Slashdot Mirror

← Back to Stories (view on slashdot.org)

Firefox Extension HTTPS Everywhere Does What It Sounds Like

Posted by timothy on from the effin'-sweet dept.

climenole writes "HTTPS Everywhere is a Firefox extension produced as a collaboration between The Tor Project and the Electronic Frontier Foundation. It encrypts your communications with a number of major websites. Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS."

14 of 272 comments (clear)

  1. NoScript has done this for years by Coopjust · · Score: 5, Informative
    http://noscript.net/features#options

    Preferences for enhancing HTTPS behavior and cookies:
    Force the following sites to use secure (HTTPS) connections - a space-separated list of site patterns

    Then again, if you don't trust the NoSript author after the controversy, this might be a good alternative. I figure NoScript is under more scrutiny than any other extension and the author learned his lesson.

  2. Default to HTTP? by SpazmodeusG · · Score: 5, Insightful

    Geez. What kind of poorly written site would do something like quietly defaulting to unencrypted HTTP on a HTTPS request.

    https://www.slashdot.org/

  3. Much needed extension by Jojoba86 · · Score: 5, Informative

    Oh wow, this is awesome. I've used greasemonkey scripts with facebook but it's pretty ugly, seems to load the http page before the https page. This sounds perfect. Here's the link https://www.eff.org/files/https-everywhere-latest.xpi which is missing from TFS.

    1. Re:Much needed extension by Fnkmaster · · Score: 5, Funny

      Hmm... if you are trying to encrypt your communications with *Facebook* something tells me you are worrying about the wrong people getting their hands on your personal data.

  4. Does what it sounds like... by Nick+Fel · · Score: 5, Insightful

    ...except not "everywhere", just major sites.

  5. Re:Link? by Anonymous Coward · · Score: 5, Informative

    Shouldn't that be https://www.eff.org/https-everywhere ?

  6. Link by muffen · · Score: 5, Informative

    Maybe a link to the addon would be useful in the story?

  7. firefox doesn't really make it easy for the users by roman_mir · · Score: 5, Interesting

    Firefox itself does not really make it easy for the users or for admins to use https everywhere.

    I just made a small site, it's for a business, that runs everything through https, I redirect http to https completely. Firefox 3.6.3 on Windows had no problem running the site. IE on windows couldn't open the encrypted pages, Firefox 3.5 on any GNU/Linux distro couldn't open them either, to fix this, I had to add this to /etc/conf.d/ssl.conf : SSLInsecureRenegotiation on

    That fixed the IE and FF3.5 on Linux problem.

    Here is the description of this flag from apache mod_ssl directive description page:

    SSLInsecureRenegotiation Directive
    Description: Option to enable support for insecure renegotiation
    Syntax: SSLInsecureRenegotiation flag
    Default: SSLInsecureRenegotiation off
    Context: server config, virtual host
    Status: Extension
    Module: mod_ssl
    Compatibility: Available in httpd 2.2.15 and later, if using OpenSSL 0.9.8m or later

    As originally specified, all versions of the SSL and TLS protocols (up to and including TLS/1.2) were vulnerable to a Man-in-the-Middle attack (CVE-2009-3555) during a renegotiation. This vulnerability allowed an attacker to "prefix" a chosen plaintext to the HTTP request as seen by the web server. A protocol extension was developed which fixed this vulnerability if supported by both client and server.

    If mod_ssl is linked against OpenSSL version 0.9.8m or later, by default renegotiation is only supported with clients supporting the new protocol extension. If this directive is enabled, renegotiation will be allowed with old (unpatched) clients, albeit insecurely.
    Security warning

    If this directive is enabled, SSL connections will be vulnerable to the Man-in-the-Middle prefix attack as described in CVE-2009-3555.
    Example

    SSLInsecureRenegotiation on

    The SSL_SECURE_RENEG environment variable can be used from an SSI or CGI script to determine whether secure renegotiation is supported for a given SSL connection.

