The EFF releases new HTTPS Everywhere Firefox extension

Summary: The Electronic Frontier Foundation, in cooperation with the Tor Project, has released a beta version of the "HTTPS Everywhere" Firefox extension, which forces full-session SSL on sites such as Twitter, Facebook and Wikipedia. Does "HTTPS Everywhere" really mean "Privacy Everywhere"?

TOPICS: Security, Networking

The Electronic Frontier Foundation, in cooperation with the Tor Project, has released a beta version of the "HTTPS Everywhere" Firefox extension.

The extension helps users encrypt their traffic to a small but growing number of high-profile sites by forcing full-session HTTPS connections.

According to the EFF's announcement, the extension currently works on the following sites:

  • Google Search, Wikipedia, Twitter, Facebook, The New York Times, The Washington Post, PayPal, EFF, Tor, Ixquick

Does "HTTPS Everywhere" really mean "Privacy Everywhere"? Not necessarily, and here's why it may leave a lot of users with a false sense of privacy:

  • Full-session HTTPS may prevent interception of some of your activities (unless, of course, there's a weak link somewhere). However, it doesn't hide your IP and doesn't use any sort of mixing tactics, which potentially allows personally identifiable information to leak to Google, and it doesn't prevent alternative tracking activities from taking place
  • Broken SSL sessions that display unencrypted third-party content allow active tracking and monitoring to take place as well
  • Forcing a full session on a popular social networking service such as Facebook, without taking into consideration the fact that SSL will not magically make all the personally identifiable information, including your IP, disappear, is wrong. Full-session SSL, in combination with tools such as Vanish (see a related video) and a Tor-like or VPN-based anonymity network, are great for a fresh start

It's great to see that the EFF is also emphasizing the insecure third-party content issue:

As always, even if you're at an HTTPS page, remember that unless Firefox displays a colored address bar and an unbroken lock icon in the bottom-right corner, the page is not completely encrypted and you may still be vulnerable to various forms of eavesdropping or hacking (in many cases, HTTPS Everywhere can't prevent this because sites incorporate insecure third-party content).

UPDATED: EFF's Peter Eckersley elaborates on the HTTPS Everywhere extension:

Our original design objective was to offer an easy way to encrypt all Google searches; once we'd done that we realised we could support a lot of other useful sites too. We had to implement several things that NoScript STS lacked, including:

- Rewriting rules, so that a search at google.ch (for example) gets rewritten to https://www.google.com/search?hl=<lang>, because there is no https support at google.ch. URL reconstruction was also necessary for Wikipedia.
- Detect loops when some page on an https:// site redirects back to http:// (parts of Facebook's privacy settings do that, for example!). Currently we just render the http:// page when that happens, though we're planning to offer a setting that turns those into error conditions.
- Support exclusions if *.domain.com supports https with one or two subdomains as weird exceptions.

We think that the result is something that's useful on its own, as a simple way to move a lot of traffic to https, but also something that offers useful new functionality even if you already use NoScript. We also hope that some of these improvements can be patched back into NoScript; but for the time being we'll keep offering a tool that offers them and is also useful to people who don't yet have the sophistication to manage all of NoScript's features.
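The three mechanisms Eckersley lists (rewrite rules, exclusions, and detection of https-to-http redirect loops) can be sketched as follows. This is an added example, not code from HTTPS Everywhere or NoScript; the rule data, the example.com/example.ch hosts, and the names `rewrite`, `navigate`, `sampleSite` and the `strict` option (standing in for the planned "treat loops as errors" setting) are all assumptions made for illustration.

```javascript
// Added illustration, not HTTPS Everywhere source. Hosts and rules are constructed.
const RULESETS = [{
  name: "Example (constructed)",
  // Exclusion: a subdomain without working https stays on http.
  exclusions: [/^http:\/\/legacy\.example\.com\//],
  rules: [
    // A country domain with no https support is rewritten to the main site.
    { from: /^http:\/\/(?:www\.)?example\.ch\/search\?/, to: "https://www.example.com/search?" },
    // Everything else under the domain keeps its host and path.
    { from: /^http:\/\/([^/:@]+\.)?example\.com\//, to: "https://$1example.com/" },
  ],
}];

// Return the forced-https URL, or null if excluded or no rule matches.
function rewrite(url, rulesets = RULESETS) {
  for (const rs of rulesets) {
    if (rs.exclusions.some((re) => re.test(url))) continue;
    for (const { from, to } of rs.rules) {
      if (from.test(url)) return url.replace(from, to);
    }
  }
  return null;
}

// Follow one navigation. serverRedirect(url) models the site: it returns the
// redirect target, or null when the page is served directly.
function navigate(start, serverRedirect, { strict = false, maxHops = 10 } = {}) {
  const forced = new Set(); // https URLs already forced during this navigation
  let url = start;
  for (let hop = 0; hop < maxHops; hop++) {
    const secure = rewrite(url);
    if (secure !== null) {
      if (forced.has(secure)) {
        // The site sent our https request back to http: stop rewriting.
        if (strict) throw new Error("https downgrade loop: " + url);
        return { url, downgraded: true }; // render the http page
      }
      forced.add(secure);
      url = secure;
    }
    const next = serverRedirect(url);
    if (next === null) return { url, downgraded: false };
    url = next;
  }
  throw new Error("too many redirects");
}

// Constructed site: one https page redirects back to its http version.
const sampleSite = (u) =>
  u === "https://www.example.com/privacy" ? "http://www.example.com/privacy" : null;
```

With the default setting, the looping page comes back with `downgraded: true`, which is the point at which a user should be told the page is being loaded in the clear; with `strict: true` the same navigation fails instead.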

What's worth pointing out is that forced SSL connections (STS support in both NoScript and HTTPS Everywhere), as well as the additional security added by Secure Cookie Management, have been an integral part of the NoScript Firefox extension.

In a way, EFF's "HTTPS Everywhere" is a user-friendly version of NoScript's forced SSL feature, which is a step in the right direction, given the number of people that will definitely start taking advantage of it.

Personally, I'm sticking with NoScript's forced SSL, and Secure Cookies Management for now. And you?


Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback

16 comments
  • All depends on who's listening ...

    Almost all of the "privacy enhancements" are useless in the face of systematic monitoring. If you expect them to work against government snooping, monitoring by your ISP or network provider, or even against data aggregators such as Google, then you are deluded.

    At best, they offer a little protection against in-network hacking (such as in university or semi-public networks) but if the listener is truly in control of the network path you are using, you have few defenses.

    I remember John Gilmore's comment about "censorship as damage", which also had some applicability to privacy. But the internet at that time was much more of a decentralized mesh than what we have today. For most people and companies, the internet is in fact a centralized service controlled by at most one or two providers. All of the protections and defenses envisioned in the decentralized mesh are now stripped away. SSL, TOR, and other point-based mechanisms can't overcome that basic issue.
    terry flores
    • RE: The EFF releases new HTTPS Everywhere Firefox extension

      @terry flores Oh my gosh, a comment by a tech geek with wisdom! I'm impressed, Terry.
      kenosha77a
    • @terry flores

      "...Almost all of the "privacy enhancements" are useless in the face of systematic monitoring. If you expect them to work against government snooping, monitoring by your ISP or network provider, or even against data aggregators such as Google, then you are deluded."

      Who says he's "expecting" anything?? It's clear he's simply offering 'options' for those using FF on how to *mitigate* potential security issues that go hand-in-hand with web browsing. It's obvious you're just out to be bloody-minded. Add to that, that there is *nothing* in the article to suggest that EFF or (for that matter) the creator of NoScript (and similar extension developers) are offering complete and absolute security from online attack vectors: in your overzealous riposte, you're somehow implying the author(s) of the article are.

      "...All of the protections and defenses envisioned in the decentralized mesh are now stripped away. SSL, TOR, and other point-based mechanisms can't overcome that basic issue."

      So besides stating the obvious, do you have any better mitigation strategies to suggest or are you here just to pontificate? No .. I withdraw that comment because you obviously are pontificating. I mean, what would you suggest end-users do? Not use SSL or TOR? AND wiseguy what are your industry standard, viable, ground breaking alternatives? More specifically, to mitigate XSS and JAR based attack vectors, have you a better, working solution (sanitizer) for FF users than NoScript??

      Listen, unless you can add to the discussion by offering something of substance - something better and of direct, practical assistance to those who use FF - or indeed *any* web browser - then you're really just part of the problem.

      @kenosha7777 .. you give him / her way too much credit. Heads-up: *Wisdom* from an I.S/I.T pro would involve offering objective and sound solutions to real, operational problems and issues - when given an opportunity to do so. *Moronic* involves offering up platitudes laced with self-satisfied twaddle and half-truths.

      .. so yeah, Terry's comments fit the latter. With all due respect kenosha7777, learn to discern between the two .. they've major differences.

      Sinceremente
      thx-1138_
  • In a word..

    Yes.

    That is yes, I've been using NoScript for the last 2-3 years and some of the best feature sets of later versions of the plugin are:

    * ABE - completely customizable by the user
    * XSS (and JAR) protection & sanitation (automatic)

    and last (but by no means least) a fully customizable forced HTTPS section for those users that want to help mitigate potential domain spoofing / hijacking and XSS vulnerabilities that standard, HTTP addressing is notorious for.

    Thank you guys for the great article: you've highlighted some critical points about general browsing security and domain-based, SSL browsing that cannot be emphasized enough in regards to safe, web browsing habits.

    Keep up the great work!
    thx-1138_