Firefox Extension HTTPS Everywhere Does What It Sounds Like 272
climenole writes "HTTPS Everywhere is a Firefox extension produced as a collaboration between The Tor Project and the Electronic Frontier Foundation. It encrypts your communications with a number of major websites. Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS."
Default to HTTP? (Score:5, Insightful)
Geez. What kind of poorly written site would do something like quietly defaulting to unencrypted HTTP on a HTTPS request.
https://www.slashdot.org/ [slashdot.org]
Does what it sounds like... (Score:5, Insightful)
Re:Default to HTTP? (Score:2, Insightful)
So I guess you'd be ok with just telling me your login and password, rather than making me go through the effort to sniff them, right?
I eagerly await your response.
Cipher CPU use, caching, and Google Custom Search (Score:3, Insightful)
What kind of poorly written site would do something like quietly defaulting to unencrypted HTTP on a HTTPS request.
Once the user has logged in, there are three reasons to switch back to HTTPS for any page that doesn't take credit cards or the like:
Re:Link? (Score:3, Insightful)
In an ideal world, every web request could be defaulted to HTTPS
I say:
In an ideal world, you wouldn't NEED to use HTTPS.
Re:forcing views of the hompage (Score:3, Insightful)
AdBlock Plus and NoScript are doing different things -- ABP is basically a filter engine, and the rules are the only thing that (normally) needs to be updated. NoScript is blocking things based on various algorithms, so it's procedural rather than data-driven. It's not surprising that NoScript's engine needs to be updated more often than ABP's.
Re:Does NOT work for Slashdot.org (Score:5, Insightful)
That's a subscriber feature.
So to narrow down people posting politically sensitive stories (say, whistle-blower type stories) from a country, it is merely necessary to cross check banking records against payments to Slashdot. Slashdot should know better.
Re:Default to HTTP? (Score:5, Insightful)
O RLY?
Try using Slashdot (or most other sites) all day in an airport or at a cafe with your laptop, then see how long it takes for someone to start F-ing around with the Javascript that your browser is receiving in the clear. And then there are those lovely residential ISPs that screw with your web pages for not very different reasons.
The EFF wants to see the web prepared for an assault that looks likely to intensify.
BTW, there is such a thing as being too cheap.
Re:Self-signed certs are vulnerable to MITM (Score:1, Insightful)
That can't possibly be the reason for Firefox's weird behavior, because if you use http instead of https, you don't get the error.
Re:Does what it sounds like... (Score:4, Insightful)
It can't be *everywhere* as not every site provides HTTPS access. You could go through a proxy, but that would only encrypt traffic between you and the proxy (and would of course introduce a potential bottleneck if it was a general-use proxy)
Re:slashdot, HTTPS please! (Score:2, Insightful)
please. there's nothing that goes on on
Re:firefox doesn't really make it easy for the use (Score:3, Insightful)
Why is FF showing this to the users as an error? This is not an error, this is by design and it is a special case of usage. Who is not frustrated by the browser treating self signed certificates as if they are some sort of a disease? They provide an important role - a way to secure communications between the server and the browser.
It is an error in judgment on Mozilla's part. Their increasing institutional-mindedness is causing them to send users always into the arms of the CAs -- preferably with no exceptions. The mindset has blinded them to the fact that is it a relatively straightforward UI design issue. Speaking of which, if I were in charge at Mozilla the first thing I would change about the cert warning dialog would be to display the server's fingerprint so its immediately in the user's face. Imagine if websites could publicize their fingerprints (say, on their company letterhead, business cards, in a voicemail menu option, etc.) so anyone could verify your self-signed cert with a little effort. That and a more ssh-like cert recognition could enable a revolution in security.
Re:NoScript over-engineered (Score:2, Insightful)
I couldn't agree more with you. I used NoScript for a little while and it was a pain having to whitelist sites one by one as I visited them. For areas I don't trust, I simply can shut off the JavaScript and Flash engine altogether (ESPECIALLY flash which some sites abuse by hosting very loud ads playing horrible music out of nowhere). Also handy for web development when I need to see how a page I am working on responds when someone enters without JavaScript enabled.
Re:slashdot, HTTPS please! (Score:2, Insightful)
How about sending your login credentials to the server? That's not encrypted.
