Web Development

HTTPS Everywhere makes SSL/TLS easier

While it does not provide encrypted connections everywhere, the HTTPS Everywhere extension for Firefox does make it easier to establish and maintain encrypted connections to major sites on the Web.

The Electronic Frontier Foundation and the Tor Project have collaborated to offer a new Firefox extension called HTTPS Everywhere. In the EFF's announcement, it says:

This Firefox extension was inspired by the launch of Google's encrypted search option. We wanted a way to ensure that every search our browsers sent was encrypted. At the same time, we were also able to encrypt most or all of the browser's communications with some other sites:

  • Google Search
  • Wikipedia
  • Twitter and Identi.ca
  • Facebook
  • EFF and Tor
  • Ixquick, DuckDuckGo, Scroogle and other small search engines
  • and lots more!

While it does not actually provide encrypted connections everywhere, which would require that either every Web site in the world used SSL/TLS or actually used some kind of magic spell, it does eliminate some of the frustrations of trying to use encrypted connections to various websites. For instance, anyone who understands the importance of protecting usernames and passwords, and who knows about it, is likely to prefer using Wikipedia's encrypted login over its standard, unencrypted HTTP logins. Clicking a link in the search results of a major search engine (such as Google) is likely to result in being directed to the unencrypted version of the page, however.

If you prefer to use the encrypted version in links when referring others to Wikipedia as a subtle means of advocating for greater security awareness and better browsing privacy practices, this can prove especially annoying, since Wikipedia does not provide links on every page to the encrypted version of the page -- which means you need to rewrite the protocol identifier part of the URL to use https:// instead of http:// before sharing the link.

With the HTTPS Everywhere extension for Firefox, however, you will be automatically redirected to the encrypted pages at the websites the extension supports, including Google search, Facebook, and Wikipedia (and, of course, the EFF and Tor Project sites).

An HTTPS Everywhere link on the EFF's announcement page takes you to a brief description of the functionality and limitations of the extension. Big blue button graphics on both the announcement and permanent HTTPS Everywhere pages offer immediate installation of the extension.

The explanation for HTTPS Everywhere, which is currently in public beta testing, describes the need for this extension:

Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site.

The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS.

There is also a page explaining how to write your own HTTPS Everywhere Rulesets, so that you can add support for more websites to the extension on your own system. After sufficient testing to be reasonably certain nobody else will have any problems with the ruleset, you can submit it back to the EFF for inclusion with the standard HTTPS Everywhere extension distribution.

The HTTPS Everywhere Firefox addon helps you encrypt web traffic entry at The Tor Blog goes into a little more technical detail about the implementation of the extension. In particular, it explains:

This tends to work more effectively than NoScript because many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may not offer all pages and applications via HTTPS, or may only allow HTTPS activity via alternate subdomains that require URL rewriting and redirection. In particular, Google's SSL search and Wikipedia both require rather complex URL rewriting and exception filters to work properly.

HTTPS Everywhere should also perform more securely than DOM-based mechanisms such as the GreaseMoney-based [sic] SSL Certificates Pro and the Google Chrome-based KB Enforcer. These addons perform redirection at the DOM level, which causes many HTTP fetches to leak prior to the redirect to HTTPS.

Hopefully, a version of this extension will be ported to Chromium-based browsers in the future, and will eventually be ported to other browsers as well. On the other hand, one must wonder whether Microsoft Internet Explorer users (for instance) would even use an extension like this.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

24 comments
Who Am I Really
Who Am I Really

sounds cool? however, I've noticed that my ISP toasts my connection speed whenever it detects an HTTPS/SSL or FTPS/SSL etc. type connections, - as in my Gmail will load smoking fast if I turn off the "always use HTTPS" option but as soon as it's turned back on then I wait and wait and wait for my mailbox to open

