All posts tagged ‘HTTPS’

File Under: Browsers, Security

HTTPS Everywhere 3.0 Secures the Web for Firefox, Chrome Users

The Electronic Frontier Foundation (EFF) has released version 3.0 of its HTTPS Everywhere browser plugin, which will automatically redirect you to secure, HTTPS connections. HTTPS Everywhere 3.0 adds support for 1,500 more websites, twice as many as previous releases.

Firefox users can install HTTPS Everywhere directly from the EFF site. There’s also an alpha release available for Google’s Chrome web browser. Unfortunately, limited add-on APIs mean that HTTPS Everywhere isn’t available for other web browsers.

Once it’s installed, the HTTPS Everywhere extension makes it easy to ensure you’re connecting to secure sites by rewriting all requests to an HTTPS URL whenever you visit one of the thousands of sites HTTPS Everywhere supports.

Why all the fuss about HTTPS? Well, every time you log in to a website through a plain HTTP connection, you expose your data to the world. It’s a bit like writing your username and password on a postcard and dropping it in the mailbox. Think of an HTTPS connection as an envelope to protect your postcard from prying eyes.

The problem gets a bit more complicated than just HTTPS though. Most sites already use HTTPS to handle your login info — that’s a good first step — but once you’re logged in, sites often revert to using an insecure HTTP connection.

So why doesn’t the entire web use HTTPS all the time? The answer is slightly complicated, but the primary reason is speed. HTTPS can’t be cached on CDN networks, which means pages may load slightly slower than they would over standard, insecure connections. For smaller sites, the added costs involved with HTTPS certificates make HTTPS more expensive. However, neither of those stumbling blocks has stopped Google, Facebook, Twitter, Wikipedia or the thousands of other sites large and small that now offer HTTPS connections.

The EFF is still a long way from its long-term goal of encrypting the entire web, but with more sites supporting HTTPS connections every day, the web is slowly but surely getting more secure.

File Under: privacy, Security

Why Wait for Google? Use Encrypted Search Today

Google appears to be expanding the use of its encrypted search page, automatically redirecting some Chrome users to the HTTPS version of Google search. The company has also expanded the number of Google search tools that work with the encrypted page to include Google Image Search, Google Instant and Google Instant Preview.

Using Google search over SSL means that your search terms are encrypted, so prying eyes can’t see what you’re searching for, nor can they see the results you get back. Google’s efforts to provide an encrypted search page are just one part of a broader move afoot on the web to shift more traffic over to the more secure HTTPS protocol.

Why all the fuss about HTTPS? Well, every time you search Google or log in to Twitter or Facebook over a plain HTTP connection, you expose your data to the world. It’s a bit like writing your username and password on a postcard and dropping it in the mailbox. There is a better way, the secure version of HTTP — HTTPS. That extra “S” in the URL means your connection is secure, and it’s much harder for anyone else to see what you’re doing. Think of the extra “S” as the envelope that keeps prying eyes from looking at your postcards.

Although the HTTPS version of Google does, in Google’s words, “provide you with a more secure and private search experience,” it’s worth noting that it doesn’t stop Google from tracking your search terms and other data.

Google Operating System, which tracks all things Google, dug up a post on the Google Support Forums where a Google employee says that Google is “running an experiment with some percentage of Chrome 14 users where we send them to SSL search.” That means that some Chrome users may find themselves using the HTTPS search page without even realizing they are.

Chrome 14 is still in beta, so in order for this to affect you, you’ll need to be using the beta channel.

Of course, not being part of Google’s effort to expand Google Search over SSL doesn’t mean you can’t configure your browser to use the HTTPS search page by default. Firefox fans can just install the HTTPS Everywhere extension. Chrome and Chromium users can simply right-click the URL bar, choose “edit search engines” and then look for the Google entry. Just click edit, add an “s” to the end of the “http” and you’re done. Internet Explorer users can head to the IE add-ons page and create a new search provider using the form.

Photo: Joffley/Flickr/CC

File Under: Browsers, Security, Web Basics

Firefox Security Tool HTTPS Everywhere Hits 1.0

After a year of beta testing, the Electronic Frontier Foundation’s HTTPS Everywhere Firefox add-on has reached stable, 1.0 status. The HTTPS Everywhere extension makes it easy to ensure you’re connecting to secure sites by rewriting all requests to an HTTPS URL whenever you visit one of the sites HTTPS Everywhere supports.

If you’re using Firefox, head over to the EFF’s website and install HTTPS Everywhere. If you’re not using Firefox you’re unfortunately out of luck. The limited add-on APIs of browsers like Chrome and Safari mean that HTTPS Everywhere can’t be ported to those platforms (see the HTTPS Everywhere site for more info).

Why all the fuss about HTTPS? Well, every time you log in to Twitter, Facebook or any other service that uses a plain HTTP connection, you expose your data to the world. It’s a bit like writing your username and password on a postcard and dropping it in the mailbox.

With HTTPS Everywhere installed, if you type, for example, “twitter.com” in the Firefox URL bar, the browser will automatically connect to https://twitter.com rather than http://twitter.com. Think of an HTTPS connection as an envelope to protect your postcard from prying eyes.

With the 1.0 release, HTTPS Everywhere now supports some 1000 websites, including the web’s most popular, like Google Search, Facebook and Wikipedia. One thing to keep in mind, though: not every supported website serves all of its content over HTTPS, which can still leave you open to some vulnerabilities (the Chrome web browser now warns when a site serves HTTP content alongside HTTPS, a feature other browsers will hopefully copy).

Still, even if not every website supports HTTPS completely, Firefox with HTTPS Everywhere is more secure than most browser setups. If you’re using Firefox anyway, it’s well worth installing HTTPS Everywhere, particularly if you frequently use wifi networks you don’t control.
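To make the mixed-content caveat above concrete, here is an added example (not code from the article, the EFF or any browser) that lists the `http://` subresources an HTTPS page would load. The function names, the severity labels and the `example.test` sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag/attribute pairs that make the browser fetch a subresource on page load.
SUBRESOURCE_ATTRS = {("script", "src"), ("img", "src"), ("iframe", "src"),
                     ("audio", "src"), ("video", "src"), ("source", "src"),
                     ("embed", "src"), ("object", "data")}
# Active content can rewrite the page; passive content can only be observed or swapped.
ACTIVE_TAGS = {"script", "iframe", "embed", "object", "link"}


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, resolved_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        candidates = [attrs.get(a) for (t, a) in SUBRESOURCE_ATTRS if t == tag]
        # <link href> loads a subresource for stylesheets, not for rel="canonical" etc.
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower().split():
            candidates.append(attrs.get("href"))
        for raw in filter(None, candidates):
            url = urljoin(self.page_url, raw)  # resolves relative and //host/ URLs
            if urlparse(url).scheme == "http":
                severity = "active" if tag in ACTIVE_TAGS else "passive"
                self.findings.append((severity, tag, url))


def find_mixed_content(page_url, html):
    """List http:// subresources referenced by a page that was served over HTTPS."""
    if urlparse(page_url).scheme != "https":
        return []  # mixed content only exists on pages delivered over HTTPS
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings


# Constructed sample page (not taken from any real site).
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://static.example.test/site.css">
<script src="//cdn.example.test/app.js"></script>
</head><body><img src="http://img.example.test/logo.png">
<img src="/local.png"><a href="http://other.example.test/">plain link</a>
</body></html>"""

if __name__ == "__main__":
    print(find_mixed_content("https://www.example.test/", SAMPLE))
```

Protocol-relative and relative URLs inherit the page's HTTPS scheme and plain hyperlinks are not subresources, so only the stylesheet and the first image are reported.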

Photo: Joffley/Flickr/CC


File Under: Identity, Security, Web Basics

EFF Wants to Secure the Web With “HTTPS Now” Campaign

The Electronic Frontier Foundation (EFF) has kicked off a new “HTTPS Now” campaign to educate consumers and help “make web surfing safer.”

The new campaign is a two-part effort. First, the EFF would like to encourage users to install the HTTPS Everywhere Firefox add-on, which will automatically redirect you to HTTPS connections. HTTPS Everywhere makes sure you’re always using a secure connection when you visit Gmail, Twitter and several dozen other sites; you don’t need to worry about checking the URL every time you log in.

While HTTPS Everywhere is a good suggestion for users, the primary thrust of the HTTPS Now campaign is aimed at popular websites. After all, HTTPS Everywhere only works if your favorite sites offer secure connections, and an alarming number of sites do not.

The EFF has partnered with Access, a digital freedom activist group, to create the new HTTPS Now website. The new site will keep track of which sites offer HTTPS connections, how much of the site is secure and whether or not the site mixes secure and insecure content.

Why all the fuss about HTTPS? Well, every time you log in to Twitter, Facebook or any other service that uses a plain HTTP connection, you expose your data to the world. It’s a bit like writing your username and password on a postcard and dropping it in the mailbox.

There is a better way, the secure version of HTTP — HTTPS. That extra “S” in the URL means your connection is secure, and it’s much harder for anyone else to see what you’re doing. Think of the extra “S” as the envelope that keeps prying eyes from looking at your postcards.

The problem gets a bit more complicated than just HTTPS though. Most sites already use HTTPS to handle your login info — that’s a good first step — but once you’re logged in, the sites often revert to using an insecure HTTP connection. That means you’re vulnerable to simple attacks like those made possible by the Firesheep Firefox plugin. Firesheep sniffs network traffic and looks for insecure cookies, which it then uses to spoof your login credentials to the site. Firesheep allows other people to quickly and easily become you on the web.
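A site operator can check for the exposure described above from the server side. This added example (not from the article or the EFF) audits the `Set-Cookie` headers of a login response for cookies that would also travel over plain HTTP. Going slightly beyond the text, it also reads the `Strict-Transport-Security` header, which tells browsers not to fall back to HTTP. The function names, the severity labels, the lowercase header keys and the sample headers are assumptions.

```python
def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, attributes)."""
    first, *rest = header_value.split(";")
    name = first.strip().partition("=")[0]
    attrs = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.lower()] = val
    return name, attrs


def audit_cookies(set_cookie_headers, session_names):
    """Flag cookies that a passive observer on the network could capture."""
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if "secure" not in attrs:
            # Without Secure the browser also attaches the cookie to http://
            # requests, so an HTTPS login still leaks the session afterwards.
            level = "HIGH" if name in session_names else "LOW"
            findings.append((level, name, "missing Secure"))
        if name in session_names and "httponly" not in attrs:
            findings.append(("MEDIUM", name, "missing HttpOnly"))
    return findings


def hsts_max_age(headers):
    """Return the HSTS max-age in seconds, or 0 if absent or malformed."""
    value = headers.get("strict-transport-security", "")  # keys assumed lowercase
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.strip('"').isdigit():
            return int(val.strip('"'))
    return 0  # 0 means the browser is free to fall back to plain HTTP


# Constructed headers from a login response served over HTTPS (not a real site).
SAMPLE_HEADERS = {"content-type": "text/html; charset=utf-8"}
SAMPLE_SET_COOKIE = [
    "session_id=abc123; Path=/; HttpOnly",
    "csrf=xyz; Path=/; Secure",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    print(audit_cookies(SAMPLE_SET_COOKIE, {"session_id"}))
    print("HSTS max-age:", hsts_max_age(SAMPLE_HEADERS))
```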

So why doesn’t the entire web use HTTPS all the time? The answer is slightly complicated, but the primary reason is speed. HTTPS can’t be cached on CDN networks and there are also some (minor) costs involved with HTTPS certificates.

But obviously neither cost nor minor speed hits have stopped big sites like Twitter, Facebook, Gmail and Flickr from implementing HTTPS. The EFF would like to encourage other sites to follow suit.

If you’d like to see how your favorite sites fare when it comes to protecting your data from traffic snoops, head on over to the HTTPS Now website.

Photo: Joffley/Flickr/CC
