Make interstitial page clearer wrt disabling HTTPSE for domain
Type: code issue
This came in over email. See initial email and my reply below.
There's a historical reason for this confusion. Originally, when we developed the interstitial page with the text you're referring to, we didn't yet have the ability to disable HTTPS Everywhere functionality on a per-domain basis. This functionality came later.
Every string we use in HTTPS Everywhere is translated into different languages before being distributed. If we make small changes in the string, it will result in the entire string needing to be re-translated, or else you'll just get the English version instead. That means we had to make a trade-off: our functionality changes resulted in a lack of clarity, but changing the string would result in an even greater lack of clarity for non-English speakers, at least until we gave enough time for these to be translated properly.
That being said, it has been a while since we've looked at this string and I think you're right. We can provide the string to the translators and give it a little bit of time to get translated properly, and then perhaps the release after next, when we have given it enough time, incorporate that into the extension. I'll add a task for ourselves.
First off, thanks for creating this tool!
When EASE is enabled and a site gets blocked, the text of the message is:
HTTPS Everywhere noticed you were navigating to a non-HTTPS page, and tried to send you to the HTTPS version instead. The HTTPS version is unavailable. Most likely this site does not support HTTPS, but it is also possible that an attacker is blocking the HTTPS version. If you wish to view the unencrypted version of this page, you can still do so by disabling the 'Block all unencrypted requests' option in your HTTPS Everywhere extension. Be aware that disabling this option could make your browser vulnerable to network-based downgrade attacks https://en.wikipedia.org/wiki/Downgrade_attack on websites you visit.
URL: [URL link]
From a (new) user's perspective, I think this message:
- implies that to even view this website, "block all unencrypted requests" needs to be disabled globally
- does not state that a per-domain exception can be generated
- does not suggest that the link in the second paragraph is a UI element which generates a per-domain exception