Author Topic: Avast Secure Browser warning us trying to install HTTPS Everywhere extension...


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Installing this extension, namely "HTTPS Everywhere", could be insecure as it can tamper with all the data that you send.

Why would we not want this tampering, while a secure tunnel connection is also being set up for http content?

I also found this information: one should understand that one can still use SSLstrip, Firesheep and similar attacks against HTTPS Everywhere. By searching a bit, I also came across this link and this test (related to the previous link); it seems that HTTPS Everywhere does not protect you against spoofing attacks. Related to this topic, I could also find this one, which contains a lot of good information, and this one on how to protect from sslstrip attacks. Link: https://security.stackexchange.com/questions/2113/options-when-defending-against-sslstrip
The link to the xxx-ios51-demo.html test does not work anymore.

Using a Privoxy rule against this:

Quote
Using Privoxy rule:

    echo '{ +redirect{s@http://@https://@} }
    .foo.org' >> /etc/privoxy/user.action

Info credits on security.stackexchange go to LanceBaynes.

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
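As an added illustration (not from the original post or from the HTTPS Everywhere project), this Python sketch models what separates a site that only redirects http to https, which an on-path sslstrip attacker can strip, from one that also sends HSTS, the server-side counterpart of the client-side Privoxy rule quoted above. The host name, the two responses and the classification labels are constructed for the example; the evaluation is my own, not any browser's code.

```python
from urllib.parse import urlsplit

# Constructed sample responses (not captured from any real site): the
# first answers a plain http:// request, the second the https:// request.
HTTP_RESPONSE = {"status": 301, "headers": {"Location": "https://www.example.com/"}}
HTTPS_RESPONSE = {"status": 200, "headers": {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}}

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into its directives."""
    policy = {"max-age": None, "includeSubDomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age" and arg.strip('"').isdigit():
            policy["max-age"] = int(arg.strip('"'))
        elif name == "includesubdomains":
            policy["includeSubDomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def redirects_to_https(host, response):
    """True if the plain-http reply is a redirect to https on the same host."""
    if response["status"] not in (301, 302, 307, 308):
        return False
    target = urlsplit(response["headers"].get("Location", ""))
    return target.scheme == "https" and target.hostname == host

def sslstrip_exposure(host, http_response, https_response):
    """Classify a site's resistance to an sslstrip-style downgrade.
    'no-https-redirect': plain http is served as-is.
    'redirect-only'    : the redirect exists, but an on-path attacker can strip it.
    'hsts'             : protected after the first clean https visit (trust on first use).
    'hsts-preload'     : policy is preload-eligible, so even the first visit is covered
                         once the host is on the browser preload list."""
    if not redirects_to_https(host, http_response):
        return "no-https-redirect"
    hsts = https_response["headers"].get("Strict-Transport-Security")
    if hsts is None:
        return "redirect-only"
    policy = parse_hsts(hsts)
    if not policy["max-age"]:          # missing or max-age=0 switches HSTS off
        return "redirect-only"
    if policy["preload"] and policy["includeSubDomains"] and policy["max-age"] >= 31536000:
        return "hsts-preload"
    return "hsts"
```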

Offline polonus
Even a lot of tech folks aren't always aware of the following info:

Why has Chrome pinned its certificate for google.com? Does it mean Google does not trust each and every certificate provider?
Whether Chrome makes an exclusion for *.google.* is not known to us, but HPKP support has been partly disabled now in recent browsers.

Read at the end here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning:
Firefox and Chrome disable pin validation for pinned hosts whose validated certificate chain terminates at a user-defined trust anchor (rather than a built-in trust anchor). This will mean that for users who imported custom root certificates all pinning violations are being ignored. Your browser stays silent on such violations.  :o

In other words, when another trusted certificate supplier other than the one for *.google.* has been used and issues a violating certificate (as happened in the past with the Dutch DigiNotar), this will lead to an alert inside the browser.

When a *.google.* MitM (local antivirus, company proxy, or now nation-wide, as recently in Kazakhstan) sends a falsified certificate with a trust chain to a root certificate that does not come with the standard root certificates, your browser will not alarm you.

Info credits go to Bitwiper

polonus
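To make the Bitwiper explanation concrete, here is an added Python model (not browser code and not from the post) of HPKP evaluation with the user-defined-trust-anchor exemption quoted from MDN: a mis-issued chain from another built-in CA trips the pin, while an interception chain ending at a locally imported root is never checked. All key material, host names and the pinned-host table are constructed placeholders.

```python
import base64
import hashlib

# A chain is a list of dicts from leaf to root. 'spki' stands in for the DER
# SubjectPublicKeyInfo bytes and 'builtin' says whether that root ships with
# the browser; all values here are constructed placeholders, not real keys.
def pin_of(spki_bytes):
    """HPKP pin: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_bytes).digest()).decode()

SITE_ROOT_SPKI = b"constructed-spki-of-the-sites-builtin-root"
SITE_LEAF_SPKI = b"constructed-spki-of-the-sites-leaf"
PROXY_ROOT_SPKI = b"constructed-spki-of-a-locally-imported-root"

# Pinned-host table, as a browser's preloaded pins might look (constructed host).
PINNED_HOSTS = {"pinned.example.com": {pin_of(SITE_ROOT_SPKI)}}

def check_pins(host, chain, pinned_hosts=PINNED_HOSTS):
    """Model browser pin evaluation including the user-trust-anchor exemption
    quoted from MDN. Returns 'not-pinned', 'skipped-user-anchor', 'ok' or 'violation'."""
    pins = pinned_hosts.get(host)
    if not pins:
        return "not-pinned"
    if not chain[-1]["builtin"]:
        # Chain ends at a user-imported root (AV, corporate or national proxy):
        # pin validation is disabled, so a substituted chain passes silently.
        return "skipped-user-anchor"
    chain_pins = {pin_of(cert["spki"]) for cert in chain}
    return "ok" if chain_pins & pins else "violation"

# The site's genuine chain: one of its SPKI hashes matches the pin.
GENUINE_CHAIN = [{"spki": SITE_LEAF_SPKI, "builtin": False},
                 {"spki": SITE_ROOT_SPKI, "builtin": True}]
# A mis-issued chain from another *built-in* CA (the DigiNotar situation): alerted.
ROGUE_PUBLIC_CHAIN = [{"spki": b"constructed-rogue-leaf", "builtin": False},
                      {"spki": b"constructed-other-builtin-root", "builtin": True}]
# An interception chain ending at a user-imported root: not alerted.
PROXY_CHAIN = [{"spki": b"constructed-leaf-minted-by-proxy", "builtin": False},
               {"spki": PROXY_ROOT_SPKI, "builtin": False}]
```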

Offline polonus
Also blocked in Avast Secure Browser: -https://chrome.google.com/webstore/detail/leaf-browser-alpha/nefehiekhccmedmdoilmhikhdiiijkbe?hl=en-GB
Because Leaf Browser has full access to your mic and camera.

polonus

Offline polonus
See what the security-related implementations of HTTPS Everywhere meant
for this random case chosen from the HTTPS Everywhere Atlas:
https://atlas.eff.org//domains/wareable.com.html

I do not criticize it, but we should take good note of all of this and see
where improvements can be made for website development in general (pol).

Re: https://webcookies.org/cookies/www.wareable.com/2218452?655200

See DOM-XSS sources and sinks.

Results from scanning URL: -http://www.wareable.com (JavaScript = React)
 /assets/dist/js/index.8ff84803f2a15966bb29.js:38
Number of sources found: 2
Number of sinks found: 241

Results from scanning URL: -https://www.wareable.com/vassets/packages/tippingcanoe/referrer-tracking/reftrack.min.js
Number of sources found: 3
Number of sinks found: 3

Results from scanning URL: -https://www.wareable.com/vassets/packages/tippingcanoe/referrer-tracking/reftrack.min.js
Number of sources found: 59
Number of sinks found: 19

Results from scanning URL: -https://www.wareable.com/assets/dist/js/index.8ff84803f2a15966bb29.js
Number of sources found: 59
Number of sinks found: 19

21 security-related recommendations after linting,
see: https://webhint.io/scanner/2265b59b-712d-46e4-b8ee-146fd4eb28f1#category-Security
for disown-opener; no-protocol-relative-urls; sri; strict-transport-security; validate-set-cookie-header; x-content-type-options;
no vulnerable-javascript (retirable jQuery library alert).

JavaScript error alerted:
Quote
TypeError: Failed to execute 'observe' on 'MutationObserver': parameter 1 is not of type 'Node'.
 /assets/dist/js/index.8ff84803f2a15966bb29.js:38

Website on Cloudflare: https://toolbar.netcraft.com/site_report?url=https://www.wareable.com

HTTP security headers insecure (header not returned):

  • cache-control (no-cache)
  • x-content-type-options
  • x-xss-protection
  • x-frame-options
  • content-security-policy

Cookie security options (4 cookies): HttpOnly attribute for the _upasid_ & XSRF-Token cookies.

Autocomplete settings not secure for a noname HTML form.

Stack info:
  .drweb_select-panel z-index="2147483647"
  #slidemenu.slidemenu-box z-index="9999"
  #slidemenu-close-btn.slidemenu-close-btn z-index="200"
  .overflow-dropdown-menu. z-index="1000"
  .overflow-dropdown-menu. z-index="1000"

In link-details:
  #site-box
  #publisherDetails
  #slidemenu #slidemenu-close-btn #overlay

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
« Last Edit: July 21, 2019, 02:55:16 PM by polonus »
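An added Python audit, not part of the post and not webhint's code, that walks a response header list for the missing security headers and the cookie attributes reported above (HSTS is listed here only as present or absent; its policy is covered by the earlier HSTS example). The response is a constructed sample shaped like those findings, not a capture from wareable.com.

```python
# Constructed response headers (not captured from wareable.com), kept as a
# list of (name, value) pairs because Set-Cookie legitimately repeats.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Cache-Control", "no-cache"),
    ("Set-Cookie", "_upasid_=abc123; Path=/"),
    ("Set-Cookie", "XSRF-TOKEN=def456; Path=/; Secure"),
    ("Set-Cookie", "session=xyz789; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

# Headers a modern site is expected to return; x-xss-protection from the post
# is deliberately not required here, as current browsers ignore it and CSP
# covers the same ground.
REQUIRED_HEADERS = {
    "strict-transport-security": "HTTPS downgrade (sslstrip) protection",
    "x-content-type-options": "stops MIME sniffing (value must be 'nosniff')",
    "x-frame-options": "clickjacking defence",
    "content-security-policy": "limits script sources feeding DOM-XSS sinks",
}

def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs

def audit(headers):
    """Report missing security headers and cookies lacking HttpOnly or Secure.
    Returns {'missing_headers': [...], 'weak_cookies': {name: [missing attrs]}}."""
    present = {k.lower(): v for k, v in headers}
    missing = [h for h in REQUIRED_HEADERS if h not in present]
    xcto = present.get("x-content-type-options", "").strip().lower()
    if "x-content-type-options" in present and xcto != "nosniff":
        missing.append("x-content-type-options (value must be 'nosniff')")
    weak = {}
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(v)
        lacking = [a for a in ("httponly", "secure") if a not in attrs]
        if lacking:
            weak[name] = lacking
    return {"missing_headers": missing, "weak_cookies": weak}
```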