I just came across a new extension for Firefox that helps improve security and privacy while surfing the web. HTTPS Everywhere is a Firefox extension that is a collaboration between The Tor Project and the Electronic Frontier Foundation (EFF). It encrypts your communications with a number of major websites by invoking HTTPS whenever it’s available. With all the web surfing we do from insecure places, like coffee shops and airports, having more secure communication is a great idea. That last thing I want is my login and password going in clear text from a Starbucks.
Some sites, like GMail, let you configure them so whenever you access it through any browser, it defaults to using HTTPS. That’s a great idea, unfortunately most sites don’t let you do this.
The HTTPS Everywhere extension is currently in beta, but so far it works well for me. I’ve installed it on both Windows and Mac and the experience is the same. I don’t notice any slow down when using it, which is a common complaint when using HTTPS versus HTTP. I try to use HTTPS when available on a website, but I don’t always remember to type it. The beauty of this is that it automatically invokes HTTPS without me having to think about it. Computers that actually do the thinking for me. What a concept.
Currently the extension supports the following websites:
- Google Search
- most of Amazon
- WordPress.com blogs
- The New York Times
- The Washington Post
HTTPS Everywhere uses small XML ruleset files to define which domains are redirected to https, and how. You can also write your own rulesets that extend the capabilities to other sites. Check out the FAQ for more information. You can install the extension from the HTTPS Everywhere page.
I hope that Microsoft, Apple and Google take a hint from this and write similar features into their browsers. According to the FAQ, the Chrome, IE and Safari APIs do not support request rewriting. That means that there is currently no way to write a secure version of HTTPS Everywhere without modifying their source code. The EFF does state that if anyone knows a way to perform secure request rewriting in these browsers, feel free to let them know at EFF.org.