EFF's "HTTPS Everywhere" (Firefox/Chrome add-on) - quick review

IainB:
The EFF's Firefox add-on HTTPS Everywhere is available from here.
This follows on from:
Speaking of HTTPS I want to suggest HTTPS Everywhere from the Electronic Frontier Foundation. It switches to HTTPS for a lot of sites.
-housetier (February 01, 2011, 02:57 PM)
--- End quote ---
The recent and likely future changes to laws imposing censorship and diminishing the user's right to freedom/privacy make it prudent to consider using this kind of tool.
I have been using this add-on for a while now, and it seems to work faultlessly to do what it was designed for.

From the EFF webpage:
HTTPS Everywhere 1.2 has been released, and the project is out of beta. Version 1.x releases include support for over 1,000 new sites, a better UI, and performance improvements. Click here to install it!

HTTPS Everywhere is a Firefox extension produced as a collaboration between The Tor Project and the Electronic Frontier Foundation. It encrypts your communications with a number of major websites. Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS. Firefox users can get it by clicking here...

--- End quote ---
You will find more information if you go to the webpage. Its background is interesting.

EDIT: Note that there's now also a Chrome version of the HTTPS Everywhere add-on. (The subject title of this post has been changed to reflect that fact.)

IainB:
"SSL Observatory" looks like a really constructive and potentially very useful research idea.
Note that there's now also a Chrome version of the HTTPS Everywhere add-on.

From the EFF (Electronic Frontier Foundation) Deeplinks blog: HTTPS Everywhere & the Decentralized SSL Observatory

February 29, 2012 | By Peter Eckersley
HTTPS Everywhere & the Decentralized SSL Observatory

Earlier this week we released version 2.0.1 of HTTPS Everywhere for Firefox, and also, a new beta version for Chrome! You can install HTTPS Everywhere here: [link not copied]

Firefox users will find a number of improvements in version 2.0. In addition to support for four hundred more sites, a crisper user interface, and translation into a dozen languages, there is a new optional feature called the Decentralized SSL Observatory. It detects and warns about security vulnerabilities as you browse the Web. Firefox users can turn on this setting from the Tools->HTTPS Everywhere->SSL Observatory Preferences menu, or from the HTTPS Everywhere toolbar button, which looks like this:
[Screenshot of HTTPS Everywhere Firefox toolbar button not copied]

In that Preferences page, check the box marked "Use the Observatory": [Screenshot image not copied]

If you turn on this feature, it will send anonymous copies of certificates for HTTPS websites to EFF's SSL Observatory database, which will allow us to study them and detect problems with the web's cryptographic and security infrastructure. The Decentralized SSL Observatory is also capable of giving real-time warnings about these problems.

At the moment, the Observatory will give warnings if you connect to a router, VPN, firewall or similar device that has an insecure private key due to the random number generator vulnerabilities that were recently discovered by two teams of researchers, using data from the SSL Observatory and other sources. We will be adding more kinds of certificate and key auditing to the Decentralized Observatory in the future.

--- End quote ---

Boydon:
You may also be interested in HTTPS Finder. :)

IainB:
You may also be interested in HTTPS Finder. :)
-Boydon (March 07, 2012, 06:10 AM)
--- End quote ---
Thanks for this @Boydon.
I have only just now got a round tuit and installed HTTPS Finder. I did so because it apparently overcomes this major limitation (from https://www.eff.org/https-everywhere):
HTTPS Everywhere can protect you only when you're using sites that support HTTPS and for which HTTPS Everywhere includes rules. If sites you use don't support HTTPS, ask the site operators to add it; only the site operator is able to enable HTTPS. There is more information and instruction on how server operators can do that in the EFF article How to Deploy HTTPS Correctly.

--- End quote ---

As it says at https://code.google.com/p/https-finder/ :
What is HTTPS Finder?
HTTPS Finder automatically detects and enforces valid HTTPS connections as you browse, as well as automating the rule creation process for HTTPS-Everywhere (instead of having to manually type "https://" in the address bar to test, and writing your own XML rule for it).

The extension sends a small HTTPS request to each HTTP page you browse to. If there is a response, the certificate is checked for validity (any certificate errors will result in no notification, and no further detection requests during that session). If valid, HTTPS is automatically enforced (can be disabled for an alert only, with no redirect), and the user is given an option to save the auto-generated rule for HTTPS Everywhere. It is recommended to create rules whenever possible, as it more securely enforces secure connections.

--- End quote ---
Looks ruddy brilliant. Let's see how it works in practice.

I am now running a suck-it-and-see trial of HTTPS Finder.

ewemoa:
As I didn't succeed in turning up a ruleset for DC, I made an attempt as follows...

I put the following in a file named DonationCoder.xml within the HTTPSEverywhereUserRules subdirectory of my profile directory and restarted FF -- so far it looks like it's working:


--- Code: Text ---
<ruleset name="DonationCoder">
  <target host="www.donationcoder.com" />
  <target host="donationcoder.com" />

  <rule from="^http://(www\.)?donationcoder\.com/" to="https://donationcoder.com/"/>
</ruleset>
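
Added example (not part of ewemoa's post and not HTTPS Everywhere's own code): a simplified Python model of how a ruleset like the one above is applied, useful for checking which URLs a user rule upgrades before relying on it. Assumptions: targets are matched as exact hostnames only, the first matching rule wins, and the sample URLs (including forum.donationcoder.com and the .example.net host) are constructed.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# The ruleset as posted above.
RULESET_XML = r"""<ruleset name="DonationCoder">
  <target host="www.donationcoder.com" />
  <target host="donationcoder.com" />
  <rule from="^http://(www\.)?donationcoder\.com/" to="https://donationcoder.com/"/>
</ruleset>"""

# Constructed sample URLs; the last two hosts are made up for the test.
SAMPLE_URLS = [
    "http://www.donationcoder.com/forum/index.php?topic=1",
    "http://donationcoder.com/",
    "https://www.donationcoder.com/",         # already HTTPS
    "http://forum.donationcoder.com/",        # subdomain with no <target>
    "http://donationcoder.com.example.net/",  # lookalike host
]

def load_ruleset(xml_text):
    """Return (set of target hosts, list of (compiled from-regex, to-template))."""
    root = ET.fromstring(xml_text)
    targets = {t.get("host").lower() for t in root.findall("target")}
    rules = []
    for rule in root.findall("rule"):
        # Rules use JavaScript-style $1 backreferences; Python needs \g<1>.
        to = re.sub(r"\$(\d)", r"\\g<\1>", rule.get("to"))
        rules.append((re.compile(rule.get("from")), to))
    return targets, rules

def rewrite(url, targets, rules):
    """Return the rewritten URL, or None if the ruleset leaves the URL alone."""
    host = (urlsplit(url).hostname or "").lower()
    if host not in targets:        # exact-host match only (assumption of this sketch)
        return None
    for pattern, to in rules:      # first matching rule wins (assumption)
        new_url, count = pattern.subn(to, url, count=1)
        if count:
            return new_url
    return None

def check_samples():
    """Map every sample URL to its rewrite result."""
    targets, rules = load_ruleset(RULESET_XML)
    return {url: rewrite(url, targets, rules) for url in SAMPLE_URLS}

if __name__ == "__main__":
    for url, result in check_samples().items():
        print(f"{url} -> {result or 'unchanged'}")
```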
