HTTPS Everywhere

Last updated

HTTPS Everywhere
Developer(s) Electronic Frontier Foundation and The Tor Project
Stable release
2022.5.24 / May 25, 2022;10 months ago (2022-05-25) [1] [2]
Repository
Written in JavaScript, Python
Platform Firefox for Android
Google Chrome
Mozilla Firefox
Opera
Vivaldi
Microsoft Edge
Type Browser extension
License GNU GPL v3+ (most code is v2 compatible) [3]
Website www.eff.org/https-everywhere
As ofApril 2014

HTTPS Everywhere is a discontinued free and open-source browser extension for Google Chrome, Microsoft Edge, Mozilla Firefox, Opera, Brave, Vivaldi and Firefox for Android, which is developed collaboratively by The Tor Project and the Electronic Frontier Foundation (EFF). [4] It automatically makes websites use a more secure HTTPS connection instead of HTTP, if they support it. [5] The option "Encrypt All Sites Eligible" makes it possible to block and unblock all non-HTTPS browser connections with one click. [6] Due to the widespread adoption of HTTPS on the World Wide Web, and the integration of HTTPS-only mode on major browsers, the extension was retired in January 2023. [7]

Contents

Development

HTTPS Everywhere was inspired by Google's increased use of HTTPS [8] and is designed to force the usage of HTTPS automatically whenever possible. [9] The code, in part, is based on NoScript's HTTP Strict Transport Security implementation, but HTTPS Everywhere is intended to be simpler to use than No Script's forced HTTPS functionality which requires the user to manually add websites to a list. [4] The EFF provides information for users on how to add HTTPS rulesets to HTTPS Everywhere, [10] and information on which websites support HTTPS. [11]

Platform support

A public beta of HTTPS Everywhere for Firefox was released in 2010, [12] and version 1.0 was released in 2011. [13] A beta for Chrome was released in February 2012. [14] In 2014, a version was released for Android phones. [15]

SSL Observatory

The SSL Observatory is a feature in HTTPS Everywhere introduced in version 2.0.1 [14] which analyzes public key certificates to determine if certificate authorities have been compromised, [16] and if the user is vulnerable to man-in-the-middle attacks. [17] In 2013, the ICANN Security and Stability Advisory Committee (SSAC) noted that the data set used by the SSL Observatory often treated intermediate authorities as different entities, thus inflating the number of certificate authorities. The SSAC criticized SSL Observatory for potentially significantly undercounting internal name certificates, and noted that it used a data set from 2010. [18]

Continual Ruleset Updates

The update to Version 2018.4.3, shipped on 3 April 2018, introduces the "Continual Ruleset Updates" function. [19] To apply up-to-date https-rules, this update function executes one rule-matching within 24 hours. A website called https-rulesets was built by the EFF for this purpose. [20] This automated update function can be disabled in the add-on settings. Prior to the update- mechanism there have been ruleset-updates only through app-updates. Even after this feature was implemented there are still bundled rulesets shipped within app-updates.

Reception

Two studies have recommended building HTTPS Everywhere functionality into Android browsers. [21] [22] In 2012, Eric Phetteplace described it as "perhaps the best response to Firesheep-style attacks available for any platform". [23] In 2011, Vincent Toubiana and Vincent Verdot pointed out some drawbacks of the HTTPS Everywhere add-on, including that the list of services which support HTTPS needs maintaining, and that some services are redirected to HTTPS even though they are not yet available in HTTPS, not allowing the user of the extension to get to the service. [24] Other criticisms are that users may be misled to believe that if HTTPS Everywhere does not switch a site to HTTPS, it is because it does not have an HTTPS version, while it could be that the site manager has not submitted an HTTPS ruleset to the EFF, [25] and that because the extension sends information about the sites the user visits to the SSL Observatory, this could be used to track the user. [25]

Legacy

HTTPS Everywhere initiative inspired opportunistic encryption alternatives:

See also

Related Research Articles

<span class="mw-page-title-main">HTTPS</span> Extension of the HTTP communications protocol to support TLS encryption

Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It uses encryption for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS) or, formerly, Secure Sockets Layer (SSL). The protocol is therefore also referred to as HTTP over TLS, or HTTP over SSL.

