[johannh]

> AMO doesn't do any code signing for extensions, so they're only protected by HTTPS. As we saw with Heartbleed, SSL private keys can be compromised.

I find it quite ironic that HTTPS Everywhere is arguing HTTPS is not safe enough to offer them a reasonable guarantee of integrity.

[geofft]

HTTPS is a lower bound of reasonable security, not an upper one. The argument for HTTPS _everywhere_ is that it's the smallest possible thing you can do to make yourself slightly secure.

Would you find it ironic that someone selling combination locks for gym lockers wants a better lock on their storefront?

[johannh]

I find it ironic if banks and post offices are using combination locks as advertised security measures but the people selling those install steel doors on their storefront.

[riquito]

> Would you find it ironic that someone selling combination locks for gym lockers wants a better lock on their storefront?

More like he wants to add additional security measures because the lock isn't secure enough. I wouldn't buy a lock then.

[philtar]

It's called layering.

Nothing is 100% secure.

[kofalt]

Shouldn't be terribly surprising: http://dayswithoutansslexploit.com

HTTPS might be better than getting a website in cleartext, but you'd have to be a madman to claim that HTTPS is safe, sane, or secure.

[johannh]

True, I'm not surprised at all. HTTPS Everywhere-like functionality should be integrated into browsers and not a downloadable extra, tricking people into feeling fully secured.

[toomuchtodo]

While not "everywhere"...

Force SSL only: http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

Have site preloaded in Chrome: https://hstspreload.appspot.com

[mbrubeck]

Firefox also has a built-in HSTS preload list, which I believe uses the Chrome list as one of its inputs: https://blog.mozilla.org/security/2012/11/01/preloading-hsts...