site issue, no http warning (truthinmedia.com)
Closed this issue · 13 comments
FF 67.0.4
httpz 0.8.1
auto mode = off
remember = off
ignore = until FF is restarted
whitelist is empty
load truthinmedia.com, or http://truthinmedia.com and there is no warning
the domain was accessed by my RSS reader prior to this, though i never opened the tab; i clicked 'forget ignored sites' to test again but the behavior was the same
1st time i've seen this
The server at https://truthinmedia.com returns a 301 status code, causing the client to redirect to http://truthinmedia.com
You can confirm this is what's going on with the dev tools (Ctrl+Shift+E). Edit: this can also be confirmed by simply disabling the extension and going to https://truthinmedia.com manually. You'll see then that the one redirecting to http is the server, not this extension.
As per the (shitty) documentation, the extension is meant to respect a server's preference to redirect from https to http, so this is not a bug. It's intended behavior.
Thanks for reporting anyway
ok, notabug, but i wonder if that's what users expect if they have auto-mode disabled? personally, i expected to be hit with the warning
regardless, thanks for your work claustro - you do a great job
> i wonder if that's what users expect if they have auto-mode disabled? personally, i expected to be hit with the warning
I guess that depends on how you interpret the feature and the documentation. The documentation states:
> When you navigate to a site over HTTPS and the servers redirect you to HTTP, the extension notices this and automatically adds that hostname to the list of sites to ignore.
...BUT, to be fair, the documentation is so short that it merely explains how the extension works with the default settings (and the automatic mode is on by default). It does not explicitly state that the extension ignores server-initiated redirections to http regardless of the mode (auto or manual), so I guess some people can assume that behavior is meant to change in manual mode.
The automatic/manual mode setting in the options page states:
> By default, HTTPZ will fall back to HTTP automatically **on error**, but if you disable this, you will be shown a warning instead, so you can decide how to proceed.
I emphasized the **on error** because that's the key here. Server-initiated redirections are not errors; what happens is this:
- you go to http://truthinmedia.com/
- HTTPZ redirects that request to https://truthinmedia.com/
- a secure communication is established with truthinmedia.com
- the server responds with a status code 301, asking the user agent (Firefox) to redirect to HTTP
- HTTPZ adds truthinmedia.com to the ignore list
- Firefox redirects the request back to http://truthinmedia.com/
I concede that, in the current state, this is kinda open to interpretation. Some things I can do to avoid surprising users:
- update the documentation to explain in more detail how the extension works, and maybe reword it a bit... (I think my English tends to feel all machine-like, especially after a couple of hours of typing code).
- add some sort of clear indication via GUI, so that users are not left wondering what happened when they come across such a site
- maybe add another option to intercept such redirections in manual mode, with a separate page explaining that the site tried to redirect to http...
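To make the six-step flow above concrete, here is an added model of the decision logic as this thread describes it. It is not HTTPZ's code: the setting names (`autoMode`, `interceptDowngrades`, the latter standing for the extra option proposed above), the handler names and every sample URL and response are assumptions constructed for the illustration, and the real extension's WebExtensions `webRequest` wiring is not reproduced. The model shows why the reporter saw no warning in manual mode (the 301 path adds the host to the ignore list and the next http request is simply allowed), what the proposed option would change (that same 301 becomes a warning), and, for the later point in the thread about manual mode and MitM, why the error path differs: a failed https connection is the thing an on-path attacker can cause, so manual mode never falls back silently there, whereas the 301 path only runs after the server was authenticated by TLS.

```javascript
// Added example: a model of the HTTPZ decision flow as described in this
// thread. This is NOT the extension's code; setting names, handler names
// and all sample URLs/responses below are assumptions constructed for the
// illustration.

// Assumed settings: autoMode mirrors the "Automatic Mode" option, and
// interceptDowngrades is the extra option proposed in the thread.
const defaultSettings = {
  autoMode: true,
  interceptDowngrades: false
};

function createState(settings = {}) {
  return {
    settings: { ...defaultSettings, ...settings },
    ignored: new Set(),   // hosts left on http until the browser restarts
    whitelist: new Set()  // hosts the user permanently exempted
  };
}

// Outgoing request: upgrade http:// to https:// unless the host is exempt.
function onBeforeRequest(state, url) {
  const u = new URL(url);
  if (u.protocol !== 'http:') return { action: 'allow' };
  if (state.ignored.has(u.hostname) || state.whitelist.has(u.hostname)) {
    return { action: 'allow', reason: 'host exempt' };
  }
  u.protocol = 'https:';
  return { action: 'redirect', redirectUrl: u.href };
}

// Response to an upgraded https:// request. A redirect whose Location is
// http:// is a server-initiated downgrade: the server was authenticated by
// TLS before it asked for this, so the extension does not treat it as an error.
function onHeadersReceived(state, url, status, headers) {
  const location = headers.Location || headers.location;
  if (![301, 302, 307, 308].includes(status) || !location) {
    return { action: 'allow' };
  }
  const target = new URL(location, url);
  if (target.protocol !== 'http:') return { action: 'allow' };
  if (!state.settings.autoMode && state.settings.interceptDowngrades) {
    return { action: 'warn', reason: 'server-downgrade', host: target.hostname };
  }
  // Current behaviour: respect the server and stop upgrading this host.
  state.ignored.add(target.hostname);
  return { action: 'allow', reason: 'host added to ignore list' };
}

// Failed https:// connection (refused, timeout, certificate error). This is
// the path an on-path attacker could trigger, so manual mode warns instead of
// falling back silently.
function onError(state, url) {
  const u = new URL(url);
  if (state.settings.autoMode) {
    state.ignored.add(u.hostname);
    u.protocol = 'http:';
    return { action: 'redirect', redirectUrl: u.href };
  }
  return { action: 'warn', reason: 'https-error', host: u.hostname };
}

// Replay the thread's scenario and return the sequence of decisions taken.
function simulateDowngrade(settings) {
  const state = createState(settings);
  const trace = [];
  // 1. the user navigates to http://truthinmedia.com/
  const first = onBeforeRequest(state, 'http://truthinmedia.com/');
  trace.push(first.action);
  // 2. constructed server response: 301 back to http
  const resp = onHeadersReceived(state, first.redirectUrl, 301,
    { Location: 'http://truthinmedia.com/' });
  trace.push(resp.action);
  // 3. Firefox follows the Location header; HTTPZ sees the http request again
  if (resp.action !== 'warn') {
    trace.push(onBeforeRequest(state, 'http://truthinmedia.com/').action);
  }
  return trace;
}

console.log('manual mode, current behaviour:', simulateDowngrade({ autoMode: false }));
console.log('manual mode + intercept option:', simulateDowngrade({ autoMode: false, interceptDowngrades: true }));
console.log('manual mode, https error:', onError(createState({ autoMode: false }), 'https://truthinmedia.com/'));
```

Run with Node: the first trace is `redirect, allow, allow` with no warning anywhere, which is exactly what the reporter observed; the second stops at `warn` on the 301; the third shows the manual-mode error path warning rather than redirecting.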
i think the documentation is pretty clear - i failed to re-read it when i opened this issue - so it's not a bug, i get that...
> When you navigate to a site over HTTPS and the servers redirect you to HTTP, the extension notices this and automatically adds that hostname to the list of sites to ignore.
what i'm suggesting is that when auto-mode is disabled, HTTPZ always prompts the user before initiating an http connection regardless of whether the server does a proper 301 redirect or not
> maybe add another option to intercept such redirections in manual mode, with a separate page explaining that the site tried to redirect to http...
i like that idea best and i think it might be more in line with what is expected - if one is using the ext. for privacy reasons and a site 301s to http without HTTPZ warning the user, that could be a problem
i don't know that another option is necessary - i think just interrupting the redirect and warning the user is fine - they can always whitelist the domain if it's a problem
to put it another way, HTTPZ usually warns before allowing an http connection when auto-mode is off and the user understands this - does the user care if it's a proper 301 or not? i'm guessing not and they, like me, might wonder why they didn't get the warning
this is not a showstopper for me so please don't think i'm trying to force this change - i just think it's not overly intuitive to have a warning sometimes and not at other times (when auto=off) when, in both cases, the site won't do https
> if one is using the ext. for privacy reasons and a site 301s to http without HTTPZ warning the user, that could be a problem
The thing is the "manual" mode was added specifically to prevent MitM from exploiting HTTPZ. Intercepting all attempts to connect to sites over http is an extra mile that should, IMO, be a separate option (tied to the manual mode). I think I'm gonna add an extra checkbox right below the one for disabling automatic mode... something like...
> By default, HTTPZ will fall back to HTTP automatically on error, but if you disable this, you will be shown a warning instead, so you can decide how to proceed.
- Automatic Mode
- Intercept server-initiated redirections to http
I can make the second checkbox+label invisible when the auto mode is on. Hmm... I'll think some more about it. The UI/UX parts have never been my forte. I'm definitely adding a separate intermediate page for that scenario though, with an appropriate description and without a Retry button.
sounds fine to me :)
@claustromaniac I would also like to see that option you suggested, but how would that be "tied with the manual mode"? To me it seems like "automatic mode, except when the site is stupid" (or user is getting intercepted...).
@Madis0, I'm not sure I understand, but I meant to say tied to the manual mode in the sense that it depends on it (because that option wouldn't make much sense in automatic mode)
- Automatic mode = automatic HTTP fallback
- This option = prevent automatic HTTP fallback if the server does it
So to me it would seem like automatic mode is a requirement, as in manual mode there wouldn't be anything to prevent; an error would be shown anyway.
Maybe I misunderstood the way you want to implement it though, but this is the UX as I see it.
> Maybe I misunderstood the way you want to implement it though
You misunderstood the specification
The idea is to give users an option to intercept server-initiated redirections to HTTP when the automatic mode is off. The extension does not currently intercept those with auto mode off because they are not errors, and the extension is designed to respect servers when they prefer to downgrade.
The current behavior (respecting servers) is secure because a secure line with the server needs to be established first for the server to ask the client to redirect to http in this way, but some users (like @atomGit) would prefer for the extension to intercept those redirections and show a warning instead, which is reasonable - that's what this is about.
Thanks for the explanation!
In that case I would still like to request this option for automatic mode too, for the extension to create a warning when the server-side redirect happens.
NVM. I hurried the stable release anyway, because I discovered a vulnerability in the previous stable version and wanted to deploy a fix as soon as possible.