Slashdot Mirror

← Back to Stories (view on slashdot.org)

Firefox Extension HTTPS Everywhere Does What It Sounds Like

Posted by timothy on from the effin'-sweet dept.

climenole writes "HTTPS Everywhere is a Firefox extension produced as a collaboration between The Tor Project and the Electronic Frontier Foundation. It encrypts your communications with a number of major websites. Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS."

23 of 272 comments (clear)

  1. Default to HTTP? by SpazmodeusG · · Score: 5, Insightful

    Geez. What kind of poorly written site would do something like quietly defaulting to unencrypted HTTP on a HTTPS request.

    https://www.slashdot.org/

    1. Re:Default to HTTP? by Anonymous Coward · · Score: 2, Insightful

      So I guess you'd be ok with just telling me your login and password, rather than making me go through the effort to sniff them, right?

      I eagerly await your response.

    2. Re:Default to HTTP? by Burz · · Score: 4, Insightful

      O RLY?

      Try using Slashdot (or most other sites) all day in an airport or at a cafe with your laptop, then see how long it takes for someone to start F-ing around with the Javascript that your browser is receiving in the clear. And then there are those lovely residential ISPs that screw with your web pages for not very different reasons.

      The EFF wants to see the web prepared for an assault that looks likely to intensify.

      BTW, there is such a thing as being too cheap.

    3. Re:Default to HTTP? by profplump · · Score: 2, Insightful

      It's only the optimal solution for you. If the client choose HTTPS and you change back to HTTP then *you're* deciding that their content shouldn't be encrypted, even if they think it should be. You can choose not to offer HTTPS if you think the burden is too high on your end, but you're lying to yourself by calling it the "optimal" solution for both sides.

      You might not care that your web browsing is encrypted. But I might be on a monitored network and don't want my overlords to know that I downloaded a cheesecake recipe because it would ruin their surprise birthday party. That or any of 1,000 other scenarios might lead me to desire encrypted communications even for information that you don't consider worthy of encryption.

      Frankly I think *all* communications should be routinely encrypted just to discourage eavesdropping. Plus if encryption became the status quo your browser could offer sane warning messages about unencrypted transfers, rather than putting up no warning for unencrypted transfers and then freaking out when you have an encrypted but unauthenticated transfer.

    4. Re:Default to HTTP? by e2d2 · · Score: 3, Insightful

      You're shit out of luck because _we_ pay the bills here and _we_ build the websites so yes it's not being out of line to think that we should control how it's delivered. Take your entitlement to someplace that honors that currency. I'm a hacker too, but this whole "I want everything in the world my way" shit is getting old. Live with it, or don't. But it's not an "issue" in any way as far as I'm concerned. Don't like it? Go elsewhere.

  2. Does what it sounds like... by Nick+Fel · · Score: 5, Insightful

    ...except not "everywhere", just major sites.

    1. Re:Does what it sounds like... by Tim+C · · Score: 3, Insightful

      It can't be *everywhere* as not every site provides HTTPS access. You could go through a proxy, but that would only encrypt traffic between you and the proxy (and would of course introduce a potential bottleneck if it was a general-use proxy)

      --
      It's official. Most of you are morons.
  3. Cipher CPU use, caching, and Google Custom Search by tepples · · Score: 2, Insightful

    What kind of poorly written site would do something like quietly defaulting to unencrypted HTTP on a HTTPS request.

    Once the user has logged in, there are three reasons to switch back to HTTPS for any page that doesn't take credit cards or the like:

    • The ciphers in HTTPS take a not insignificant amount of CPU time. Not all web applications are database- or network-bound.
    • HTTPS isn't cacheable by intermediate transparent proxies, such as those used by dial-up or satellite Internet providers.
    • Google has not released a version of the Google Custom Search box that works on HTTPS sites. The last time I tried it, IE would show the mixed-content alert: "Do you want to display only the webpage content that was delivered securely?" I had to add a workaround to a shopping site that disables Google Custom Search when the user is browsing in HTTPS mode.
  4. Re:Link? by Meneth · · Score: 2, Insightful
    EFF says:

    In an ideal world, every web request could be defaulted to HTTPS

    I say:
    In an ideal world, you wouldn't NEED to use HTTPS.

  5. Re:forcing views of the hompage by rlk · · Score: 2, Insightful

    AdBlock Plus and NoScript are doing different things -- ABP is basically a filter engine, and the rules are the only thing that (normally) needs to be updated. NoScript is blocking things based on various algorithms, so it's procedural rather than data-driven. It's not surprising that NoScript's engine needs to be updated more often than ABP's.

  6. Re:Does NOT work for Slashdot.org by FriendlyLurker · · Score: 5, Insightful

    That's a subscriber feature.

    So to narrow down people posting politically sensitive stories (say, whistle-blower type stories) from a country, it is merely necessary to cross check banking records against payments to Slashdot. Slashdot should know better.

  7. Re:Self-signed certs are vulnerable to MITM by Anonymous Coward · · Score: 1, Insightful

    A man in the middle could insert his own self-signed certificate, decrypting the traffic from your site and reencrypting it with his own key pair, and users would be none the wiser.

    That can't possibly be the reason for Firefox's weird behavior, because if you use http instead of https, you don't get the error.

