Individual-resistance: HTTPS by default
As part of the Collaborative ResistancE to Web Surveillance (CREWS) project with UCL, we are going to build a prototype to understand the effectiveness of enhanced eavesdropping protection in Tor Browser.
Modern web browsers, including Tor Browser, indicate that unencrypted web traffic is insecure but do not block it, because some websites do not support encryption. Malicious intermediaries can therefore perform “SSL-stripping attacks”, forcing the browser to downgrade to unencrypted traffic. For this project we will evaluate how to require encryption unless the user explicitly permits downgrading. We will explore approaches to clearly describe the risks of sharing web browsing data with intermediaries (legibility) and to give the user control over whether to proceed nevertheless (agency).
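The policy described above can be sketched as a navigation decision that fails closed. This is an added example, not code from CREWS or Tor Browser; the function names, the host allow-list and the `httpsReachable` probe are assumptions made for illustration.

```javascript
// Added illustration, not CREWS or Tor Browser code. All names are hypothetical.
// Policy sketched: try HTTPS first for every http:// navigation; if that fails,
// load plain HTTP only for hosts the user has explicitly allowed; otherwise stop
// and ask. There is no silent fallback, which is what SSL stripping depends on.

function decideNavigation(rawUrl, allowedHttpHosts, httpsReachable) {
  const url = new URL(rawUrl);
  if (url.protocol !== "http:") {
    // Already https:, or a scheme this policy does not cover.
    return { action: "load", url: url.href, encrypted: url.protocol === "https:" };
  }
  const upgraded = new URL(url.href);
  upgraded.protocol = "https:"; // same host, path and query; default port follows the scheme
  if (httpsReachable(upgraded.href)) {
    return { action: "load", url: upgraded.href, encrypted: true };
  }
  if (allowedHttpHosts.has(url.hostname)) {
    // Explicit earlier consent for this exact host (agency).
    return { action: "load", url: url.href, encrypted: false };
  }
  // Fail closed and explain the risk in plain terms (legibility).
  return {
    action: "prompt",
    url: url.href,
    encrypted: false,
    message: `${url.hostname} could not be reached over HTTPS. Without encryption, ` +
      "intermediaries on the network path can read and modify this traffic.",
  };
}

// Apply the user's answer to a prompt. Consent is scoped to one hostname.
function recordChoice(allowedHttpHosts, hostname, permitDowngrade) {
  if (permitDowngrade) allowedHttpHosts.add(hostname);
  return permitDowngrade ? "load-insecure" : "cancel";
}

// Constructed scenario: an intermediary blocks the HTTPS attempt, so the upgrade fails.
const allowed = new Set();
const strippedNetwork = () => false;
const first = decideNavigation("http://example.com/login", allowed, strippedNetwork);
console.log(first.action, "-", first.message);
recordChoice(allowed, "example.com", true);
console.log(decideNavigation("http://example.com/login", allowed, strippedNetwork).action);
```
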