Justin James
Justin James

Just because someone uses IE does not mean that they are not security concious with regards to SSL. :) I for one would definitely use this plugin if it were available for IE. J.Ja

apotheon
apotheon

It doesn't work properly. It leaks credentials on initial connection because, unlike Firefox, the extension system in Chromium will not allow an extension like HTTPS Everywhere to intercept a request to redirect before the initial connection is made. This means that, in cases where you want cookie-based authentication to be protected by encryption when first connecting to a Website, the limitations of the Chromium extension system ensure that it utterly fails to be useful at all.

apotheon
apotheon

HTTPS connections are going to be a little slower than straight up HTTP, but they shouldn't be that much slower. I wonder what's going on. I hope you aren't sacrificing security for half a second of load time.

apotheon
apotheon

You're definitely in the minority, I think. Why use it with IE instead of just using a different browser?

photorecovery
photorecovery

I LOVE your response!!! So true. I've always been draw to cards that are clean and minimal (as far as embellishments) with bold colors on a white backdrop. That totally describes my living space. Ha - and to think it was right here all along. Regards, Data Recovery Software http://www.datadoctor.biz

apotheon
apotheon

I've been using it for several days now. So far, so great.

Who Am I Really
Who Am I Really

and a most, if not all of the major ISP practice it, due to pressure from the DRM Crowd. I don't sacrifice security, I just do something else while I wait for the page to load.

Justin James
Justin James

I've got a number of reasons to not use other browsers besides IE. The biggest one, though, is that other browsers have failed to convince me that they are worth the effort to make the switch. Firefox is just as slow as IE when I use it, and its issues with resource leakages are well documented. Every heavy Firefox user I know seems to accept crashes and other issues forcing a browser shut down every day or multiple times a day as a "no big deal" issue... I can leave a stacked IE session up for weeks at a time with zero issues. One of the big draws to Firefox is the plugins, but it seems like they are the root cause of much of Firefox's problems. Regarding security, much of IE's security issues stem from ActiveX. IE hasn't allowed ActiveX on public Web sites in a very long time, so much of that risk is mitigated. Past that, most of the security issues are things like the recent hcp handler issue, which for the most part are the kinds of security problems that turn up in any large, complex application. Firefox has had its share of these issues and so have Chrome and Safari. So honestly, Firefox does not seem to offer me anything that IE doesn't. Most of the "features" that Firefox touts don't excite or impress me either. It's not that I never use Firefox... I love the Firebug extension and it's saved me hours in the past. But the Firefox experience has simply failed to impress me to the point that I would switch. Chrome is very fast, but I really, REALLY do not trust Google. Now that I have used an Android phone for a while, I see all of the miscellaneous toggle switches in it that they use to tie me to their database, and I *do not like it*. Indeed, for my phone I use a Google account that I made just for the phone. Google has annoyed me with their tracking as it is. I hate that I go to one site, shop around, and for the next year ads for that site suddenly crop up everywhere. For crying out loud, I don't even directly use any Google services, and I go out of my way to avoid them, so I find it maddening that they track me anyways. I wish there was a "do not call" list for cookies and ad tracking. Chrome's security record looks a lot like IE 6's from the reports I've read (although I admit that I have not gone in depth in researching it). Regardless of the security issues, I am not putting any data into Google's hands that I do not have to, so Chrome is off the table. So, sadly enough, from my perspective, Internet Explorer is the best browser on the market, at least for my needs. Is it good? ABSOLUTELY NOT. It is awful on standards as we know. Its security track record is atrocious (although again, much of that is in ActiveX which is a red herring for the most part). It's slow and cumbersome. Definitely lacking in innovation. And despite all of that, none of its competitors are so much better that I'll make the switch. If Firefox got its act together and fixed the problems that they claim are fixed with each big release (every release after 1 has promised that it fixes the crashing and resource leaking, it's like listening to Microsoft talk about Windows), or if Chrome was a bit more trustworthy, I would gladly switch. But it just isn't compelling, which is really sad given how pathetic IE is. J.Ja

apotheon
apotheon

This spammy comment is labeled as already flagged, but still has not been deleted. That's some pretty slow response.