<span class="mw-page-title-main">Web browser</span> Software used to navigate the internet

A web browser is an application for accessing websites. When a user requests a web page from a particular website, the browser retrieves its files from a web server and then displays the page on the user's screen. Browsers are used on a range of devices, including desktops, laptops, tablets, and smartphones. In 2020, an estimated 4.9 billion people have used a browser. The most used browser is Google Chrome, with a 65% global market share on all devices, followed by Safari with 18%.

The File Transfer Protocol (FTP) is a standard communication protocol used for the transfer of computer files from a server to a client on a computer network. FTP is built on a client–server model architecture using separate control and data connections between the client and the server. FTP users may authenticate themselves with a clear-text sign-in protocol, normally in the form of a username and password, but can connect anonymously if the server is configured to allow it. For secure transmission that protects the username and password, and encrypts the content, FTP is often secured with SSL/TLS (FTPS) or replaced with SSH File Transfer Protocol (SFTP).

Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible.

<span class="mw-page-title-main">Firefox</span> Free and open-source web browser by Mozilla

Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation. It uses the Gecko rendering engine to display web pages, which implements current and anticipated web standards. In November 2017, Firefox began incorporating new technology under the code name "Quantum" to promote parallelism and a more intuitive user interface. Firefox is available for Windows 7 and later versions, macOS, and Linux. Its unofficial ports are available for various Unix and Unix-like operating systems, including FreeBSD, OpenBSD, NetBSD, illumos, and Solaris Unix. It is also available for Android and iOS. However, as with all other iOS web browsers, the iOS version uses the WebKit layout engine instead of Gecko due to platform requirements. An optimized version is also available on the Amazon Fire TV as one of the two main browsers available with Amazon's Silk Browser.

In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the validity of a public key. The certificate includes information about the key, information about the identity of its owner, and the digital signature of an entity that has verified the certificate's contents. If the signature is valid, and the software examining the certificate trusts the issuer, then it can use that key to communicate securely with the certificate's subject. In email encryption, code signing, and e-signature systems, a certificate's subject is typically a person or organization. However, in Transport Layer Security (TLS) a certificate's subject is typically a computer or other device, though TLS certificates may identify organizations or individuals in addition to their core role in identifying devices. TLS, sometimes called by its older name Secure Sockets Layer (SSL), is notable for being a part of HTTPS, a protocol for securely browsing the web.

In cryptography, a certificate authority or certification authority (CA) is an entity that stores, signs, and issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. A CA acts as a trusted third party—trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. The format of these certificates is specified by the X.509 or EMV standard.

The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 6960 and is on the Internet standards track. It was created as an alternative to certificate revocation lists (CRL), specifically addressing certain problems associated with using CRLs in a public key infrastructure (PKI). Messages communicated via OCSP are encoded in ASN.1 and are usually communicated over HTTP. The "request/response" nature of these messages leads to OCSP servers being termed OCSP responders.

This is a comparison of both historical and current web browsers based on developer, engine, platform(s), releases, license, and cost.

Xcitium, formerly known as Comodo Security Solutions, Inc., is a cybersecurity company headquartered in Bloomfield, New Jersey.

NoScript is a free and open-source extension for Firefox- and Chromium-based web browsers, written and maintained by Giorgio Maone, an Italian software developer and member of the Mozilla Security Group.

Opportunistic encryption (OE) refers to any system that, when connecting to another system, attempts to encrypt communications channels, otherwise falling back to unencrypted communications. This method requires no pre-arrangement between the two systems.

Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. The extension allows a server to present one of multiple possible certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites to be served by the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 name-based virtual hosting, but for HTTPS. This also allows a proxy to forward client traffic to the right server during TLS/SSL handshake. The desired hostname is not encrypted in the original SNI extension, so an eavesdropper can see which site is being requested. The SNI extension was specified in 2003 in RFC3546.

