Feeds

Firefox add-on does 'HTTPS Everywhere'

Well, everywhere possible

Top three mobile application threats

The Electronic Frontier Foundation and The Tor Project have teamed up to offer a Firefox add-on that beefs up https on several major websites, including Google.com, Wikipedia, Twitter, Facebook, and PayPal.

Currently in beta, HTTPS Everywhere is designed to make encryption easier to use on sites offering at least partial SSL support. Google, for instance, still defaults to unencrypted search, but the EFF's add-on automatically takes you to the https incarnation.

"Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use," says the EFF. "For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS."

The code behind the add-on is based in part on the Strict Transport Security (STS) response header put together by the NoScript project. "HTTPS Everywhere aims to have a simpler user experience than NoScript, and to support complex rewriting rules that allow services like Google Search and Wikipedia to be redirected to HTTPS without breaking anything."

Google rolled out an https version of its search engine late last month, announcing the move in the same blog post in which it admitted that its Street View cars had been collecting payload data from unsecured Wi-Fi networks across the planet. Normally, to use SSL-ed Google Search, you must specifically visit https://www.google.com (note the "s").

After installing the HTTPS Everywhere add-on, if you visit http://www.google.com (no "s"), you will automatically be taken to the SSL version. The same is true for sites such as Wikipedia, Twitter, Facebook, The New York Times, The Washington Post, Paypal, the privacy-minded search engine Ixquick, and, well, EFF and Tor. And once you're onto secure versions of these sites, the plug-in attempts to keep your traffic within these sites encrypted as you move from page to page.

You can also modify the add-on's rule-set to include additional sites not covered at install. You can download the add-on here. ®

Seven Steps to Software Security

More from The Register

next story
NO MORE ALL CAPS and other pleasures of Visual Studio 14
Unpicking a packed preview that breaks down ASP.NET
Captain Kirk sets phaser to SLAUGHTER after trying new Facebook app
William Shatner less-than-impressed by Zuck's celebrity-only app
Apple fanbois SCREAM as update BRICKS their Macbook Airs
Ragegasm spills over as firmware upgrade kills machines
Cheer up, Nokia fans. It can start making mobes again in 18 months
The real winner of the Nokia sale is *drumroll* ... Nokia
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Put down that Oracle database patch: It could cost $23,000 per CPU
On-by-default INMEMORY tech a boon for developers ... as long as they can afford it
Google shows off new Chrome OS look
Athena springs full-grown from Chromium project's head
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.