On June 17th 2010, EFF and the Tor Project released the Firefox extension HTTPS Everywhere. There are thousands of Firefox extensions, almost all of which I couldn't care less about. I have no interest in clogging up my browser with additional icons, buttons & menu items that do something Firefox already does in a slightly different way, or that will save you 1 mouse click in 10 for a function you don't use anyway. Or, even worse, that attempt to make a browser the only piece of software on your computer. I don't want a browser that is an FTP client, a mail client, a diary, a kitchen sink. All I want a browser to be is a browser. I know a browser can do all these things (except a kitchen sink) but a browser doesn't do these things well. That's my opinion anyway. So I avoid installing plug-ins and extensions for the sake of it. HTTPS Everywhere is not one of those extensions.
Any extension that improves security is worth a look. The principle of HTTPS Everywhere is simple: when you visit a supported website you load the HTTPS version. This means the content is encrypted. No-one can sniff your traffic. Not your ISP, the company interested in selling your browsing activities to marketing companies as an additional revenue stream. Not the government, where the nanny state has run amok and cannot be trusted to keep its nose out of your business. Not a criminal, who is attempting to profit from account credentials or hijacked sessions, all in an attempt to help you by lightening your bank account.
You may have thought your data, your traffic, was encrypted all along. It isn't; encryption is an additional burden that the sites you visit have avoided. Your traffic can currently be viewed unless you are connected via HTTPS. How can you tell? Check your address bar (yes grandma, the long thin bar at the top of your browser). If the address starts with HTTP, with no S, the session is not encrypted. If it starts with HTTPS it is. It's that simple.
There is a light at the end of the tunnel: in this day and age many sites do support HTTPS for all their content. By default your browser still looks for the insecure HTTP content unless told to do otherwise. That's what HTTPS Everywhere does. It forces the supported sites, of which there are currently few, to use HTTPS. The ISP, the nanny state & the criminals can still see which server you are connected to, but they don't know what you are doing there. On big sites like Google or Wikipedia this offers considerable privacy protection, as you could literally be doing anything there. On a XXX server it's a bit more obvious, although they still don't know exactly what you are browsing. Most small sites are on shared hosting: one server, many sites. In which case they wouldn't even know what site you are on, let alone what you're doing there.
The extension version is only 0.2.2. So it is young and few sites are currently supported. The good news is that more will be supported over time. After all this extension was originally inspired by the launch of Google's encrypted search option. Yes Google didn't want others to see what you were searching for. I think they did that for a different reason though. They wanted control of who would have access to this information, THEM. But that's another article.
Currently supported sites:
- Google Search
- Google APIs
- Google Services
- Wikipedia
- Amazon (most of)
- GMX
- Wordpress.com blogs
- The New York Times
- The Washington Post
- Paypal
- EFF
- Tor
- Ixquick
- DuckDuckGo
- Identica
- Live
- Mail.com
- Meebo
- Microsoft
- Mozilla
- NL Overheid
- Scroogle
- Gentoo Bugzilla
- Noisebridge
- Zoho
You might think that's a pretty short list and you're right, it is a short list. But on the list we have mail providers, search engines, blogs, micro blogs, newspapers, shops, social networks, software vendors, hackspaces, Wikipedia, payment providers. Basically a bit of everything, including some very big names. As is often the case, big names lead the way. Google, Paypal, Twitter, Facebook, Microsoft and Wikipedia are the biggest at what they do. If they are supporting 100% HTTPS, then others will follow.
What's even better is YOU can write your own rules. The EFF have a guide on their website that shows you how: https://www.eff.org/https-everywhere/rulesets. A ruleset is a simple XML file. Do bear in mind, you can only write a rule for a site that supports HTTPS.
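To show what such a ruleset looks like and how its rules turn an HTTP address into an HTTPS one, here is an added example (not code from the extension or from EFF). The ruleset is a constructed sample for the placeholder domain example.com using the `target`, `exclusion` and `rule` elements from EFF's ruleset guide; the function names `parseRuleset`, `hostMatches` and `rewrite` are hypothetical, and the attribute extraction is a minimal stand-in for a real XML parser.

```javascript
// Constructed sample ruleset (placeholder domain example.com).
const RULESET_XML = String.raw`
<ruleset name="Example (constructed)">
  <target host="example.com" />
  <target host="*.example.com" />
  <exclusion pattern="^http://static\.example\.com/legacy/" />
  <rule from="^http://(www\.)?example\.com/" to="https://$1example.com/" />
  <rule from="^http://([^/:@.]+)\.example\.com/" to="https://$1.example.com/" />
</ruleset>`;

// Minimal attribute extraction, good enough for this sample only.
function attrs(xml, tag, name) {
  const re = new RegExp(`<${tag}\\b[^>]*\\b${name}="([^"]*)"`, "g");
  return [...xml.matchAll(re)].map((m) => m[1]);
}

function parseRuleset(xml) {
  const from = attrs(xml, "rule", "from");
  const to = attrs(xml, "rule", "to");
  return {
    targets: attrs(xml, "target", "host"),
    exclusions: attrs(xml, "exclusion", "pattern").map((p) => new RegExp(p)),
    rules: from.map((f, i) => ({ from: new RegExp(f), to: to[i] })),
  };
}

// A target is an exact host, or "*.domain" for any subdomain of it.
function hostMatches(target, host) {
  if (target.startsWith("*.")) return host.endsWith(target.slice(1));
  return host === target;
}

// Returns the HTTPS address if a rule applies, else the address unchanged.
function rewrite(ruleset, url) {
  const u = new URL(url);
  const href = u.href; // normalised form, e.g. adds the trailing "/"
  if (u.protocol !== "http:") return href;
  if (!ruleset.targets.some((t) => hostMatches(t, u.hostname))) return href;
  if (ruleset.exclusions.some((re) => re.test(href))) return href;
  for (const { from, to } of ruleset.rules) {
    if (from.test(href)) return href.replace(from, to); // first match wins
  }
  return href;
}

const RULESET = parseRuleset(RULESET_XML);
console.log(rewrite(RULESET, "http://www.example.com/login"));
```

The exclusion line is there for the caveat above: any part of a site that does not work over HTTPS has to be left out, or the rule breaks that page.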
That about wraps up HTTPS Everywhere extension for Firefox. Until next time.
Two more Firefox extensions to do with Secure Sockets Layer / Transport Layer Security https:// encrypted web sessions, which are worth considering:
CipherFox
You can also optionally control the use of the Alleged RC4 cipher, which many people think is too weak for modern day use.
It is interesting to see which cryptographic ciphers a particular website / web browser combination actually uses in practice e.g. very few use the Camellia cipher which is now supported by Firefox and GnuPG and some OpenPGP software as an alternative to the standard AES. e.g. https://chat.wikileaks.org/
Obviously you do not want to be a victim of a weak SSL v2 or a weak 40 bit (or even null zero bit) encryption downgrade attack, which are still allowed in the standards, but which offer no practical protection these days.
Also useful, given the recent publicity about top level Certificate Authorities coming under Government pressure is Certificate Patrol which will warn you if a web site's Digital Certificate changes unexpectedly, which may be a warning of a Man-in-the-Middle attack or other suspicious Certificate Authority tampering.