The EFF releases new HTTPS Everywhere Firefox extension
The extension helps users encrypt their traffic to a small, but growing number of high profile sites, by forcing full-session HTTPS connections.
According to the EFF's announcement, the extension currently works on the following sites:
- Google Search, Wikipedia, Twitter, Facebook, The New York Times, The Washington Post, Paypal, EFF, Tor, Ixquick
Does "HTTPS Everywhere" really mean "Privacy Everywhere"? Not necessarily, and here's why it may leave a lot of users with a false feeling of privacy:
- Full-session HTTPS may prevent interception of some of your activities -- unless of course there's a weak link somewhere -- however, it doesn't hide your IP, doesn't use any sort of mixing tactics, potentially allowing the leak of personally identifiable information to Google, and doesn't prevent alternative tracking activities from taking place
- Broken SSL sessions displaying unencrypted third party content, allow active tracking and monitoring to take place as well
- Forcing a full-session on a popular social networking service such as Facebook for instance, without taking into consideration the fact that SSL would not magically make all the personally identifiable information, including your IP, disappear, is wrong. Full-session SSL, in combination with tools such as Vanish (see a related video), next to Tor-like/VPN based anonymity network, are great for a fresh start
It's great to see that the EFF is also emphasizing on the insecure third-party content issue:
As always, even if you're at an HTTPS page, remember that unless Firefox displays a colored address bar and an unbroken lock icon in the bottom-right corner, the page is not completely encrypted and you may still be vulnerable to various forms of eavesdropping or hacking (in many cases, HTTPS Everywhere can't prevent this because sites incorporate insecure third-party content).
UPDATED: EFF's Peter Eckersley elaborates on HTTPS Everywhere extension:
Our original design objective was to offer an easy way to encrypt all Google searches; once we'd done that we realised we could support a lot of other useful sites too. We had to implement several things that NoScript STS lacked, including:
- Rewriting rules, so that a search at google.ch (for example) gets rewritten to https://www.google.com/search?hl=<lang>, because there is no https support at google.ch. URL reconstruction was also necessary for Wikipedia. - Detect loops when some page on an https:// site redirects back to http:// (parts of Facebook's privacy settings do that, for example!). Currently we just render the http:// page when that happens, though we're planning to offer a setting that turns those into error conditions. - Support exclusions if *.domain.com supports https with one or two subdomains as weird exceptions.
We think that the result is something that's useful on its own, as a simple way to move a lot of traffic to https, but also something that offers useful new functionality even if you already use NoScript. We also hope that some of these improvements can be patched back into NoScript; but for the time being we'll keep offering a tool that offers them and is also useful to people who don't yet have the sophistication to manage all of NoScript's features.
What's worth pointing out is that, forced SSL connections (STS support in both, NoScript and HTTPS Everywhere), as well as the additional security added by Secure Cookie Management, has been an integral part of the NoScript Firefox extension.
In a way, EFF's "HTTPS Everywhere" is a user-friendly version of NoScript's forced SSL feature, which is a step in the right direction, given the number of people that will definitely start taking advantage of it.
Personally, I'm sticking with NoScript's forced SSL, and Secure Cookies Management for now. And you?
Talkback.