All posts tagged ‘HTTPS Everwhere’

File Under: Browsers, Security, Web Basics

Firefox Security Tool HTTPS Everywhere Hits 1.0

After a year of beta testing the Electronic Frontier Foundation’s HTTPS Everywhere Firefox add-on has reached stable, 1.0 status. The HTTPS Everywhere extension makes it easy to ensure you’re connecting to secure sites by rewriting all requests to an HTTPS URL whenever you visit one of the sites HTTPS Everywhere supports.

If you’re using Firefox, head over to the EFF’s website and install HTTPS Everywhere. If you’re not using Firefox you’re unfortunately out of luck. The limited add-on APIs of browsers like Chrome and Safari mean that HTTPS Everywhere can’t be ported to those platforms (see the HTTPS Everywhere site for more info).

Why all the fuss about HTTPS? Well, every time you log in to Twitter, Facebook or any other service that uses a plain HTTP connection, you expose your data to the world. It’s a bit like writing your username and password on a postcard and dropping it in the mailbox.

With HTTPS Everywhere installed, if you type, for example, “twitter.com” in the Firefox URL bar, the browser will automatically connect to https://twitter.com rather than http://twitter.com. Think of an HTTPS connection as an envelope to protect your postcard from prying eyes.

With the 1.0 release, HTTPS Everywhere now supports some 1000 websites, including the web’s most popular like Google Search, Facebook and Wikipedia. One thing to keep in mind though, not every website supported serves all of its content over HTTPS, which can still leave you open to some vulnerabilities (the Chrome web browser now warns when a site serves HTTP content alongside HTTPS, a feature other browsers will hopefully copy).

Still, even if not every website supports HTTPS completely, Firefox with HTTPS Everywhere is more secure than most browser setups. If you’re using Firefox anyway, it’s well worth installing HTTPS Everywhere, particularly if you frequently use wifi networks you don’t control.

Photo: Joffley/Flickr/CC

See Also:

File Under: Identity, Security, Web Basics

EFF Wants to Secure the Web With “HTTPS Now” Campaign

The Electronic Frontier Foundation (EFF) has kicked off a new “HTTPS Now” campaign to educate consumers and help “make web surfing safer.”

The new campaign is a two part effort. First the EFF would like to encourage users to install the HTTPS Everywhere Firefox add-on, which will automatically redirect you to https connections. HTTPS Everywhere makes sure you’re always using a secure connection when you visit Gmail, Twitter and several dozen other sites; you don’t need to worry about checking the URL everytime you login.

While HTTPS Everywhere is a good suggestion for users, the primary thrust of the HTTPS Now campaign is aimed at popular websites. After all, HTTPS Everywhere only works if your favorite sites offer secure connections, and an alarming number of sites do not.

The EFF has partnered with Access, a digital freedom activist group, to create the new HTTPS Now website. The new site will keep track of which sites offer HTTPS connections, how much of the site is secure and whether or not the site mixes secure and insecure content.

Why all the fuss about HTTPS? Well, every time you log in to Twitter, Facebook or any other service that uses a plain HTTP connection, you expose your data to the world. It’s a bit like writing your username and password on a postcard and dropping it in the mailbox.

There is a better way, the secure version of HTTP — HTTPS. That extra “S” in the URL means your connection is secure, and it’s much harder for anyone else to see what you’re doing. Think of the extra “S” as the envelop that keeps prying eyes from looking at your postcards.

The problem gets a bit more complicated than just HTTPS though. Most sites already use HTTPS to handle your login info — that’s a good first step — but once you’re logged in the sites often revert back to using an insecure HTTP connection. That means you’re vulnerable to simple attacks like those made possible by the Firesheep Firefox plugin. Firesheep sniffs network traffic and looks for insecure cookies which it then uses to spoof your login credentials to the site. Firesheep allows other people to quickly and easily become you on the web.

So why doesn’t the entire web use HTTPS all the time? The answer is slightly complicated, but the primary reason is speed. HTTPS can’t be cached on CDN networks and there are also some (minor) costs involved with HTTPS certificates.

But obviously neither cost nor minor speed hits have stopped big sites like Twitter, Facebook, Gmail and Flickr from implementing HTTPS. The EFF would like to encourage other sites to follow suit.

If you’d like to see how your favorite sites fair when it comes to protecting your data from traffic snoops, head on over to the HTTPS Now website.

Photo: Joffley/Flickr/CC

See Also:

File Under: Browsers, Security

Secure Firefox With New HTTPS Everywhere Add-on

Earlier this year, the Firefox add-on Firesheep created quite a controversy by making it easy to capture unencrypted web traffic.

Firesheep sniffs unencrypted cookies sent across open wi-fi networks. That means anyone with Firesheep installed can watch your browsing sessions while you lounge at Starbucks and grab your log-in credentials for Facebook, Twitter or other popular sites. Armed with those credentials, anyone using Firesheep can essentially masquerade as you all over the web, logging in to other social sites, blogs and news sites using your Facebook or Twitter username and password.

None of Firesheep’s mechanisms are new. But Firesheep made sniffing web traffic point-and-click simple — it was suddenly dead easy to do something that used to require a good bit of hacking knowledge.

The best way to protect yourself from Firesheep is simply avoid connecting to unencrypted sites when you’re on an open wi-fi network. That means making sure that you connect over HTTPS rather than HTTP everywhere you surf. But sadly, doing so is complicated and depends on which site you’re trying to connect to.

That’s where the Electronic Frontier Foundation’s HTTPS Everywhere Firefox add-on comes in. The extension makes it easy to ensure you’re connecting to secure sites by rewriting all requests to an HTTPS URL whenever you visit one of the sites it supports.

Of course if the website you’d like to visit doesn’t support HTTPS, there’s nothing the add-on can do, but for many big sites — Twitter, Facebook, Google, PayPal, The New York Times, Bit.ly, Amazon — HTTPS Everywhere automates the process for you.

With HTTPS Everywhere installed, if you type “twitter.com” in the Firefox URL bar, the browser will automatically connect to https://twitter.com rather than http://twitter.com.

That’s a good start, but it won’t completely protect you from anyone sniffing with Firesheep. The latest beta release of HTTPS Everywhere, released over the long weekend, improves the add-on’s protection against Firesheep, but you’ll need to do some extra stuff.

First, head the HTTPS Everywhere preferences (Tools -> Add Ons -> HTTPS Everywhere -> Preferences) and check the “Facebook+” rule. Then install the Adblock Plus extension and use it to block the insecure http:// advertisements and tracking sites that Facebook (and other sites) sometimes include. There are more instructions on the EFF’s site.

Now you can browse Facebook at the coffee shop in relative peace. Certain parts of Facebook may not work properly — some applications can’t use HTTPS, and the chat app won’t work — but at least you aren’t broadcasting your login credentials to anyone who wants to listen. The EFF says it has alerted Facebook to the incompatibilities, and that it’s waiting for Facebook to fix them.

See Also: