HTTPS Everywhere is a free and open-source browser extension for Google Chrome, Mozilla Firefox, Opera, and Firefox for Android, which is developed collaboratively by The Tor Project and the Electronic Frontier Foundation (EFF). It automatically makes websites use a more secure HTTPS connection instead of HTTP, if they support it. The option "Block all HTTP requests" makes it possible to block and unblock all non-https browser-connections with one click.
|Developer(s)||Electronic Frontier Foundation and The Tor Project|
Firefox for Android|
|License||GNU GPL v3+ (most code is v2 compatible)|
|As of||April 2014|
HTTPS Everywhere was inspired by Google's increased use of HTTPS, and is designed to force the usage of HTTPS automatically whenever possible. The code, in part, is based on NoScript's HTTP Strict Transport Security implementation, but HTTPS Everywhere is intended to be simpler to use than NoScript's force HTTPS functionality which requires the user to manually add websites to a list. The EFF provides information for users on how to add HTTPS rulesets to HTTPS Everywhere, and information on which websites support HTTPS.
A public beta of HTTPS Everywhere for Firefox was released in 2010, and version 1.0 was released in 2011. A beta for Google Chrome was released in February 2012. In 2014, a version was released for Android phones.
The SSL Observatory is a feature in HTTPS Everywhere introduced in version 2.0.1 which analyzes public key certificates to determine if certificate authorities have been compromised, and if the user is vulnerable to man-in-the-middle attacks. In 2013, the ICANN Security and Stability Advisory Committee (SSAC) noted that the data set used by the SSL Observatory often treated intermediate authorities as different entities, thus inflating the number of certificate authorities. The SSAC criticized SSL Observatory for potentially significantly undercounting internal name certificates, and noted that it used a data set from 2010.
Continual Ruleset UpdatesEdit
The update to Version 2018.4.3, shipped 3th April 2018, introduces the „Continual Ruleset Updates“ Function. To apply up-to-date https-rules, this update function executes one rule-matching within 24 hours. A website called https://www.https-rulesets.org/ was build by the EFF for this purpose. This automated update-function can be disabled in the Add-on- settings. Prior the update- mechanism there have been ruleset-updates only through app-updates. Even after inventing this feature there are still bundled rulesets shipped within app-updates.
Two studies have recommended building in HTTPS Everywhere functionality into Android browsers. In 2012, Eric Phetteplace described it as "perhaps the best response to Firesheep-style attacks available for any platform". In 2011, Vincent Toubiana and Vincent Verdot pointed out some drawbacks of the HTTPS Everywhere add-on, including that the list of services which support HTTPS needs maintaining, and that some services are redirected to HTTPS even though they are not yet available in HTTPS, not allowing the user of the extension to get to the service.
- Transport Layer Security (TLS) – Cryptographic protocols that provide communications security over a computer network.
- Privacy Badger – A free browser extension created by the EFF that blocks advertisements and tracking cookies.
- Switzerland (software) – An open-source network monitoring utility developed by the EFF to monitor network traffic.
- Let's Encrypt – A free automated X.509 certificate authority designed to simplify the setup and maintenance of TLS encrypted secure websites.
- HTTP Strict Transport Security - A web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking.
- "Changelog.txt". Electronic Frontier Foundation. Retrieved 16 April 2018.
- "Releases · EFForg/https-everywhere". GitHub. Retrieved 16 April 2018.
- HTTPS Everywhere Development Electronic Frontier Foundation
- "HTTPS Everywhere | Electronic Frontier Foundation". Eff.org. Retrieved 2014-04-14.
- "HTTPS Everywhere reaches 2.0, comes to Chrome as beta - The H Open: News and Features". H-online.com. 2012-02-29. Retrieved 2014-04-14.
- HTTPS Everywhere Changelog (englisch)
- "Automatic web encryption (almost) everywhere - The H Open Source: News and Features". H-online.com. 2010-06-18. Archived from the original on 2010-06-23. Retrieved 2014-04-15.
- Kate Murphy: New hacking tools pose bigger threats to Wi-Fi users. The New York Times, February 17, 2011.
- "HTTPS Everywhere | Electronic Frontier Foundation". Eff.org. Retrieved 2014-06-04.
- "HTTPS Everywhere Rulesets | Electronic Frontier Foundation". Eff.org. 2014-01-24. Retrieved 2014-05-19.
- "HTTPS Everywhere Atlas". eff.org. Retrieved 2014-05-24..
- Mills, Elinor (2010-06-18). "Firefox add-on encrypts sessions with Facebook, Twitter". CNET. Retrieved 2014-04-14.
- Scott Gilbertson (2011-08-05). "Firefox Security Tool HTTPS Everywhere Hits 1.0 | Webmonkey". WIRED. Retrieved 2014-04-14.
- "HTTPS Everywhere & the Decentralized SSL Observatory | Electronic Frontier Foundation". Eff.org. 2012-02-29. Retrieved 2014-06-04.
- Brian, Matt (2014-01-27). "Browsing on your Android phone just got safer, thanks to the EFF". Engadget.com. Retrieved 2014-04-14.
- Lemos, Robert (2011-09-21). "EFF builds system to warn of certificate breaches | Encryption". InfoWorld. Retrieved 2014-04-14.
- Vaughan, Steven J. (2012-02-28). "New 'HTTPS Everywhere' Web browser extension released". ZDNet. Retrieved 2014-04-14.
- "1 SSAC Advisory on Internal Name Certificates" (PDF). ICANN Security and Stability Advisory Committee (SSAC). 15 March 2013.
- "https-everywhere now delivers new rulesets without upgrading extension". bleepingcomputer.com. 5 April 2018.
- Fahl, Sascha; et al. "Why Eve and Mallory love Android: An analysis of Android SSL (in)security" (PDF). Proceedings of the 2012 ACM conference on Computer and communications security. ACM, 2012. Archived from the original (PDF) on 2013-01-08.
- Davis, B.; Chen, H. (2013). "Retro Skeleton". Proceedings of the 11th annual international conference on Mobile systems, applications, and services - Mobi Sys '13. p. 181. doi:10.1145/2462456.2464462. ISBN 9781450316729.
- Kern, M. Kathleen, and Eric Phetteplace. "Hardening the browser." Reference & User Services Quarterly 51.3 (2012): 210-214. http://eprints.rclis.org/16837/
- Toubiana, Vincent; Verdot, Vincent (2011). "Show Me Your Cookie And I Will Tell You Who You Are". arXiv: [cs.CR].