Using noscript to force https ssl links in firefox

mouser:
I was talking to a friend the other day about accessing donationcoder or other sites using SSL (https urls), and how many have a problem where they support ssl but some of the links on the site itself will redirect you to normal http links inadvertently, leading you back to a non-secure connection.

It turns out that there are a couple of firefox extensions that can be used to force firefox to always use an https style ssl link on certain websites.  That is, it will dynamically adjust all http links to be https (or vice versa) on sites you specify.

The easiest solution is to use the very powerful, actively developed, donation supported "noscript" extension.  People who are paranoid about security tend to already have noscript installed so chances are if you care about forcing https you might already have noscript installed, and just not know about this feature.

For more instructions on how to configure noscript to force https, see for example this page.

ghacks:
That's interesting Mouser. You can optimize your code by using a wildcard :)
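
The link rewriting mouser describes, with the kind of wildcard host matching ghacks mentions, as an added example that is not part of the thread and not NoScript's own code. The pattern syntax, the function names and the hostnames are assumptions made up for illustration.

```javascript
// Added illustration: not NoScript's code or its pattern syntax.
// Assumed pattern forms: "example.com" (exact host) and "*.example.com"
// (any subdomain, but not the bare domain).
function hostMatches(host, pattern) {
  host = host.toLowerCase();
  pattern = pattern.toLowerCase();
  if (pattern.startsWith("*.")) {
    // Keep the leading dot so "evilexample.com" cannot match "*.example.com".
    const suffix = pattern.slice(1);
    return host.length > suffix.length && host.endsWith(suffix);
  }
  return host === pattern;
}

// Returns the https form of `link` when its host is on the force list,
// otherwise returns `link` unchanged.
function forceHttps(link, forceList) {
  let url;
  try {
    url = new URL(link);
  } catch (e) {
    return link; // relative or malformed link: leave it alone
  }
  if (url.protocol !== "http:") return link; // already https, mailto:, etc.
  // An explicit non-default port rarely speaks TLS; do not guess.
  if (url.port !== "") return link;
  if (!forceList.some((p) => hostMatches(url.hostname, p))) return link;
  url.protocol = "https:";
  return url.href;
}

// Constructed sample data (hypothetical hosts).
const FORCE_LIST = ["forum.example.com", "*.example.org"];
const SAMPLE_LINKS = [
  "http://forum.example.com/index.php?topic=1",
  "http://mail.example.org/inbox",
  "http://example.org.attacker.test/login",
  "http://forum.example.com:8080/status",
];
for (const link of SAMPLE_LINKS) {
  console.log(link, "->", forceHttps(link, FORCE_LIST));
}
```

The third sample shows why the match is anchored on the leading dot of the suffix: a host that merely contains the trusted name is left untouched rather than treated as being on the list.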

f0dder:
If only DC had a SSL cert that didn't make firefox throw hissy fits...

housetier:
ha! very good, I just set up a bunch of sites to be forced to https.

Gothi[c]:
--- Quote from: f0dder ---
If only DC had a SSL cert that didn't make firefox throw hissy fits...

--- End quote ---

If only firefox didn't throw hissy fits, extorting money out of people so they would buy ssl certificates :)

I tend to be the first to applaud security measures, but https is just broken.
It is trying to serve 2 purposes, which should be separate things.

1) making sure you're talking to who you think you are talking to
2) provide encryption

#1 is not possible without having certificate authority bodies (which, right now, is a business), and I'm all for FF throwing hissy fits when you may be talking to an attacker.

However, when all you want is encryption, a self-signed cert is more than fine. The fact that anyone that wants to implement encryption without forking out the money for #1, gets harassed by web browsers, is deterring people from using and/or implementing encryption at all, which is a very very bad thing for security.
