18

I would like to know if one should use 'HTTPS everywhere' extension? Is it secure to use it? Are there any better alternatives?

HTTPS Everywhere is a Firefox and Chrome extension that encrypts your communications with many major websites, making your browsing more secure. Encrypt the web: Install HTTPS Everywhere today.

Rob W
  • 2,113
  • 18
  • 20
vaichidrewar
  • 283
  • 1
  • 2
  • 6
  • 2
    This seems a bit vague to me. In what sense do you want us to determine HTTPS Everywhere to be secure? What measure might qualify any alternatives to be "better"? – Iszi Jun 26 '12 at 16:29
  • Does the extension really do anything in-and-of-itself besides redirecting from `http://x` to `https://x` where `x` matches some site from a provided list that has opt-in HTTPS? (I have no experience with the add-on, so no real clue) – Nick T Nov 05 '13 at 18:50
  • @NickT That's pretty much it, yes. – forest Mar 30 '19 at 03:39

5 Answers5

13

EFF is a highly respected organization dedicated to protecting privacy in electronic communications. It would be against their interests to jeopardize people's privacy through their products.

  • 2
    +1 EFF are a highly ethical and respected organisation and you should trust them. – Mark Hillick Jun 26 '12 at 08:36
  • 4
    Their ethic may not be questionable, but what about their competence? – curiousguy Jun 26 '12 at 20:00
  • @curiousguy That's an absolutely valid question, and it does seem that, for a few years at least, they were even listed on the Plaintext Offenders websites! However, HTTPS Everywhere is a community maintained and actively developed extension with a solid reputation. – forest Mar 30 '19 at 03:40
4

You can also use NoScript to ensure your connections are over https. NoScript also comes with a tonne of other defences that include XSS protection, Clickjacking detection, ABE (kinda like a firewall in your browser) and many more. NoScript has been around for years and it's highly regarded and respected.

Mark Hillick
  • 2,124
  • 11
  • 14
  • NoScript has HTTPS enforcement on selected domains, but does it have URL rewriting? – curiousguy Jun 26 '12 at 09:06
  • Not afaik, it forces the connection to use https as you say. I don't believe it ensures a HTTPS connection as well as the EFF solution but it is an alternative :) – Mark Hillick Jun 26 '12 at 09:22
2

As I replied before, you should understand that you can still use SSLstrip against HTTPS Everywhere. By searching a bit, I also came across this link and this test (related to the previous link), it seems that HTTPSEverywhere does not protect you against spoofing attacks. Related to this topic, I could also find this one which contains a lot of good information, and this one on how to protect from sslstrip attacks.

Have fun reading ;)

AdventN
  • 411
  • 2
  • 4
1

I think this extension is quite simple and generally safe to use for two reasons:

Firstly, on Q. When does HTTPS Everywhere protect me? When does it not protect me? section on HTTPS Everywhere website FAQ page

HTTPS Everywhere depends entirely on the security features of the individual web sites that you use; it activates those security features, but it can't create them if they don't already exist.

This means the extension simply turn on HTTPS automatically if possible and does not communicate between the user's browser and the website.

Secondly, it is open sourced and the source code is public. It means anyone can access and read how the extension works if possible.

However, in my opinion, the description of the extension seems misleading, because it claims to 'encrypts your communications' on their website. This extension simply switches from http to https if possible and doesn't do anything with the transmission of the data.

baxang
  • 111
  • 2
  • By switching from http to https, the communication (transport) *is* encrypted. What's misleading about that? – Rob W Mar 24 '15 at 09:48
  • @RobW I said misleading because what HTTP Everywhere does is turning on the encryption, but actually perform encryption. IMHO, their description I quoted in the answer can mislead people to understand the extension can encrypts if the website they are using doesn't support SSL. – baxang Mar 25 '15 at 06:04
0

HTTPS Everywhere is a great feature but the issue I see is that it have dependency on the user browser and type of browser. Moreover if will be really tough to manage mobile and tablets browser.

It will be ideal if we handle HTTPS enforcement from your server itself. If you are hosting a very confidential portal, then you can go for secure session for all the pages (servlets etc) else you can enforce them on particular pages as well. I think we are bound to ensure the transport layer security when ever it is required from the server side itself. Hence pages where login/authenticate or confidential user data is displayed should be protected using HTTPS and the calling the link using HTTP should be denied by the server.

Sometimes it makes a sense not to enforce secure session for all pages or data for example images, as the session overhead will consume more bandwidth both for client and server.

As far security of HTTPS Everywhere is concerned, It could be secured but than you can't rely on its behavior and properties for security enforcement. Both ways you need to ensure that confidential pages or authentication pages have to go through HTTPS channel which is enforced from your server.

Mohit Sethi
  • 692
  • 4
  • 7