@JohnConnorBear said in relevant plugins with the latest version of vivaldi:
I did not look much at HTTPS Everywhere internals but in the way I have set it (both options on) it seems to disallow non-encrypted connections. When some site doesn't have HTTPS I get an error page instead.
That's also not true. You can receive that error when the page does have HTTPS, just the extension doesn't know it. That checkbox to throw a hard fault was added after the EFF had received some (legitimate) criticism that HTTPS Everywhere was actually harming users rather than protecting them.
Users assume that the extension will always redirect them to the secure page if it exists. So if a page loaded in HTTP then they would assume that the site doesn't support HTTPS and if there is a login on the page, they'll log in over an insecure connection. They'd even grow lazy and dependent upon the extension and stop paying attention to the lock icon.
The reality is that HTTPS Everywhere works by using a whitelist. Originally, in order to get on the whitelist, site admins had to email an obscure mailing list. Nowadays they have a GitHub repo, and maybe a web form. They have to write a rule set for their site to get added to the rule sets that are part of the extension. That used to only update for users when the extension was updated; fortunately it now updates automatically every 24 hours.
HTTPS Everywhere was great when it launched. Its purpose was/is to mitigate against Firesheep attacks. But it has a fundamental design flaw in that it relies upon a whitelist. EFF did this because they want to track how many sites are using HTTPS. Speaking of tracking, every time you visit a site, the extension sends a fingerprint of the site to EFF.
The proper approach would be to just check if the site responds on HTTPS, and switch over if it does. Then there wouldn't be the need to break sites that don't support HTTPS, especially during this transition period when the internet is moving to TLS but many perfectly fine sites have yet to do so. Because users would be right in their assumption that it was loading HTTPS if it existed rather than only for sites on its whitelist.
Nowadays there's a ubiquitous whitelist that does the same thing. Instead of only working for people who install a plugin, it works for everybody because it's built into the browser. It's called the HTTPS Preload List. If you're a site admin, are you going to spend the time getting onto a whitelist that only affects users of an extension, or onto the whitelist that is a part of people's browsers?
HTTPS Everywhere was great in its day, but its day has passed. There are still some sites for which the Preload List cannot be used due to their need to serve mixed content. In such cases an extension might be useful to mitigate Firesheep attacks, but in that case the extension to use would be Smart HTTPS, which works how people think HTTPS Everywhere works but actually doesn't.
I love the EFF, please don't take this as an attack on them as an organization. But they do need to realize that they aren't a software shop. They have created some tools that were great when they launched, and met a real need at the time. But needs don't remain static, and they simply don't update their products as necessary, which makes them worse than useless -- they actually become harmful to users. I see far too many posts across the entire internet of people posting their Panopticlick results and proclaiming they are protected against trackers. That wasn't even true when it first came out, but EFF buries the warnings deep inside tech research papers rather than appropriately placing them prominently on the tool's homepage and operating pages. This extension is more of the same ... users thinking it does more than it can, and it's not really the users' fault. I used to misunderstand how the extension worked as well, and if I make that mistake then nobody else in my family even has a chance to get it right.
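The difference the post draws between a whitelist-driven upgrade and a probe-first upgrade, as an added example that is not part of the original post and is not code from HTTPS Everywhere or Smart HTTPS. The host names, the ruleset contents and the `probeHttps` stub (standing in for a real TLS connection attempt) are constructed assumptions.

```javascript
// Simplified model of the two upgrade strategies; all names are hypothetical.
// Constructed sample data: hosts that really answer on HTTPS.
const SERVES_HTTPS = new Set(["bank.example", "blog.example"]);
// Constructed ruleset: blog.example supports HTTPS but was never submitted.
const RULESET = ["bank.example", "*.shop.example"];

// Stub for a real TLS connection attempt, so the example runs offline.
function probeHttps(host) {
  return SERVES_HTTPS.has(host);
}

// True when host equals a target or matches a left-hand wildcard target.
function inRuleset(host, rules) {
  return rules.some((t) =>
    t.startsWith("*.") ? host.endsWith(t.slice(1)) : t === host);
}

// Whitelist strategy: upgrade listed hosts only; optionally hard-fail the rest.
function allowlistDecision(host, rules, blockUnencrypted) {
  if (inRuleset(host, rules)) return "https";
  return blockUnencrypted ? "blocked" : "http";
}

// Probe strategy: try HTTPS first, fall back to HTTP only if the probe fails.
function probeDecision(host, probe) {
  return probe(host) ? "https" : "http";
}

// Compare the strategies per host and flag the two failure modes.
function compare(hosts) {
  return hosts.map((host) => {
    const row = {
      host,
      serverHasHttps: probeHttps(host),
      allowlist: allowlistDecision(host, RULESET, false),
      allowlistStrict: allowlistDecision(host, RULESET, true),
      probe: probeDecision(host, probeHttps),
    };
    // Silent plaintext: HTTPS exists but the user stays on HTTP.
    row.missedUpgrade = row.serverHasHttps && row.allowlist === "http";
    // Needless breakage: HTTPS exists but the user gets an error page.
    row.falseBlock = row.serverHasHttps && row.allowlistStrict === "blocked";
    return row;
  });
}

const report = compare(["bank.example", "blog.example", "legacy.example"]);
console.table(report);
```

In this model `blog.example` is the case the post describes: it serves HTTPS, yet the whitelist leaves it on HTTP or blocks it, while the probe upgrades it.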