Force HTTPS Exception List?

Is there a way to view the exception list for the sites I specifically mark as “Force HTTPS”? I don’;t want to just have a lock icon notify me. I want to know each site I have set for this. Also, a sort of side question. What is “Ice” Comodo Dragon??? I just noticed the forum just now. I “MORE” hardened version of CD?

Hi GreenLED,
The only way I know of viewing the list is to open the ForcedTransportSecurity file with a text editor (Notepad or similar).
This is found in your user profile.
Profile example C:\Users\Username\AppData\Local\Comodo\Dragon\User Data\Default.

Dragon and IceDragon are two totally separate Comodo browsers. Dragon is a Chromium based browser. IceDragon is a FireFox based browser.

Kind regards.

Open dragon://net-internals/#hsts to view and manage domains.

There you will not only find domains you have added, but also these domains: http/transport_security_state_static.json - chromium/src/net - Git at Google

Having looked at the URL, now I’m curious. What is all of this stuff? Why are things being “captured”? Is this data captured locally only? Looks like you’ve got a whole back-end here I never knew about or is this part of the chromium spec? Also, what does “stopping” capture do besides stopping capture for this session?

I have been away for a few days, sorry for the late reply.

Why is there not a more elegant way of managing forced HTTPS connections? Is that just something that was left to the Chrome project and Comodo never touched it?

Good. :slight_smile:

An excellent question. :slight_smile: As you can see on that page, “HSTS is HTTPS Strict Transport Security”, which is standardised as RFC 6797. HSTS is used on some servers, and when you connect to a server that uses it, it will send a header to your browser, telling it to only use HTTPS and to silently block insecure active content. The problem is that you have to connect once to the server to get the header, and that first connection may be “insecure” (over HTTP). As a solution, Google maintains a list of domains (link in my previous post), to which the browser (Chromium, Firefox) will always connect over HTTPS.

Network-events are captured. You can view them here: dragon://net-internals/#events.
Yoy can stop it at dragon://net-internals/#capture and export it at dragon://net-internals/#export.
Despite “dragon” in the URLs, this is part of Chromium (in Chrome, the URLs begin with chrome://).

It’s summer, enjoy it. 8) :wink:

As I said, dragon://net-internals/#hsts is part of Chromium, and Comodo has not made any changes there. What Comodo did, was adding a padlock-icon in the address-bar, so users more conveniently can add domains. That feature is described here: Force Secure Connections.