When someone visit website , and that website configured TLS to be useless and vulnerable to MITM (not checking if there is "Protocol Support" and "Cipher Strength") then this is real flaw of HTTPS-Everywhere to pass this as secure connection. E.g to make this very clear: https://www.ssllabs.com/ssltest/analyze.html?d=zu.ac.ae This is an F website and allows MITM due to insecure renegotiation. But when you visit the website while HTTPS-Everwhere enabled it will not read it as insecure connection or even showing yellow sign that the connection is not encrypted (by the lock browser). So whether this HTTPS-Everywhere flaw or TBB , something is wrong here. **Trac**: **Username**: bo0od