Author Topic: EFF's "HTTPS Everywhere" (Firefox/Chrome add-on) - quick review  (Read 13032 times)

IainB

The EFF's Firefox add-on HTTPS Everywhere is available from here.
This follows on from:
Speaking of HTTPS I want to suggest HTTPS Everywhere from the Electronic Frontier Foundation. It switches to HTTPS for a lot of sites.
The recent and likely future changes to laws imposing censorship and diminishing the user's right to freedom/privacy make it prudent to consider using this kind of tool.
I have been using this add-on for a while now, and it seems to work faultlessly to do what it was designed for.

From the EFF webpage:
HTTPS Everywhere 1.2 has been released, and the project is out of beta. Version 1.x releases include support for over 1,000 new sites, a better UI, and performance improvements. Click here to install it!

HTTPS Everywhere is a Firefox extension produced as a collaboration between The Tor Project and the Electronic Frontier Foundation. It encrypts your communications with a number of major websites. Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS. Firefox users can get it by clicking here...
You will find more information if you go to the webpage. Its background is interesting.

EDIT: Note that there's now also a Chrome version of the HTTPS Everywhere add-on. (The subject title of this post has been changed to reflect that fact.)
« Last Edit: March 01, 2012, 04:42 PM by IainB, Reason: Updated 2012-03-02 1131hrs (see "EDIT"). »

IainB

Re: HTTPS Everywhere (Firefox add-on) - quick review
« Reply #1 on: March 01, 2012, 04:28 PM »
"SSL Observatory" looks like a really constructive and potentially very useful research idea.
Note that there's now also a Chrome version of the HTTPS Everywhere add-on.

From the EFF (Electronic Frontier Foundation) Deeplinks blog: HTTPS Everywhere & the Decentralized SSL Observatory

February 29, 2012 | By Peter Eckersley
HTTPS Everywhere & the Decentralized SSL Observatory

Earlier this week we released version 2.0.1 of HTTPS Everywhere for Firefox, and also, a new beta version for Chrome! You can install HTTPS Everywhere here: [link not copied]

Firefox users will find a number of improvements in version 2.0. In addition to support for four hundred more sites, a crisper user interface, and translation into a dozen languages, there is a new optional feature called the Decentralized SSL Observatory. It detects and warns about security vulnerabilities as you browse the Web. Firefox users can turn on this setting from the Tools->HTTPS Everywhere->SSL Observatory Preferences menu, or from the HTTPS Everywhere toolbar button, which looks like this:
[Screenshot of HTTPS Everywhere Firefox toolbar button not copied]

In that Preferences page, check the box marked "Use the Observatory": [Screenshot image not copied]

If you turn on this feature, it will send anonymous copies of certificates for HTTPS websites to EFF's SSL Observatory database, which will allow us to study them and detect problems with the web's cryptographic and security infrastructure. The Decentralized SSL Observatory is also capable of giving real-time warnings about these problems.

At the moment, the Observatory will give warnings if you connect to a router, VPN, firewall or similar device that has an insecure private key due to the random number generator vulnerabilities that were recently discovered by two teams of researchers, using data from the SSL Observatory and other sources. We will be adding more kinds of certificate and key auditing to the Decentralized Observatory in the future.

Boydon

Re: EFF's "HTTPS Everywhere" (Firefox/Chrome add-on) - quick review
« Reply #2 on: March 07, 2012, 06:10 AM »
You may also be interested in HTTPS Finder. :)

IainB

Re: EFF's "HTTPS Everywhere" (Firefox/Chrome add-on) - quick review
« Reply #3 on: March 13, 2012, 04:25 AM »
You may also be interested in HTTPS Finder. :)
Thanks for this @Boydon.
I have only just now got a round tuit and installed HTTPS Finder. I did so because it apparently overcomes this major limitation (from https://www.eff.org/https-everywhere):
HTTPS Everywhere can protect you only when you're using sites that support HTTPS and for which HTTPS Everywhere includes rules. If sites you use don't support HTTPS, ask the site operators to add it; only the site operator is able to enable HTTPS. There is more information and instruction on how server operators can do that in the EFF article How to Deploy HTTPS Correctly.

As it says at https://code.google.com/p/https-finder/ :
What is HTTPS Finder?
HTTPS Finder automatically detects and enforces valid HTTPS connections as you browse, as well as automating the rule creation process for HTTPS-Everywhere (instead of having to manually type "https://" in the address bar to test, and writing your own XML rule for it).

The extension sends a small HTTPS request to each HTTP page you browse to. If there is a response, the certificate is checked for validity (any certificate errors will result in no notification, and no further detection requests during that session). If valid, HTTPS is automatically enforced (can be disabled for an alert only, with no redirect), and the user is given an option to save the auto-generated rule for HTTPS Everywhere. It is recommended to create rules whenever possible, as it more securely enforces secure connections.
Looks ruddy brilliant. Let's see how it works in practice.

I am now running a suck-it-and-see trial of HTTPS Finder.

ewemoa

Re: EFF's "HTTPS Everywhere" (Firefox/Chrome add-on) - quick review
« Reply #4 on: July 03, 2012, 03:18 AM »
As I didn't succeed in turning up a ruleset for DC, I made an attempt as follows...

I put the following in a file named DonationCoder.xml within the HTTPSEverywhereUserRules subdirectory of my profile directory and restarted FF -- so far it looks like it's working:

Code: Text
  <ruleset name="DonationCoder">
    <target host="www.donationcoder.com" />
    <target host="donationcoder.com" />

    <!-- Rewrite http:// requests for either hostname to https://donationcoder.com/ -->
    <rule from="^http://(www\.)?donationcoder\.com/" to="https://donationcoder.com/"/>
  </ruleset>
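
A way to check a user rule like the one above before dropping it into the profile directory (an added example, not part of the original post and not HTTPS Everywhere's own code): it parses the ruleset, rewrites sample URLs the way the rule describes, and flags rules that are unanchored or do not end up on https. The function names are made up for illustration, target hosts are matched exactly (wildcard targets are not handled), and the test URLs are constructed.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# The ruleset from the post above, embedded as sample input.
RULESET_XML = r"""
<ruleset name="DonationCoder">
  <target host="www.donationcoder.com" />
  <target host="donationcoder.com" />
  <rule from="^http://(www\.)?donationcoder\.com/" to="https://donationcoder.com/"/>
</ruleset>
"""

def load_ruleset(xml_text):
    """Return (targets, rules); rules are (compiled 'from' regex, 'to' template) pairs."""
    root = ET.fromstring(xml_text.strip())
    targets = [t.get("host").lower() for t in root.findall("target")]
    rules = []
    for r in root.findall("rule"):
        # Rulesets use JavaScript-style $1 backreferences; Python's re wants \g<1>.
        to = re.sub(r"\$(\d)", r"\\g<\1>", r.get("to"))
        rules.append((re.compile(r.get("from")), to))
    return targets, rules

def rewrite(url, targets, rules):
    """Apply the first matching rule, but only if the URL's host is a listed target."""
    host = (urlsplit(url).hostname or "").lower()
    if host not in targets:  # exact match only; wildcard targets are out of scope here
        return url
    for pattern, to in rules:
        new_url, count = pattern.subn(to, url, count=1)
        if count:
            return new_url
    return url

def lint(rules):
    """Report rules that are unanchored or that do not end up on https."""
    problems = []
    for pattern, to in rules:
        if not pattern.pattern.startswith("^http:"):
            problems.append(f"{pattern.pattern!r}: 'from' is not anchored at ^http:")
        if not to.startswith("https:"):
            problems.append(f"{pattern.pattern!r}: 'to' is not an https URL")
    return problems

if __name__ == "__main__":
    targets, rules = load_ruleset(RULESET_XML)
    for u in ("http://www.donationcoder.com/forum/", "http://donationcoder.com.example.net/"):
        print(u, "->", rewrite(u, targets, rules))
    print("lint:", lint(rules) or "no problems")
```

Note that the rule sends both hostnames to the non-www form, so the certificate served on donationcoder.com has to be valid for that name.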

IainB

Re: EFF's "HTTPS Everywhere" (Firefox/Chrome add-on) - quick review
« Reply #5 on: July 03, 2012, 12:09 PM »
@ewemoa: That's nifty, thanks!      :Thmbsup:

Carol Haynes

Re: EFF's "HTTPS Everywhere" (Firefox/Chrome add-on) - quick review
« Reply #6 on: July 03, 2012, 12:50 PM »
Strange I didn't know donationcoder.com had https ?

Edit: Plus a limitation - I posted the above note but when I look at unread posts it still appeared - I read it again thinking someone had posted a response and yet it was still marked as unread - obviously https doesn't play nicely with SMF ???

ewemoa

Re: EFF's "HTTPS Everywhere" (Firefox/Chrome add-on) - quick review
« Reply #7 on: July 03, 2012, 05:11 PM »
Edit: Plus a limitation - I posted the above note but when I look at unread posts it still appeared - I read it again thinking someone had posted a response and yet it was still marked as unread - obviously https doesn't play nicely with SMF ???
-Carol Haynes (July 03, 2012, 12:50 PM)

I think I experience this as well.  FWIW, I've been using https / SSL with DC for a bit and IIRC it wasn't always this way.

ewemoa

Re: EFF's "HTTPS Everywhere" (Firefox/Chrome add-on) - quick review
« Reply #8 on: July 03, 2012, 05:13 PM »
thanks!

Sure thing :)

Now if this ruleset could get merged into the defaults, we won't have to go through manual set up ;)