Re:Self-signed certs are vulnerable to MITM (Score:5, Insightful)
It is not an error to run a site with a self-signed certificate
A man in the middle could insert his own self-signed certificate, decrypting the traffic from your site and reencrypting it with his own key pair, and users would be none the wiser.
So that just means that the site isn't secure. Fine. FF shouldn't display the lock icon, or color the address bar. But that's no reason to treat the connection as an error. The appropriate thing to do is to present the site as insecure (which it is), but to go ahead and encrypt the link. Ideally, FF should go one step further and use SSH-style server key history. Silently (or with a small "new key, do you want to accept it?" dialog) accept and use the self-signed certificate, and then puke hard if the certificate ever changes without good reason (i.e. old cert expired or was replaced with a proper certificate).
By making these small changes, browser makers could significantly increase the average security of the web, so that sites that will otherwise have to go with unencrypted HTTP can use HTTPS -- even if MITM attacks are still possible, and if security shouldn't be relied upon, this sort of "opportunistic" encryption can make casual snooping significantly harder. That's a good thing.
Re:CPU overhead (Score:1, Insightful)
SSL certs cost money? Seriously? That's supposed to be a legitimate excuse? It's not like you have to pay per-user to license an SSL certificate -- we're talking about tens-of-dollars per server-year here. They probably spend more money hosting the comments related to requests for SSL support than they would on SSL certificates.
Cycles is somewhat more legitimate. In 1997 SSL was relatively expensive. It still adds CPU time now, but if you've got your web servers isolated from the app servers it should *not* be expensive to add the necessary power in 2010.
Re:Does NOT work for Slashdot.org (Score:5, Insightful)
Every time I hear "is is a business, therefore it doesn't have to care about anything besides profit" I turn a little more to the left. Seriously, did CEOs mistake Soviet propaganda as instruction manuals or something?
If it's not wrong for them to not do something, then why should they do it?
Re:Default to HTTP? (Score:3, Insightful)
It's only the optimal solution for you. If the client choose HTTPS and you change back to HTTP then *you're* deciding that their content shouldn't be encrypted, even if they think it should be. You can choose not to offer HTTPS if you think the burden is too high on your end, but you're lying to yourself by calling it the "optimal" solution for both sides.
You might not care that your web browsing is encrypted. But I might be on a monitored network and don't want my overlords to know that I downloaded a cheesecake recipe because it would ruin their surprise birthday party. That or any of 1,000 other scenarios might lead me to desire encrypted communications even for information that you don't consider worthy of encryption.
Frankly I think *all* communications should be routinely encrypted just to discourage eavesdropping. Plus if encryption became the status quo your browser could offer sane warning messages about unencrypted transfers, rather than putting up no warning for unencrypted transfers and then freaking out when you have an encrypted but unauthenticated transfer.
Re:Self-signed certs are vulnerable to MITM (Score:1, Insightful)
How is this different from SSH? Store it on first connection, warn if it changes.
Congratulations, you've just reduced the chance of a MITM getting the data to 1/(lifetime number of connections).
Firefox treats this case as so much worse than cleartext that it needs a Big Scary Warning where it's complicated to do anything but abort, and that makes absolutely no sense.
Re:Default to HTTP? (Score:4, Insightful)
You're shit out of luck because _we_ pay the bills here and _we_ build the websites so yes it's not being out of line to think that we should control how it's delivered. Take your entitlement to someplace that honors that currency. I'm a hacker too, but this whole "I want everything in the world my way" shit is getting old. Live with it, or don't. But it's not an "issue" in any way as far as I'm concerned. Don't like it? Go elsewhere.
mod this guy up (Score:5, Insightful)
How ridiculous is it, that people get their bank's identity vouched for by a third party they have never met and don't know anything about, when the bank could just put up a fingerprint sign in their lobby and on their paper statements? And people say using a CA is more secure, and less vulnerable to MitM? Really?!?
Re:Link? (Score:3, Insightful)
There are realistic ideal worlds, and there are unrealistic ideal worlds.
You're not dealing with this right. (Score:3, Insightful)
It's silly NOT to expect a business to care about anything other than profit. Profit is pretty much the sole determination as to whether a business survives.
And there's nothing wrong with that. Once you ACCEPT that a business should only care about maximizing profit, then you understand how to get a business to operate in an ethical manner: Make it profitable.
You can do that with consumer pressure, laws, taxes, penalties, subsidies, handouts....
So don't get upset that businesses are only interested in profits. Embrace it and make it work for you!