Sterling chip Camden
Sterling chip Camden

Pretty sweet -- I like the way it doesn't get in the way, it just chooses the secure option where available.

apotheon
apotheon

I think I'll write an article about this stupidity.

apotheon
apotheon

I haven't heard of HTTPS connections being throttled for purposes of copyright enforcement. What's the rationale behind restricting HTTPS?

apotheon
apotheon

There are some things that do get improved (core stability, performance under ideal conditions, et cetera). There are other things that get worse, though (URL completion, thanks to the "awful bar" or "awesome bar" or whatever they're calling it, et cetera). It's also becoming a more tightly integrated, self-contained, monolithic application that is playing at being the all-singing, all-dancing, dish-cleaning circus monkey, and won't allow any outside script interaction (securely or otherwise), as with the decision to move cookie policy handling from plain text to SQL. I, too, am chomping at the bit for a stable Chromium on FreeBSD.

Sterling chip Camden
Sterling chip Camden

Except that my testing indicates that performance, resource consumption, and stability have all improved in 3.6. Firefox is still too heavy for my taste, but it's not the slow, buggy beast that it used to be. And it was always better than IE. Personally, I can't wait until Chromium becomes stable for FreeBSD.

apotheon
apotheon

There's no such thing as a Good Browser. SRWare Iron comes pretty close, though -- thanks to the wonders of open source software (and, specifically, copyfree software). Check it out. I can leave a stacked IE session up for weeks at a time with zero issues. I've had a Firefox session with more than three hundred tabs open (varying numbers as I open and close stuff), for weeks without a crash. I recommend installing FlashBlock, by the way, since that extension helps immensely with stuff like resource consumption. Flash is a damned menace. One of the big draws to Firefox is the plugins Darn straight. I love being able to use FlashBlock, Perspectives, Google Sharing, QuickProxy, HTTPS Everywhere, and of course Vimperator. NoScript is nice too, but that sort of thing requires a bit of adjustment. Regarding security, much of IE's security issues stem from ActiveX. IE has other security issues as well -- such as its closed source, Microsoft's legendary "quick" response time on vulnerability response, tight integration with the OS (making certain types of vulnerabilities not only possible but pretty much inevitable, where they can't really exist with other browsers), and so on. Chrome is very fast, but I really, REALLY do not trust Google. This is why I don't recommend Google Chrome. I recommend SRWare Iron instead. It's based on the same Chromium code base, but with the "phone home" crap stripped out. Too bad it can't do HTTPS Everywhere.

apotheon
apotheon

I don't think Firefox has improved (sorry to contradict you, Sterling). In fact, I'd say that since the days it was called Firebird it has been steadily getting worse. Some things are better about Firefox than in the past, at least in theory, but other things just seem to get worse with each release. Chromium is a better browser in many ways (and, on MS Windows, I recommend the SRWare Iron variant). On FreeBSD, though, since I don't have a stable Chromium browser yet, and regardless of platform we don't have any options for HTTPS Everywhere other than Firefox right now, I'm basically stuck choosing between Firefox and stuff that's even worse. . . . and despite my general loathing for Firefox, I still think it's better in many ways than Opera and (especially) IE.

Justin James
Justin James

I'm always willing to take another look at a product, especially if someone who I trust and who knows what they are talking about (like you) says it's significantly improved. At the same time, even with the issues around crashing/leakage fixed... it's not an overwhelming "must have" for me. Maybe I will try Firefox for a week and see how I feel about it. J.Ja

Sterling chip Camden
Sterling chip Camden

It seems to me that firefox has gotten much better in recent releases. It hasn't crashed on me in quite a long time, and I now use it for most browsing, since Chromium is not yet released on FreeBSD. Mozilla has definitely improved performance since 3.5, and I have not seen the infamous memory leakage of the past.