Developed by the EFF and the Tor Project

Jun 19, 2010 11:20 GMT  ·  By
The Electronic Frontier Foundation releases HTTPS Everywhere Firefox extension

The Electronic Frontier Foundation (EFF), one of the leading online privacy groups, together with the Tor Project, has developed a Firefox extension that automatically forces HTTPS connections for several major sites that support it. Dubbed HTTPS Everywhere, the add-on also allows users to add support for other websites by defining custom rulesets.

HTTPS (Hypertext Transfer Protocol Secure) connections are encrypted via SSL/TLS in order to prevent third parties from reading the data. Using this protocol is a must when browsing from public wireless networks or other environments where Man-in-the-Middle (MitM) attacks are easy to mount.

HTTPS is most commonly used on websites that require secure transactions, such as e-commerce or online banking portals. However, in the past two years, the protocol has begun to be deployed for even the most common browsing tasks, such as webmail sessions or even Web search.

In fact, "This Firefox extension was inspired by the launch of Google's encrypted search option," Peter Eckersley, a staff technologist for the Electronic Frontier Foundation, notes. "We wanted a way to ensure that every search our browsers sent was encrypted, including the search box and URL bar features. At the same time, we were also able to encrypt most or all of the browser's communications with other popular sites that support SSL, but don't provide it by default," Mike Perry, a core Tor Project developer, explains.

The extension is based on the STS (Strict Transport Security) implementation from NoScript, but, according to its creators, it is a lot more flexible. The STS specification defines a special response header field to be used by websites to tell browsers that all connections should be made over HTTPS.

The problem is that some websites use entirely different URLs for their HTTPS version. For example, Wikipedia's regular http://en.wikipedia.org/wiki/Term URL structure has https://secure.wikimedia.org/wikipedia/en/wiki/Term as its HTTPS counterpart. The extension solves this issue by using special rewrite rules, which support JavaScript regular expressions, as well as exclusions.
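
The kind of rewrite rule described above, as an added example that is not the extension's own code or ruleset format. The rule object shape, the `rewriteUrl` function and the example.com exclusion are assumptions made for illustration; the Wikipedia mapping uses the two URLs given in the article.

```javascript
// Hypothetical rule shape for illustration; not the extension's ruleset format.
const RULES = [
  {
    name: "Wikipedia",
    // Host and path layout differ on the HTTPS side, so capture groups
    // carry the language code ($1) and the article path ($2) across.
    // The ^ anchor keeps the rule from firing on a URL that merely
    // contains a Wikipedia address inside its query string.
    from: /^http:\/\/([a-z-]+)\.wikipedia\.org\/wiki\/(.*)$/,
    to: "https://secure.wikimedia.org/wikipedia/$1/wiki/$2",
    exclusions: [],
  },
  {
    name: "Placeholder site",
    from: /^http:\/\/(?:www\.)?example\.com\//,
    to: "https://www.example.com/",
    // Constructed exclusion: a path assumed to be unavailable over HTTPS.
    exclusions: [/^http:\/\/(?:www\.)?example\.com\/legacy\//],
  },
];

// Returns the rewritten URL, or the input unchanged when no rule applies.
// The first matching rule decides the outcome.
function rewriteUrl(url, rules = RULES) {
  for (const rule of rules) {
    if (!rule.from.test(url)) continue;
    // An exclusion wins over the rewrite and leaves the request as it was.
    if (rule.exclusions.some((ex) => ex.test(url))) return url;
    const target = url.replace(rule.from, rule.to);
    // Fail closed: a rule must never produce anything but an HTTPS URL.
    if (!target.startsWith("https://")) {
      throw new Error(`rule "${rule.name}" produced a non-HTTPS target`);
    }
    return target;
  }
  return url;
}
```
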

HTTPS Everywhere currently supports Google Search, Google Services, Wikipedia, Facebook, Twitter, PayPal, The Washington Post, The New York Times, EFF, Mozilla, Identica, The Tor Project, Duck Duck Go, Ixquick, Scroogle, Gentoo Bugzilla, and Noisebridge. Information for writing custom rules can be found here.

"Note that some of those sites still include a lot of content from third party domains that is not available over HTTPS. As always, if the browser's lock icon is broken or carries an exclamation mark, you may remain vulnerable to some adversaries that use active attacks or traffic analysis," the EFF warns.

Windows Firefox users can download HTTPS Everywhere from here.

Linux Firefox users can download HTTPS Everywhere from here.

Mac Firefox users can download HTTPS Everywhere from here.

You can follow the editor on Twitter @lconstantin.