<span class="mw-page-title-main">Google Chrome</span> Web browser developed by Google

Google Chrome is a cross-platform web browser developed by Google. It was first released in 2008 for Microsoft Windows, built with free software components from Apple WebKit and Mozilla Firefox. Versions were later released for Linux, macOS, iOS, and also for Android, where it is the default browser. The browser is also the main component of ChromeOS, where it serves as the platform for web applications.

Browser security is the application of Internet security to web browsers in order to protect networked data and computer systems from breaches of privacy or malware. Security exploits of browsers often use JavaScript, sometimes with cross-site scripting (XSS) with a secondary payload using Adobe Flash. Security exploits can also take advantage of vulnerabilities that are commonly exploited in all browsers.

Encrypted Media Extensions (EME) is a W3C specification for providing a communication channel between web browsers and the Content Decryption Module (CDM) software which implements digital rights management (DRM). This allows the use of HTML5 video to play back DRM-wrapped content such as streaming video services without the use of heavy third-party media plugins like Adobe Flash or Microsoft Silverlight. The use of a third-party key management system may be required, depending on whether the publisher chooses to scramble the keys.

<span class="mw-page-title-main">Privacy Badger</span> Browser extension

Privacy Badger is a free and open-source browser extension for Google Chrome, Mozilla Firefox, Opera, and Firefox for Android created by the Electronic Frontier Foundation (EFF). Its purpose is to promote a balanced approach to internet privacy between consumers and content providers by blocking advertisements and tracking cookies that do not respect the Do Not Track setting in a user's web browser. A second purpose, served by free distribution, has been to encourage membership in and donation to the EFF.

Let's Encrypt is a non-profit certificate authority run by Internet Security Research Group (ISRG) that provides X.509 certificates for Transport Layer Security (TLS) encryption at no charge. It is the world's largest certificate authority, used by more than 300 million websites, with the goal of all websites being secure and using HTTPS. The Internet Security Research Group (ISRG), the provider of the service, is a public benefit organization. Major sponsors include the Electronic Frontier Foundation (EFF), the Mozilla Foundation, OVH, Cisco Systems, Facebook, Google Chrome, Internet Society, AWS, NGINX, and Bill and Melinda Gates Foundation. Other partners include the certificate authority IdenTrust, the University of Michigan (U-M), and the Linux Foundation.

<span class="mw-page-title-main">Peter Eckersley (computer scientist)</span> Australian computer scientist (1978/1979–2022)

Peter Daniel Eckersley was an Australian computer scientist, computer security researcher and activist. From 2006 to 2018, he worked at the Electronic Frontier Foundation, including as chief computer scientist and head of AI policy. In 2018, he left the EFF to become director of research at the Partnership on AI, a position he held until 2020. In 2021, he co-founded the AI Objectives Institute.

Version history for TLS/SSL support in web browsers tracks the implementation of Transport Layer Security protocol versions in major web browsers.