  8. Re:slashdot, HTTPS please! by phyrexianshaw.ca · · Score: 2, Insightful

    yeah, because we all need to hide things more and more instead of being responsible for our own actions.

    please. there's nothing that goes on on /. that requires encrypted communication.

  9. Re:firefox doesn't really make it easy for the use by Burz · · Score: 2, Insightful

    Why is FF showing this to the users as an error? This is not an error, this is by design and it is a special case of usage. Who is not frustrated by the browser treating self signed certificates as if they are some sort of a disease? They provide an important role - a way to secure communications between the server and the browser.

    It is an error in judgment on Mozilla's part. Their increasing institutional-mindedness is causing them to send users always into the arms of the CAs -- preferably with no exceptions. The mindset has blinded them to the fact that is it a relatively straightforward UI design issue. Speaking of which, if I were in charge at Mozilla the first thing I would change about the cert warning dialog would be to display the server's fingerprint so its immediately in the user's face. Imagine if websites could publicize their fingerprints (say, on their company letterhead, business cards, in a voicemail menu option, etc.) so anyone could verify your self-signed cert with a little effort. That and a more ssh-like cert recognition could enable a revolution in security.

  10. Re:NoScript over-engineered by djnforce9 · · Score: 2, Insightful

    I couldn't agree more with you. I used NoScript for a little while and it was a pain having to whitelist sites one by one as I visited them. For areas I don't trust, I simply can shut off the JavaScript and Flash engine altogether (ESPECIALLY flash which some sites abuse by hosting very loud ads playing horrible music out of nowhere). Also handy for web development when I need to see how a page I am working on responds when someone enters without JavaScript enabled.

  11. Re:slashdot, HTTPS please! by Peach+Rings · · Score: 2, Insightful

    How about sending your login credentials to the server? That's not encrypted.

  12. Re:Self-signed certs are vulnerable to MITM by swillden · · Score: 4, Insightful

    It is not an error to run a site with a self-signed certificate

    A man in the middle could insert his own self-signed certificate, decrypting the traffic from your site and reencrypting it with his own key pair, and users would be none the wiser.

    So that just means that the site isn't secure. Fine. FF shouldn't display the lock icon, or color the address bar. But that's no reason to treat the connection as an error. The appropriate thing to do is to present the site as insecure (which it is), but to go ahead and encrypt the link. Ideally, FF should go one step further and use SSH-style server key history. Silently (or with a small "new key, do you want to accept it?" dialog) accept and use the self-signed certificate, and then puke hard if the certificate ever changes without good reason (i.e. old cert expired or was replaced with a proper certificate).

    By making these small changes, browser makers could significantly increase the average security of the web, so that sites that will otherwise have to go with unencrypted HTTP can use HTTPS -- even if MITM attacks are still possible, and if security shouldn't be relied upon, this sort of "opportunistic" encryption can make casual snooping significantly harder. That's a good thing.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  13. Re:CPU overhead by Anonymous Coward · · Score: 1, Insightful

    SSL certs cost money? Seriously? That's supposed to be a legitimate excuse? It's not like you have to pay per-user to license an SSL certificate -- we're talking about tens-of-dollars per server-year here. They probably spend more money hosting the comments related to requests for SSL support than they would on SSL certificates.

    Cycles is somewhat more legitimate. In 1997 SSL was relatively expensive. It still adds CPU time now, but if you've got your web servers isolated from the app servers it should *not* be expensive to add the necessary power in 2010.

  14. Re:Does NOT work for Slashdot.org by ultranova · · Score: 4, Insightful

    /. is a business, not a charity, and not a public service (although it provides public service as part of its business model).

    Every time I hear "is is a business, therefore it doesn't have to care about anything besides profit" I turn a little more to the left. Seriously, did CEOs mistake Soviet propaganda as instruction manuals or something?

    It's one thing to suggest /. _should_ do this (and I think they should, all things being equal), but it's another to say (or imply) it is wrong for them not to.

    If it's not wrong for them to not do something, then why should they do it?

    --

    Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  15. Re:Self-signed certs are vulnerable to MITM by Anonymous Coward · · Score: 1, Insightful

    How is this different from SSH? Store it on first connection, warn if it changes.
    Congratulations, you've just reduced the chance of a MITM getting the data to 1/(lifetime number of connections).
    Firefox treats this case as so much worse than cleartext that it needs a Big Scary Warning where it's complicated to do anything but abort, and that makes absolutely no sense.

  16. mod this guy up by Sloppy · · Score: 4, Insightful

    How ridiculous is it, that people get their bank's identity vouched for by a third party they have never met and don't know anything about, when the bank could just put up a fingerprint sign in their lobby and on their paper statements? And people say using a CA is more secure, and less vulnerable to MitM? Really?!?

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  17. Re:Link? by Sir_Lewk · · Score: 2, Insightful

    There are realistic ideal worlds, and there are unrealistic ideal worlds.

    --
    "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
  18. You're not dealing with this right. by raehl · · Score: 2, Insightful

    It's silly NOT to expect a business to care about anything other than profit. Profit is pretty much the sole determination as to whether a business survives.

    And there's nothing wrong with that. Once you ACCEPT that a business should only care about maximizing profit, then you understand how to get a business to operate in an ethical manner: Make it profitable.

    You can do that with consumer pressure, laws, taxes, penalties, subsidies, handouts....

    So don't get upset that businesses are only interested in profits. Embrace it and make it work for you!

    --
    paintball