Developer

HTTPS Everywhere makes SSL/TLS easier

While it does not provide encrypted connections everywhere, the HTTPS Everywhere extension for Firefox does make it easier to establish and maintain encrypted connections to major sites on the Web.

The Electronic Frontier Foundation and the Tor Project have collaborated to offer a new Firefox extension called HTTPS Everywhere. In the EFF's announcement, it says:

This Firefox extension was inspired by the launch of Google's encrypted search option. We wanted a way to ensure that every search our browsers sent was encrypted. At the same time, we were also able to encrypt most or all of the browser's communications with some other sites:

  • Google Search
  • Wikipedia
  • Twitter and Identi.ca
  • Facebook
  • EFF and Tor
  • Ixquick, DuckDuckGo, Scroogle and other small search engines
  • and lots more!

While it does not actually provide encrypted connections everywhere, which would require that either every Web site in the world used SSL/TLS or actually used some kind of magic spell, it does eliminate some of the frustrations of trying to use encrypted connections to various websites. For instance, anyone who understands the importance of protecting usernames and passwords, and who knows about it, is likely to prefer using Wikipedia's encrypted login over its standard, unencrypted HTTP logins. Clicking a link in the search results of a major search engine (such as Google) is likely to result in being directed to the unencrypted version of the page, however.

If you prefer to use the encrypted version in links when referring others to Wikipedia as a subtle means of advocating for greater security awareness and better browsing privacy practices, this can prove especially annoying, since Wikipedia does not provide links on every page to the encrypted version of the page — which means you need to rewrite the protocol identifier part of the URL to use https:// instead of http:// before sharing the link.

With the HTTPS Everywhere extension for Firefox, however, you will be automatically redirected to the encrypted pages at the websites the extension supports, including Google search, Facebook, and Wikipedia (and, of course, the EFF and Tor Project sites).

An HTTPS Everywhere link on the EFF's announcement page takes you to a brief description of the functionality and limitations of the extension. Big blue button graphics on both the announcement and permanent HTTPS Everywhere pages offer immediate installation of the extension.

The explanation for HTTPS Everywhere, which is currently in public beta testing, describes the need for this extension:

Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site.

The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS.

There is also a page explaining how to write your own HTTPS Everywhere Rulesets, so that you can add support for more websites to the extension on your own system. After sufficient testing to be reasonably certain nobody else will have any problems with the ruleset, you can submit it back to the EFF for inclusion with the standard HTTPS Everywhere extension distribution.

The HTTPS Everywhere Firefox addon helps you encrypt web traffic entry at The Tor Blog goes into a little more technical detail about the implementation of the extension. In particular, it explains:

This tends to work more effectively than NoScript because many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may not offer all pages and applications via HTTPS, or may only allow HTTPS activity via alternate subdomains that require URL rewriting and redirection. In particular, Google's SSL search and Wikipedia both require rather complex URL rewriting and exception filters to work properly.

HTTPS Everywhere should also perform more securely than DOM-based mechanisms such as the GreaseMoney-based [sic] SSL Certificates Pro and the Google Chrome-based KB Enforcer. These addons perform redirection at the DOM level, which causes many HTTP fetches to leak prior to the redirect to HTTPS.

Hopefully, a version of this extension will be ported to Chromium-based browsers in the future, and will eventually be ported to other browsers as well. On the other hand, one must wonder whether Microsoft Internet Explorer users (for instance) would even use an extension like this.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

Editor's Picks