Really amazing, and we learn here every day as this is an ongoing security education.
What I like about ScriptSafe is the easy handling.
Your preferred settings are at once synced for all of your Google environment…
The more you think here, the more you realize what an absurd idea HTTPS Everywhere actually is.
Also falls into the realm of false security through obscure HTTPS security settings…
You are welcome, and that is what a good discussion in a thread here should lead to, that is → “gained insight”.
That is why I still hang out here after all these 8 years.
And it is not only others, you also will educate yourself where security issues are concerned.
Conclusion:
As we stand on each other’s shoulders we see more and learn to see more…
What is also neat from ScriptSafe is the RATING on “API dot MyWot dot com” bringing up the WOT results for a blocked resource link.
Very helpful. HTTPS Everywhere is blurring the access to such info…