5 things to note about HTTPS Everywhere

HTTPS (Hypertext Transfer Protocol Secure) Everywhere, a Firefox extension released last year, has matured into a stable, official release with more Web sites now compatible with it and better user interface, according to the Electronic Freedom Frontier (EFF). However, security experts note there are still loopholes to the add-on and users should pay attention when using it.

The EFF, in collaboration with the Tor Project, launched the official 1.0 version of HTTPS Everywhere tool on Aug. 4, just past a year after the first beta version was released in June 2010. According to EFF's blog post, the extension will help secure Internet browsing by encrypting connections to more than 1,000 Web sites.

"HTTPS secures Web browsing by encrypting both requests from your browser to Web sites and the resulting pages that are displayed," said Peter Eckersley, Technology Projects Director at EFF, stated in the blog post.

"EFF created HTTPS Everywhere to make it easier for people to keep their user names passwords and browsing histories secure and private.

The efforts of EFF and Tor Project were lauded by Jason Pearce, sales engineering director at M86 Security Asia-Pacific. He said in his e-mail: "HTTPS Everywhere is a positive thing in terms of its design specification. It will ensure that the user's Web browser will automatically encrypt connections to [supported] Web sites, enhancing users' online privacy and security."

That said, Pearce and other experts ZDNet Asia spoke to identify five things users should take note of while using the security extension.

Not widely supported
One of the challenges HTTPS Everywhere face is there are not enough Web sites supporting the secured HTTP connection, Pearce noted. Currently, the add-on only provides protection to Web sites that have switched to HTTPS such as Facebook and Twitter, he added.

This is reiterated in another EFF blog post which stated that HTTPS Everywhere can only protect users when they use sites that support HTTPS.

To address this issue, the developer suggested users write in to site operators and request they switch over to the secured connection. "If sites you use don't support HTTPS, ask the site operators to add it; only the site operator is able to enable HTTPS," its Web site stated.

Incompatibility persists
However, Ang Poon Wei, ICT security market analyst at IDC Asia-Pacific, explained that companies and Web developers will need convincing to integrate the secured connection feature. This is because they will have to "retrofit" their Web sites to support HTTPS, he said.

"Majority of Web sites currently only use HTTPS for logins or transactions where sensitive data is captured," the analyst stated. "Trying to access a Web site that doesn't or partially supports HTTPS would generate different user experiences."

Citing Facebook as an example, Ang said users will only be able to see portions of the social-networking site where HTTPS is supported while third-party components and applications that do not support HTTPS will be filtered out.

Doesn't eliminate site bugs
According to Eckersley, HTTPS Everywhere "does its utmost" to plug the security gaps for Web sites that are inherently insecure for various reasons.

Having said that, it is out of EFF's hands to make the site secure until operators make the effort to fix the bugs or limitations that exist because of how the site was built, he told ZDNet Asia in a separate interview.

Getting developers to act on these bugs can be tricky though, Eckersley pointed out. "There are problems on sites that are serious yet stealthy, which is why a lot of developers don't know these bugs even exist."

Not a silver bullet
Besides security issues on the site, Ang urged users to understand that HTTPS Everywhere is a tool derived from the HTTPS encryption protocol. Thus, the add-on has the same weaknesses and loopholes inherent in the original system, he said.

"This mean that while [the extension] provides a certain form of security, it is not a silver bullet," the analyst explained.

Ang added that concerns over stolen or modified "certificates" still exist as hackers might decide that the effort to circumvent HTTPS as worth their while.

Don't be complacent
Lastly, people should not rest easy just because they logged on to a site via HTTPS, Pearce cautioned. Even though the initial entry was secured, there might be portions of the site that might be unsecured and will revert back to HTTP, or non-secure browsing, he said.

Additionally, even with security tools such as HTTPS Everywhere, the M86 Security director said the protection does not encompass all portions of a Web site or across all sites people visit while browsing the Internet.

Users should also be careful of downloading security add-ons and do so only if these are from a reputable and trusted source, Pearce stated.