Slashdot Mirror


Firefox Extension HTTPS Everywhere Does What It Sounds Like

climenole writes "HTTPS Everywhere is a Firefox extension produced as a collaboration between The Tor Project and the Electronic Frontier Foundation. It encrypts your communications with a number of major websites. Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS."

14 of 272 comments

  1. noscript? by Cmdr-Absurd · · Score: 3, Informative

    noscript has a means of doing this on a per-site basis. Wildcards are accepted.

  2. NoScript has done this for years by Coopjust · · Score: 5, Informative
    http://noscript.net/features#options

    Preferences for enhancing HTTPS behavior and cookies:
    Force the following sites to use secure (HTTPS) connections - a space-separated list of site patterns

    Then again, if you don't trust the NoScript author after the controversy, this might be a good alternative. I figure NoScript is under more scrutiny than any other extension and the author learned his lesson.

  3. Much needed extension by Jojoba86 · · Score: 5, Informative

    Oh wow, this is awesome. I've used greasemonkey scripts with facebook but it's pretty ugly, seems to load the http page before the https page. This sounds perfect. Here's the link https://www.eff.org/files/https-everywhere-latest.xpi which is missing from TFS.

  4. Re:Link? by Anonymous Coward · · Score: 5, Informative
  5. Does What It Sounds Like? by Culture20 · · Score: 4, Informative

    It can't work unless these sites already have an https version. If they redirect all 443 traffic to 80 like /., then it does nothing. It might work for facebook since it has a couple pages that allow https, but I'm sure things like their photo servers are probably http only.
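The request rewriting described in the story summary, together with the caveat in comment 5 about sites that redirect HTTPS back to HTTP, sketched as an added example (not part of the thread, and not code from HTTPS Everywhere or NoScript). The pattern syntax, the `HttpsForcer` class and the `strict` option are assumptions made for illustration.

```javascript
// Added illustration; not code from HTTPS Everywhere or NoScript.
// Assumed pattern syntax: exact host names, or "*.example.org" for any subdomain.
function compilePatterns(list) {
  return list.trim().split(/\s+/).filter(Boolean).map((p) => {
    const escaped = p.toLowerCase().replace(/[.+?^${}()|[\]\\]/g, "\\$&");
    return new RegExp("^" + escaped.replace(/\*/g, "[a-z0-9-]+(?:\\.[a-z0-9-]+)*") + "$");
  });
}

class HttpsForcer {
  // strict=true blocks a downgrading host instead of falling back to HTTP.
  constructor(patternList, { strict = false } = {}) {
    this.patterns = compilePatterns(patternList);
    this.strict = strict;
    this.downgraded = new Set(); // hosts seen redirecting https -> http
  }

  matches(host) {
    return this.patterns.some((re) => re.test(host));
  }

  // Returns the URL to request, or null when strict mode blocks the request.
  rewrite(urlString) {
    const url = new URL(urlString);
    // Only plain HTTP on the default port is upgraded; other ports are left alone.
    if (url.protocol !== "http:" || url.port !== "" || !this.matches(url.hostname)) {
      return url.href;
    }
    if (this.downgraded.has(url.hostname)) {
      return this.strict ? null : url.href;
    }
    url.protocol = "https:";
    return url.href;
  }

  // Feed every redirect here. An https -> http redirect on the same host means
  // upgrading again would loop, so the host is remembered.
  onRedirect(fromUrl, toUrl) {
    const from = new URL(fromUrl);
    const to = new URL(toUrl);
    const downgrade = from.protocol === "https:" && to.protocol === "http:" &&
      from.hostname === to.hostname;
    if (downgrade) this.downgraded.add(from.hostname);
    return downgrade;
  }
}
```

Falling back to HTTP keeps such a site usable but leaves that traffic unencrypted; `strict: true` fails closed instead.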

  6. forcing views of the homepage by SuperBanana · · Score: 5, Informative

    I don't care about ads on his site.

    I care about being forced to update NoScript every few days, each time being forced to load his site. I've got another extension, a Flash downloader that does the same thing. They're both either the world's worst programmers, or they're intentionally releasing updates just to drive traffic to their homepages.

    It's also incredibly irritating to get interrupted almost every time I go to restart Firefox!

    1. Re:forcing views of the homepage by Anonymous Coward · · Score: 5, Informative

      From the FAQ [http://noscript.net/faq]:

      2.5
      Q: I don't like NoScript redirecting the browser on its release notes page every time I upgrade it. Is there any way to prevent this?
      A: First time you install NoScript and every time you upgrade it to a newer major version, Firefox opens an additional tab containing the NoScript welcome page, where you can read the release notes, the latest announcements and an introduction to the most important NoScript features (plus a link to this very FAQ...)
      If you feel you don't need such heads up, you can disable this feature by clicking the NoScript icon, selecting Options and unchecking "Display the release notes on update" in the "Notifications" tab.
      Notice that if the above "fix" doesn't work or, worse, you keep being redirected on the welcome page every time you restart Firefox, chances are there's something (like a buggy extension) preventing your preferences from being saved: you may need to follow this advice, then.

    2. Re:forcing views of the homepage by Coopjust · · Score: 3, Informative
      http://noscript.net/faq#qa2_5

      Q: I don't like NoScript redirecting the browser on its release notes page every time I upgrade it. Is there any way to prevent this?
      If you feel you don't need such heads up, you can disable this feature by clicking the NoScript icon, selecting Options and unchecking "Display the release notes on update" in the "Notifications" tab.

      He's intentionally driving traffic to his page, but you can disable it easily (it used to require about:config, but it was a boolean that was fairly easy to find).

    3. Re:forcing views of the homepage by j.sanchez1 · · Score: 4, Informative

      about:config
      set noscript.firstRunRedirection to false

      --
      Speedy thing goes in; speedy thing comes out.
  7. It is based on NoScript, in fact by Anonymous Coward · · Score: 5, Informative
    From TF (and missing) A:

    Our code is partially based on the STS implementation from the groundbreaking NoScript project.

  8. Re:Does NOT work for Slashdot.org by Lingerance · · Score: 4, Informative

    That's a subscriber feature.

  9. I see two things wrong w/ this... by HTMLSpinnr · · Score: 3, Informative

    1. For classic shared hosting solutions using name based hosting, I can almost guarantee if you hit https:///, you're going to hit someone else's virtual host. Many cheap hosting providers w/ limited public IPs will load up domain names on a single IP/Port, but still provide secure hosting to one domain name (on the same port) for shopping cart checkout under a different domain name. Using such a plugin in this use case would not work so well. Then again, would most "smaller sites" really be worthy of encryption in the first place?

    2. Not every site is designed w/ the same content root in http vs https. Switching from http to https may completely break if the file structures under the two virtual hosts (potentially entirely separate in Apache) aren't identical (i.e. pointing to the same directory). I'm not touting that this is a best practice, but would be completely feasible if you wanted to keep specific content from being accessed via http and didn't want to bother with mod_rewrite or equivalent.

    To the poster above who says there's little CPU penalty for SSL, SSL may not be taxing on the client, but hundreds or thousands of sessions on a server (especially one hosting an app, DB, and Apache) may be another story. Why is someone's assumed paranoia that someone will see that they're reading about cars or home theater equipment on a forum worth requiring a service owner to scale his hardware to the next level to maintain acceptable performance (assuming this phenomenon is multiplied hundred-fold)?

    --
    $ man woman *
    -bash: /usr/bin/man: Argument list too long
  10. Re:Does NOT work for Slashdot.org by FriendlyLurker · · Score: 3, Informative

    It's one thing to suggest /. _should_ do this (and I think they should, all things being equal), but it's another to say (or imply) it is wrong for them not to.

    You might be right. However, we do not have to look far (e.g. "Thailand Shuts Down 43,000 More Websites", or "FBIs Facebook Monitoring Leads To Arrest In England", both a few stories back) to see that social network sites like /. are being sniffed, scanned, intercepted and profiles built up for normal citizens all around the world. 43,000 websites have been shut down or blocked in Thailand, and it would be naive to think they wouldn't also sniff plain-text posted on those websites from Thai based IPs to identify problematic Thai citizens, who now may be on government watch lists - just waiting for a visit from local authorities, firing from Gov departments, or any other manner of persecution the regime sees fit to deal out.

    It might not be Slashdot's job or responsibility to offer even the most minimum technological security https offers to users - but it may reflect pretty poorly on Slashdot as a technology orientated social networking site - if they do not set a good example in the proper use of technology, who will?