HTTPS EVERYWHERE IS A BOTNET

Just to let you people know.

The EFF once supported the notorious wiretapping law known as Communications Assistance for Law Enforcement Act (CALEA):
wired.com/1996/02/digitel/

And they do collect data:
eff.org/de/observatory

They log your IP too and stuff:
eff.org/de/code/privacy/policy

Basically every single HTTPS connection made with it gets sent to the EFF and they use it for their purposes.
>inb4 b-but it's optional!!!
No, it's not, there is no function in the latest version to enable or disable any information transfer to them and here's their stance on it:
>In general, EFF uses the information provided by you to further its mission, including to strengthen Internet security and privacy, defend freedom and innovation, and to protect your rights in the digital world.

On top of that all this shit applies to Privacy Badger which - surprise, surprise - gives you a unique fingerprint on any website you visit, because everyone's heuristic is unique and can be captured by the sites you visit:
trac.torproject.org/projects/tor/ticket/12958

Basically the two privacy addons by the EFF fuck you up even more.

Not sure if Smart HTTPS has the same issues, but it 100% breaks some sites, so I can't really recommend that either.


Fake news

if you're not joking please kill yourself

> The EFF once supported the notorious wiretapping law [...] CALEA
EFF makes a mistake 21 years ago, so what?

> And they do collect data
Opt-in

> They log your IP too and stuff
As does every web server ever

> Basically every single HTTPS connection made with it gets sent to the EFF
Context? Source?

> Privacy Badger [...] gives you a unique fingerprint
Theoretically, but very hard to actually implement. And only worth it if huge numbers of people are using the addon which is not presently true.

> Botnet!!1
> A botnet is a number of Internet-connected devices, each of which is running one or more bots. Botnets can be used to perform distributed denial-of-service attack, steal data, send spam, and allow the attacker access to the device and its connection.

Overall fakenews/10

anyone who uses this white-list garbage is a moron in the first place.

>4MB addon to just include a https in front of my urls

I have my suspicions.

whitelist inside + optional telemetry

Why the fuck is anyone even using this extension? What is wrong with you people?

bbut muh gee told me to use it 7 yers ago so i do...

>Opt-in
>optional telemetry
not him, but on HTTPS Everywhere's webextension I can't see any option to enable or disable the "observatory".

I totally agree that starting with a wired article from fucking 1996 is just a good way to shoot yourself in the foot, no matter what you're arguing

to enforce https connections.

Why not?

>to enforce https connections.
smart https is better. It does it on the fly without needing a packaged whitelist (which is a retarded concept to begin with)

Smart HTTPS will add sites to its blacklist if you can't connect to them because your internet is down. It's shit.

>whitelist inside
whitelist in the form of an sqlite db full of regexes even

the definition of overengineering

if only you could edit the blacklist..
.oh wait!

still better than an overbloated whitelist approach

>enforce HTTPS connections
Are you legitimately retarded? What this extension does is the equivalent of typing https instead of http in the title bar when you're visiting a site that doesn't take security seriously and just generally doesn't give a fuck about encryption.

Any site that actually has strong security uses HSTS and HTTP 301 so you literally don't get a choice between HTTP and HTTPS.

Wow, I get to manually manage my blacklist instead of having a whitelist managed by someone else!

>Sup Forums doesnt take security seriously
what happened bros?

Why the hell would an anonymous website without registration care about MITM?

what kind of dumb cancer thread is this? it's a fucking addon that enforces https connections where available

the telemetry shit is opt-in. what is the problem?

>trusting strangers over yourself
>too lazy to change one line which usually never needs attention unless your internet goes out

There's no need for it anymore.

Sites if they have https they use HSTS/HTTP 301 to autoswitch to https even if you type http

>smart https is better. It does it on the fly without needing a packaged whitelist (which is a retarded concept to begin with)
No, it is not. Attempting https connection on sites that don't support it in the best case slows down your attempted connection and allows for better fingerprinting, in the worst case scenario allows for session hijacking. Moreover, you may add more sites on your own or suggest them to be included. So, yeah, you're the one retarded in here.
>Are you legitimately retarded? What this extension does is the equivalent of typing https instead of http in the title bar when you're visiting a site that doesn't take security seriously and just generally doesn't give a fuck about encryption.
>Any site that actually has strong security uses HSTS and HTTP 301 so you literally don't get a choice between HTTP and HTTPS.
There are a ton of misconfigured sites and a ton of unsafe CSR; moreover, HSTS is still an exception and 301 redirections are not universal. So, yeah, you're the one retarded in here.
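
Added example, not part of the thread and not code from either extension: the replies above disagree on whether sites move visitors to HTTPS by themselves through HSTS and 301 redirects. This sketch classifies a site from the responses to its http:// and https:// URLs; the host names, response objects and category labels are all constructed for illustration.

```javascript
// Constructed probes: what a client would see for http://host/ and https://host/.
// No network access; every host and header value below is made up.
const SAMPLE_PROBES = {
  "enforced.example": {
    http: { status: 301, headers: { Location: "https://enforced.example/" } },
    https: { status: 200, headers: { "Strict-Transport-Security": "max-age=31536000; includeSubDomains" } },
  },
  "redirect.example": {
    http: { status: 301, headers: { Location: "https://redirect.example/" } },
    https: { status: 200, headers: {} },
  },
  // HTTPS works but nothing switches the visitor to it.
  "optional.example": { http: { status: 200, headers: {} }, https: { status: 200, headers: {} } },
  "plain.example": { http: { status: 200, headers: {} }, https: null },
  // HSTS header sent over plain HTTP only: browsers ignore it there (RFC 6797).
  "spoofed.example": {
    http: { status: 200, headers: { "strict-transport-security": "max-age=600" } },
    https: { status: 200, headers: {} },
  },
  // max-age=0 tells the browser to forget any stored policy.
  "cleared.example": {
    http: { status: 308, headers: { location: "https://cleared.example/" } },
    https: { status: 200, headers: { "strict-transport-security": "max-age=0" } },
  },
};

// Parse a Strict-Transport-Security value; returns null if max-age is missing or invalid.
function parseHsts(value) {
  if (typeof value !== "string") return null;
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of value.split(";")) {
    const [rawName, rawVal] = part.split("=");
    const name = rawName.trim().toLowerCase();
    if (name === "max-age") {
      const v = (rawVal || "").trim().replace(/^"|"$/g, "");
      if (!/^\d+$/.test(v)) return null;
      policy.maxAge = Number(v);
    } else if (name === "includesubdomains") {
      policy.includeSubDomains = true;
    } else if (name === "preload") {
      policy.preload = true;
    }
  }
  return policy.maxAge === null ? null : policy;
}

// Case-insensitive header lookup on a constructed response object.
function header(resp, name) {
  if (!resp) return undefined;
  const key = Object.keys(resp.headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : resp.headers[key];
}

// True if the plain-HTTP response is a redirect whose target is an https: URL.
function redirectsToHttps(resp, host) {
  if (!resp || ![301, 302, 307, 308].includes(resp.status)) return false;
  const loc = header(resp, "location");
  if (!loc) return false;
  try {
    return new URL(loc, `http://${host}/`).protocol === "https:";
  } catch {
    return false;
  }
}

// Labels: "hsts" (browser itself refuses HTTP after the first HTTPS visit),
// "redirect-only" (each new visit still starts in plaintext),
// "https-optional" (visitor stays on HTTP unless something rewrites the URL),
// "http-only" (no HTTPS to upgrade to).
function classify(host, probe) {
  if (!probe.https) return "http-only";
  const hsts = parseHsts(header(probe.https, "strict-transport-security"));
  if (hsts && hsts.maxAge > 0) return "hsts";
  if (redirectsToHttps(probe.http, host)) return "redirect-only";
  return "https-optional";
}

for (const [host, probe] of Object.entries(SAMPLE_PROBES)) {
  console.log(host, "->", classify(host, probe));
}
```

Only the "hsts" case removes the plaintext first request on later visits; "redirect-only" and "https-optional" are the cases where a URL-rewriting extension changes what goes over the wire.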

They would be able to associate your posts with your IP address

it's to prevent snooping. I don't want my isp to see what threads I'm in or what I post

What do you mean "trust"? The worst that could possibly happen is HTTPS Everywhere breaking a website, which Smart HTTPS will do far more often on its own.

Sup Forums doesn't auto switch to https

Sup Forums is a shit site. From a technical point of view.

>There are a ton of misconfigured sites and a ton of unsafe CSR; moreover, HSTS is still an exception and 301 redirections are not universal. So, yeah, you're the one retarded in here.
Am I the one visiting insecure sites with a placebo extension? I didn't think so. You just torpedoed yourself. You made yourself appear irredeemably retarded about security, and I expected nothing less. Nobody but a complete retard would use this extension.

Your ISP doesn't give a fuck, and your posts aren't interesting. If they were "interesting" enough to warrant avoiding "snooping", then you'd need tor or another anonymizing network.

Any automatic HTTPS extension is obsolete, it’s not 2010 anymore; more than half the web uses encryption and much of it is mandatory. The fact is an automatic HTTPS extension teaches bad habits like an encrypted website is safe when phishing sites use encryption now. I just can’t rely on these extensions anymore

I don't see the opt-in opt-out anywhere in the extension options, not sure what the heck you guys are talking about.

>You're a pedo because you care about unsafe CSR; moreover you don't know shit about security if you enforce https on sites well-known to adopt https

We're done here. Nothing can bypass Dunning-Kruger.

>Your ISP doesn't give a fuck, and your posts aren't interesting. If they were "interesting" enough to warrant avoiding "snooping", then you'd need tor or another anonymizing network.
that's not the point asshole

>No, it is not. Attempting https connection on sites that don't support it in the best case slows down your attempted connection and allows for better fingerprinting, in the worst case scenario allows for session hijacking. Moreover, you may add more sites on your own or suggest them to be included. So, yeah, you're the one retarded in here.
From which part of my post exactly did you understand me saying that switching to https is bad?

What I said is that using a pre-made whitelist approach to switch to https is bad. An addon that just tries to switch ANY connection to https is much more performant, scalable, and up-to-date.

The decentralized observatory has been totally removed in the new webextension since the new API doesn't support it. See github.com/EFForg/https-everywhere/issues/7389

TL;DR you're in a fake news thread.

Or how about you just change it yourself if it doesn’t auto https

>From which part of my post exactly did you understand me saying that switching to https is bad?
Never implied you suggested anything like that.
>An addon that just tries to switch ANY connection to https is much more performant, scalable, and up-to-date.
No, it's not, and it seems you can't read.

I didn't say anything of that sort, you're projecting your own thoughts on me (I had no idea nor did I ever think for a second that you were a pedo). You're visiting insecure sites with a placebo extension thinking they are secure.

You're also pretending to be hiding from snooping using SSL which is not a barrier to any determined snooper. The purpose of SSL is to avoid harvesting of plaintext passwords by MITM attacks, not to avoid 1984 from seeing what you post on Sup Forums. Any site that supports SSL at all, usually at least SSLs the login even if rest of the site is non-SSL. Which means that the purpose of SSL is fulfilled.

Please for the love of god, stop being horrendously retarded about security you know nothing about.

>Any automatic HTTPS extension is obsolete, it’s not 2010 anymore; more than half the web uses encryption and much of it is mandatory.
statements are proven wrong by counterexamples

Sup Forums is a counterexample: supports https but doesn't switch to it. pardus.at has https as an on/off account setting.

your statement is wrong.

>The fact is an automatic HTTPS extension teaches bad habits like an encrypted website is safe when phishing sites use encryption now.
>thinking anyone is retarded enough to confuse https security for legitimacy
>thinking anyone who does confuse the two is worth the air they breathe

there are a ton of webdevs who forget to insert "//shitty.library.com" and use "shitty.library.com"; https corrects those connections. It's not something showing up in the URL bar.

>why do people write software to automate menial, repetitive, simple tasks when they could just do it manually all 1000 times per day?

SSL on Sup Forums is irrelevant. We don't use accounts here.

>you're projecting your own thoughts on me
"torpedoed", yeah, right. A projection.

>You're also pretending to be hiding from snooping using SSL which is not a barrier to any determined snooper. The purpose of SSL is to avoid harvesting of plaintext passwords by MITM attacks, not to avoid 1984 from seeing what you post on Sup Forums. Any site that supports SSL at all, usually at least SSLs the login even if rest of the site is non-SSL. Which means that the purpose of SSL is fulfilled.

I've already addressed this point, it seems you can't read and it really can't be helped. Fingerprinting, badly configured websites, session hijacking are better taken care of with a whitelist approach than with a dumb "attempt them all" approach.

>Please for the love of god, stop being horrendously retarded about security you know nothing about.
Sadly people who know less about tech and security self-entitle themselves to warn about a totally legit extension like EFF's one and pretend to be smart on concepts they can't grasp. It's Dunning-Kruger, you can't be helped. Best of luck to you

>https doesn't matter on select sites
this is such a wrong attitude about security when said security is of a type that has no drawbacks or even inconvenience

all websites should become https-only and http should be deprecated except for intranet and localhost and stuff desu

How lazy are you

That's full retarded now. Fingerprinting has nothing to do with SSL. I fingerprint people using an SSL website. Jesus, man. Where'd you get that from? In fact, if you have the HTTPS anywhere extension, I can get more fingerprint data on you if I want, which makes your unique browser fingerprint that much more unique. Also, I'm pretty sure that HTTPS anywhere doesn't mandate a content policy to appear on the whitelist, which means any insecure HTTPS site can appear. No matter how badly configured.

BTW I am not advocating for "attempt them all" approach either. I advocate for not using shady as fuck websites that NEED SSL but choose not to deploy it correctly. Sup Forums isn't one of them. Sup Forums does not need SSL.

HTTPS is explicitly designed to avoid snooping of sensitive data by MITM attacks. If your website does not have a login and doesn't deal with sensitive data at all then HTTPS serves no purpose.
In Sup Forums context, yea, you can submit your posts encrypted, but your posts aren't sensitive data. So whether you use HTTPS or not is irrelevant.

>Fingerprinting has nothing to do with SSL
But you're enabling fingerprinting if you attempt unwarranted connection on every single connection your browser makes no matter what and even if the site is well known to not support TLS, fucking idiot.
>In fact, if you have the HTTPS anywhere extension, I can get more fingerprint data on you if I want, which makes your unique browser fingerprint that much more unique.
Completely retarded, with a whitelist only sites known to support TLS will receive a TLS connection. At best you're correcting webdev mistakes like
>Also, I'm pretty sure that HTTPS anywhere doesn't mandate a content policy to appear on the whitelist, which means any insecure HTTPS site can appear. No matter how badly configured.
It corrects every CSR it holds in its whitelist, so again you're the fucking idiot.
>BTW I am not advocating for "attempt them all" approach either. I advocate for not using shady as fuck websites that NEED SSL but choose not to deploy it correctly. Sup Forums isn't one of them. Sup Forums does not need SSL.
Pure idiocy.

Nah, I don't think this conversation warrants further pursuit. You've adequately demonstrated yourself to be completely clueless about online security and if I didn't know better I would assume you're a paid shill for the product in question.

I do know better, so I'm just gonna assume you're an unpaid shill.

Or maybe I don't want my ISP to read my posts? Fucking retard.

>Your ISP doesn't give a fuck, and your posts aren't interesting. If they were "interesting" enough to warrant avoiding "snooping", then you'd need tor or another anonymizing network.

You don't seem to understand how surveillance works.
You snoop all the time on everything without first hand examination and keep it forever just in case you need to look back through or organize it later.

90% of it is junk but...
Storage is dirt cheap and is a good enough reason to keep everything around forever. Juuust in case.

>Nah, I don't think this conversation warrants further pursuit.
This thread doesn't deserve to exist.
>You've adequately demonstrated yourself to be completely clueless about online security and if I didn't know better I would assume you're a paid shill for the product in question.
I've only adequately demonstrated that you're either too idiot to grasp simple concepts or yet another kid shitposting for free.
>I do know better,
Dunning-Kruger again.
>I'm just gonna assume you're an unpaid shill.
That's you. I've detailed arguments, you've constantly shitposted.

lmao your ISP doesn't give a shit you

It does if you enable it in settings.

That's irrelevant. It could be an automated process. There is no reason to not use HTTPS

You haven't made a single argument, buddy. Unless you count calling me retarded an argument. Which it is not.

Doesn't really help your case that you're trying to argue me under the assumption that I'm suggesting some competing placebo extension that does the same shit as HTTPS anywhere only in a more janky way.

>eff.org/de/code/privacy/policy
>This policy describes our privacy practices for the information that's collected and used by EFF software and technology projects, like HTTPS Everywhere, the Decentralized SSL Observatory, or Privacy Badger.

Aaaaaaaaaaaaaaaaaaaand dropped.

>So whether you use HTTPS or not is irrelevant.
You don't have to have data to protect, or information to hide, to use encryption. HTTPS is relevant, because it's the difference between plaintext and not.

>Sup Forums calls out microsoft for (optionally) collecting data
>major freak out
>EFF does it
>i-i-it is optional !!!!!!
really heated my silicons

Which is saved in a cookie, so it gets deleted every time you clear your cookies. The chink jew should really default to HTTPS, but he won't.

Security
>Although we make good faith efforts to store information collected by EFF in a secure operating environment, we cannot guarantee complete security. Information collected by EFF will be maintained for a length of time appropriate to our needs.

>You haven't made a single argument, buddy. Unless you count calling me retarded an argument. Which it is not.
That's you again, I've detailed arguments you can't grasp over three times already. It can't be helped if you keep shitposting and pretending.

opt in and disabled in the webextension, see

That's even worse.

...

I can grasp your arguments, they are made under a false assumption that I'm advocating for a competing extension. Read your own posts sometimes, if you forget what they consist of.

You're an advocate for a placebo extension, I am not an advocate for a placebo extension. You argue against me as if I am, and when I refuse to engage with your stupid strawmen you call me a troll. It's not a complicated scenario. HTTPS anywhere is pointless. So is that other extension you have your panties in a bunch about. Don't visit insecure sites if you have a reason not to.

Because anyone can inject arbitrary scripts?
This is not some rocket science you morons.

>one year ago
>can't do webext currently, because we can't telemetry your shit up
And now it's out as a webext since quite some time. Makes me think.

>Which is saved in a cookie
So it is. But where does the native extension store its data, stuff like pinned threads?

Seriously

Just imagine the implications of forever.
Nothing is temporary.

The fabric net itself weaves a better story of you than the elephants on this site.
At least they grow old and die.

If you send unencrypted communication it is guaranteed vacuumed up by something sitting on the backbone and will be retained and tacked onto a little database entry about (you) for the rest of your life.
Each subsequent privacy slip will deepen the wound and will be used to profile you and increase the accuracy of further correlation.
Even if you trust the people in control of this information, who's to say the next guys won't be awful and use it to violate your rights and extort you.

Six phrases a man has ever said are enough to have him hanged.

I've replied here detailing both why enforcing HTTPS connection on non-suitable sites is despicable and why an addon like EFF's one is commendable. If you claim to be only one of those retards, and not both, I'm sad because this means that there are two fucking idiots out there; more probably, it's just you and your fucking larping personality.
The whole "Don't visit insecure sites" is pure idiocy. Any site can be badly configured and a whitelist at least attempts to sanitize overlooked mistakes by webdev "engineers".

Fake news again, the webextension is out there and with no decentralized telemetry.

NSA sees all your shit anyway. if you want actual anonymity, use tor

>the webextension is out there and with no decentralized telemetry.
Can you prove it? Why should I trust you over their own Privacy statement, explicitly mentioning HTTPS Everywhere in the first sentence?

The code is out there. The github issue has been linked. Can I prove you're not retarded? I'm not sure.

>The github issue has been linked
Outdated and literally irrelevant as of now.

So we have them giving HTTPS Everywhere an optional telemetry option, then removing the option while still mentioning the telemetry for this addon on their own page and you're still in denial? I'm unironically gonna trust the EFF on this one when they called themselves out. You can keep whiteknighting, but the addon maker's words > yours.

>Outdated and literally irrelevant as of now.
No, it's not. You're just a fucking idiot. This is linked as a blocker for the observatory in that very same github issue. bugzilla.mozilla.org/show_bug.cgi?id=1322748

>So we have them giving HTTPS Everywhere an optional telemetry option, then removing the option while still mentioning the telemetry for this addon on their own page and you're still in denial? I'm unironically gonna trust the EFF on this one when they called themselves out. You can keep whiteknighting, but the addon maker's words > yours.
You know that there are multiple versions of Firefox, including ESR and TBB, don't you. You're trying too hard, get a hobby or something.

>use a honeypot network to avoid agencies
This ought to work.

>le tor is a honeypot meme

>. This is linked as a blocker for the observatory in that very same github issue. bugzilla.mozilla.org/show_bug.cgi?id=1322748
Which is completely moot, because they name HTTPS Everywhere, the Decentralized SSL Observatory, or Privacy Badger as three separate things. Which means even with no Observatory shit, HTTPSE and PB collect data.

>You know that there are multiple versions of Firefox, including ESR and TBB, don't you.
So what? They never make any difference in their privacy statement, check it yourself.

>Which is completely moot, because they name HTTPS Everywhere, the Decentralized SSL Observatory, or Privacy Badger as three separate things. Which means even with no Observatory shit, HTTPSE and PB collect data.
You can't be this retarded. HTTPS Everywhere exists as webextensions; it doesn't ship the decentralized observatory since it's fucking impossible to ship it currently. The same API is needed for other extensions' features as well.

>So what?
So you're an idiot. Check the code out.

>Tor isn't paid by governments I like my mental gymnastic

>hurr observatory
What don't you understand about they name HTTPS Everywhere, the Decentralized SSL Observatory, or Privacy Badger as three separate things? There are much easier ways to collect data, see ghostery and tampermonkey, you sheep.

Prove it.

>What don't you understand about they name HTTPS Everywhere, the Decentralized SSL Observatory, or Privacy Badger as three separate things?
Read the fucking upstream bug. The decentralized observatory is a feature of https everywhere except in the webextension version of the addon, because of some limits in the current quantum's API. I won't repeat this again. The same API is shared by other addons for various features, e.g. SSleuth (currently unported in Fx 57). Privacy badger doesn't factor in this discussion at all. The observatory can't exist in the webextension, period. Code is there. Upstream bug blocker is there.
>ghostery and tampermonkey
totally EFF's addons, right. Alright, now fuck off, clown.

I agree with you, however as said there is no setting to check to opt-in in the new web-extension
this means they removed the feature or what?

>Read the fucking upstream bug.
What don't you understand about they name HTTPS Everywhere, the Decentralized SSL Observatory, or Privacy Badger as three separate things? Just because one way to collect data doesn't work properly, doesn't mean no other does either. Which is why their website says
This policy describes our privacy practices for the information that's collected and used by EFF software and technology projects, like HTTPS Everywhere, the Decentralized SSL Observatory, or Privacy Badger.
and not
>that's collected and used by EFF software and technology projects via the Decentralized SSL Observatory.

>totally EFF's addons
Never said they are, but they clearly show the possibilities.

after he lost his virginity to that crackhead prostitute that looks like a man he lost any chad status

>this means they removed the feature or what?
see , >What don't you understand about they name HTTPS Everywhere, the Decentralized SSL Observatory, or Privacy Badger as three separate things
Stop being this fucking dense.
>This policy describes our privacy practices for the information that's collected and used by EFF software and technology projects, like HTTPS Everywhere, the Decentralized SSL Observatory, or Privacy Badger
it's enumerating a set of technologies offered by EFF. The observatory is integrated in https everywhere with an opt-in mechanism up to Fx 57; starting from Fx 57, a fucking API in Fx is lacking.
That page SUMMARIZES the GENERAL privacy policy if you happen to use those products on current and past Fx versions and on different browsers. I even showed you that the new Fx LACKS THE GENERAL ABILITY to phone home in that way and this broke (completely or partially) some addons.

There's no pointers in the code and there's no API enabling to "collect data of unsuspecting users", fucking braindead idiot. Now fuck off and kys thx

You can see what is loaded in the developer tools of your browser by pressing F12: select the Network tab, select the All tab below, then just view the domain column. (no eff.org)
Or you could capture packets with Wireshark (on windows) and sort by protocol (same result)
So yeah, your post is bullshit.

windows will spy on you even if you say no (and the default is all on)
fuck off shill

>the API for the Observatory is broking so no one can collect data in anyway, even if they say so, like the EFF just did!
t. retard

you know extensions are written in js and you can read the code right?
show us where the "botnet" is before spreading FUD

>The core principle of Tor, "onion routing", was developed in the mid-1990s by United States Naval Research Laboratory employees, mathematician Paul Syverson, and computer scientists Michael G. Reed and David Goldschlag, with the purpose of protecting U.S. intelligence communications online. Onion routing was further developed by DARPA in 1997.

That alone is a pretty good indicator that if there are backdoors the government is aware of and actively exploiting them. Not to mention the dozen vulnerabilities that are publicly known and the incident that occurred not too long ago with the pedophile ring. There's no reason to suspect it's any more secure and is just as liable to print a target on your back as using a VPN is.

That's not proof.

while we're at it, what's best, privacy badger or ghostery? are they redundant or complementary?

ghostery sells your info

how about privacy badger and decentraleyes, are they redundant or complementary?

autism-tier tinfoil placebo. all you really need is ublock origin and https everywhere

Decentraleyes is good. It's totally different and prevents you from being tracked through cdn botnets.