References

  1. "Changelog.txt". Electronic Frontier Foundation . Retrieved 27 June 2019.
  2. "Releases · EFForg/https-everywhere". GitHub . Retrieved 16 June 2018.
  3. HTTPS Everywhere Development Electronic Frontier Foundation
  4. 1 2 "HTTPS Everywhere". Electronic Frontier Foundation . Retrieved 14 April 2014.
  5. "HTTPS Everywhere reaches 2.0, comes to Chrome as beta". H-online.com . 29 February 2012. Retrieved 14 April 2014.
  6. "HTTPS Everywhere Changelog".
  7. Update on HTTPS Everywhere, Electronic Frontier Foundation, 12 January 2023, retrieved 12 January 2023
  8. "Automatic web encryption (almost) everywhere - The H Open Source: News and Features". H-online.com. 18 June 2010. Archived from the original on 23 June 2010. Retrieved 15 April 2014.
  9. Murphy, Kate (16 February 2011). "New Hacking Tools Pose Bigger Threats to Wi-Fi Users". The New York Times .
  10. "HTTPS Everywhere Rulesets". Electronic Frontier Foundation. 24 January 2014. Retrieved 19 May 2014.
  11. "HTTPS Everywhere Atlas". Electronic Frontier Foundation . Retrieved 24 May 2014.
  12. Mills, Elinor (18 June 2010). "Firefox add-on encrypts sessions with Facebook, Twitter". CNET . Retrieved 14 April 2014.
  13. Gilbertson, Scott (5 August 2011). "Firefox Security Tool HTTPS Everywhere Hits 1.0". Wired . Retrieved 14 April 2014.
  14. 1 2 Eckersley, Peter (29 February 2012). "HTTPS Everywhere & the Decentralized SSL Observatory". Electronic Frontier Foundation . Retrieved 4 June 2014.
  15. Brian, Matt (27 January 2014). "Browsing on your Android phone just got safer, thanks to the EFF". Engadget . Retrieved 14 April 2014.
  16. Lemos, Robert (21 September 2011). "EFF builds system to warn of certificate breaches". InfoWorld . Retrieved 14 April 2014.
  17. Vaughan, Steven J. (28 February 2012). "New 'HTTPS Everywhere' Web browser extension released". ZDNet . Retrieved 14 April 2014.
  18. "1 SSAC Advisory on Internal Name Certificates" (PDF). ICANN Security and Stability Advisory Committee (SSAC). 15 March 2013.
  19. Abrams, Lawrence (5 April 2018). "HTTPS Everywhere Now Delivers New Rulesets Without Upgrading Extension". BleepingComputer.
  20. www.https-rulesets.org https://www.https-rulesets.org/ . Retrieved 12 September 2022.{{cite web}}: Missing or empty |title= (help)
  21. Fahl, Sascha; et al. "Why Eve and Mallory love Android: An analysis of Android SSL (in)security" (PDF). Proceedings of the 2012 ACM Conference on Computer and Communications Security. ACM, 2012. Archived from the original (PDF) on 8 January 2013.
  22. Davis, Benjamin; Chen, Hao (2013). "Retro Skeleton". Proceedings of the 11th annual international conference on Mobile systems, applications, and services - Mobi Sys '13 (published June 2013). pp. 181–192. doi:10.1145/2462456.2464462. ISBN   9781450316729. S2CID   668399.
  23. Kern, M. Kathleen, and Eric Phetteplace. "Hardening the browser." Reference & User Services Quarterly 51.3 (2012): 210-214. http://eprints.rclis.org/16837/
  24. Toubiana, Vincent; Verdot, Vincent (2011). "Show Me Your Cookie And I Will Tell You Who You Are". arXiv: 1108.5864 [cs.CR].
  25. 1 2 "Time to stop recommending HTTPS Everywhere? : privacytoolsIO". 28 January 2017.
  26. "Firefox Focus on Android now includes an HTTPS-only mode". Engadget. Retrieved 24 December 2022.
  27. "Firefox for Android now has a toggle for HTTPS-Only mode - gHacks Tech News". gHacks Technology News. 29 April 2022. Retrieved 24 December 2022.
  28. Bradshaw, Kyle (29 June 2021). "Google Chrome to offer 'HTTPS-Only Mode'". 9to5Google. Retrieved 13 September 2022.
  29. "Google Chrome will get an HTTPS-Only Mode for secure browsing". BleepingComputer. Retrieved 13 September 2022.
  30. Kerschbaumer, Christoph; Gaibler, Julian; Edelstein, Arthur; Merwe, Thyla van der. "Firefox 83 introduces HTTPS-Only Mode". Mozilla Security Blog. Retrieved 3 December 2020.
  31. "HTTPS Everywhere FAQ". Electronic Frontier Foundation. 7 November 2016. Retrieved 3 December 2020.
  32. claustromaniac (10 October 2020), claustromaniac/httpz , retrieved 3 December 2020
  33. "Smart HTTPS (revived) repository · Issue #12 · ilGur1132/Smart-HTTPS". GitHub. Retrieved 3 December 2020.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.