    I wonder if there are other ways of making this work with my other directives:

    SSLEngine on
    SSLCipherSuite HIGH:MEDIUM:!aNULL:+MD5

    SSLVerifyClient none - I am thinking about switching it to 'require' right now, but will have to test all browsers with it again, but have to do it I think.

    Oh, and getting it all to run together with apache httpd with mod_ssl + mod_jk + apache tomcat is quite a hassle.

    But most unfortunate thing about FF is how it treats the self-signed certificates. It shows it as an SSL ERROR, to which exceptions must be made for the user to be able to enter the site. Can FF developers think about this fact for like longer than a second? It is not an error to run a site with a self-signed certificate, it is a configuration choice and it provides an important role to the site: encrypted traffic for login and for the data transferred to and from the client.

    Why is FF showing this to the users as an error? This is not an error, this is by design and it is a special case of usage. Who is not frustrated by the browser treating self signed certificates as if they are some sort of a disease? They provide an important role - a way to secure communications between the server and the browser.

    Can this be looked at, because I am SURE this prevents various sites from using encrypted traffic in the first place and it is a BAD thing, not a good one. All traffic needs to be encrypted, but especially user name/password traffic shouldn't be sent around in plain text.

    Name it what it is: an exceptional case of using security to encrypt traffic, a case where the site may not necessarily be what it wants to be seen as, but at least the traffic is actually encrypted. It's terrible if someone comes to your site just to see: SSL ERROR on it, OF-COURSE admins don't want THAT message to be shown on their sites, why do you think so few sites do security properly?

    --
    You can't handle the truth.
  8. forcing views of the hompage by SuperBanana · · Score: 5, Informative

    I don't care about ads on his site.

    I care about being forced to update NoScript every few days, each time being forced to load his site. I've got another extension, a Flash downloader that does the same thing. They're both either the world's worst programmers, or they're intentionally releasing updates just to drive traffic to their homepages.

    It's also incredibly irritating to get interrupted almost every time I go to restart Firefox!

    --
    Please help metamoderate.
    1. Re:forcing views of the hompage by Anonymous Coward · · Score: 5, Informative

      From the FAQ [http://noscript.net/faq]:

      2.5
      Q: I don't like NoScript redirecting the browser on its release notes page every time I upgrade it. Is there any way to prevent this?
      A: First time you install NoScript and every time you upgrade it to a newer major version, Firefox opens an additional tab containing the NoScript welcome page, where you can read the release notes, the latest announcements and an introduction to the most important NoScript features (plus a link to this very FAQ...)
      If you feel you don't need such heads up, you can disable this feature by clicking the NoScript icon, selecting Options and unchecking "Display the release notes on update" in the "Notifications" tab.
      Notice that if the above "fix" doesn't work or, worse, you keep being redirected on the welcome page every time you restart Firefox, chances are there's something (like a buggy extension) preventing your preferences from being saved: you may need to follow this advice, then.

  9. Does NOT work for Slashdot.org by Anonymous Coward · · Score: 5, Interesting

    Unfortunately. No https for slashdot.org - why not Slashdot? Comments on politically orientated stories from "sensitive" countries does not deserve to be encrypted? You should know better Slashdot

    1. Re:Does NOT work for Slashdot.org by FriendlyLurker · · Score: 5, Insightful

      That's a subscriber feature.

      So to narrow down people posting politically sensitive stories (say, whistle-blower type stories) from a country, it is merely necessary to cross check banking records against payments to Slashdot. Slashdot should know better.

  10. Self-signed certs are vulnerable to MITM by tepples · · Score: 5, Interesting

    It is not an error to run a site with a self-signed certificate

    A man in the middle could insert his own self-signed certificate, decrypting the traffic from your site and reencrypting it with his own key pair, and users would be none the wiser. One workaround is to start your own CA, sign its root certificate with PGP, and distribute that cert to your users to install. But then that starts to depend on the PGP web of trust, which in turn depends on air travel to get keys signed.

  11. It is based on NoScript, in fact by Anonymous Coward · · Score: 5, Informative
    From TF (and missing) A:

    Our code is partially based on the STS implementation from the groundbreaking NoScript project.