With HTTPS Everywhere, EFF Begins Plans to Eventually Deprecate 'HTTPS Everywhere' Extension

The Record reports: The Electronic Frontier Foundation said it is preparing to retire the famous HTTPS Everywhere browser extension after HTTPS adoption has picked up and after several web browsers have introduced HTTPS-only modes." "After the end of this year, the extension will be in 'maintenance mode' for 2022," said Alexis Hancock, Director of Engineering at the EFF. Maintenance mode means the extension will receive minor bug fixes next year but no new features or further development.

No official end-of-life date has been decided, a date after which no updates will be provided for the extension whatsoever.

Launched in June 2010, the HTTPS Everywhere browser extension is one of the most successful browser extensions ever released. The extension worked by automatically switching web connections from HTTP to HTTPS if websites had an HTTPS option available. At the time it was released, it helped upgrade site connections to HTTPS when users clicked on HTTP links or typed domains in their browser without specifying the "https://" prefix. The extension reached cult status among privacy advocates and was integrated into the Tor Browser and, after that, in many other privacy-conscious browsers. But since 2010, HTTPS is not a fringe technology anymore. Currently, around 86.6% of all internet sites support HTTPS connections. Browser makers such as Chrome and Mozilla previously reported that HTTPS traffic usually accounts for 90% to 95% of their daily connections.
From EFF's announcement: The goal of HTTPS Everywhere was always to become redundant. That would mean we'd achieved our larger goal: a world where HTTPS is so broadly available and accessible that users no longer need an extra browser extension to get it. Now that world is closer than ever, with mainstream browsers offering native support for an HTTPS-only mode.

With these simple settings available, EFF is preparing to deprecate the HTTPS Everywhere web extension as we look to new frontiers of secure protocols like SSL/TLS... We know many different kinds of users have this tool installed, and want to give our partners and users the needed time to transition.
The announcement also promises to inform users of browser-native HTTPS-only options before the day when the extension reaches its final sunsetting — and ends with instructions for how to activate the native HTTPS-only features in Firefox, Chrome, Edge, and Safari, "and celebrate with us that HTTPS is truly everywhere for users."

Sort out DNSSEC ?

[johnjones]

sort out DNS security by implementing DNSSEC - its always DNS is a little tired now...

Re:Sort out DNSSEC ?

[fibonacci8]

Or better yet, find a DNS provider you trust that supports both DNSSEC as well as DNS over TLS or HTTPS (pick your poison). Not letting people meddle with your connections is good. Limiting the amount of information to be slurped up by your ISP is even better.

tl;dr DNSSEC alone still leaks unnecessary information.

domains need to support DNSSEC

[johnjones]

providers sure but the source has to be signed...

ESNI Everywhere

[martynhare]

Not just because every major OS now supports DNS-over-HTTPS but also because if everyone used ESNI and refused unencrypted names, then countries implementing censorship would begin to fail.

Re:

[c-A-d]

No, they'll just do this: https://www.f5.com/labs/articles/threat-intelligence/kazakhstan-attempts-to-mitm-itscitizens

Browsers have blocked Kazakh interception before

[tepples]

The last few times Kazakhstan issued a root certificate to backdoor all HTTPS connections, such as in fourth quarter 2015 [slashdot.org] and in fourth quarter 2020 [slashdot.org], the major web browser publishers pushed an update to block use of these root certificates.

Re:

[c-A-d]

I should probably know this, but is it possible for a web server to detect if this sort of MITM has occurred and to reject the connection?

If not, perhaps the specification needs to include this in the future.

Re:

[tepples]

is it possible for a web server to detect if this sort of MITM has occurred and to reject the connection?

To the web server, the MITM box looks like a carrier-grade network address translation (CGNAT) gateway in front of hundreds or thousands of legit clients.

DNS over HTTPS is a hideous abortion

[Viol8]

Hopelessly inefficient and slow. The HTTP protocol was not designed for small data packets such as DNS , the overhead in comparison is enormous and given the number of DNS queries made every second its a huge burden on networks everywhere. Not to mention the extra power it takes in the data centre which all adds up.

Really and truly....

[rmdingler]

You can count some of your wins in the realm of victory that renders your mission obsolete... ephemeral opposition to your stated goal is yeti/nessie shit.

Re:

[The Evil Atheist]

Hearing loss in one eye you say...

Re:

[bn-7bc]

Ok you appear to be a copu paste troll but in case I'm wrong about this, your webhosts requirement for photo iD might be visa requirement or government regulations. As for paypal, yea I've heard storries which I can't verify that are sort of the same as yours so maybe, personally I've had 0 problems with them, maybe I'm just lucky. (Dating) sites or any other site for that matter might have problems someyimes, but if it persists drop the webmaster a line describing the problem most webmasters apreciate tg

Snowden's Great Success

[Ksevio]

This really was one of the greatest successes in privacy that Snowden's releases got going. Along with Let's Encrypt making it easy and cheap, almost every site out there is HTTPs these days

Re:

[cheekyboy]

What ever happened to simple websites, just plain information, no logins required, no javascript needed, just pure links.

Does everything need to be so appy.

Oh and security is great for IoT hardware, that now needs to be $20 worth of chips, rather than a $1 chip to do HTTPS. Which also cannot ever upgrade its SSL code or its root cert list.

Nothing wrong with http for just reading info/rss etc..

Authenticating the web server to you

[tepples]

What ever happened to simple websites, just plain information, no logins required, no javascript needed, just pure links.

Being able to trust "just plain information" presented on a website requires being able to trust that your browser is connecting to a server operated by the domain owner. HTTPS provides this. Case in point: Though ISPs can and do inject ads into HTML documents delivered over cleartext HTTP, ISPs almost never try that with HTTPS because tampering is so much more visible.

Re: Authenticating the web server to you

[martynhare]

HTTP could implement a signing-only mode using TOFU with RSA/DSA keys to cater for that. Webmasters could then also apply to have their key fingerprints preloaded in a database. Integrity is preserved which protects against manipulated pages, while ISPs can cache data and security devices can perform a proper analysis without needing to decrypt and repack data. The best part is that it could be implemented as backwards compatible with older web browsers, allowing older computer systems to carry on working

Intercepted since day one

[tepples]

HTTP could implement a signing-only mode

I'd be interested to see a patch implementing support for signed cleartext connections in either major web browser engine.

Webmasters could then also apply to have their key fingerprints preloaded in a database

What is the difference between this and Certificate Transparency?

Re:

[martynhare]

Well Certificate Transparency is just a public log of issuances by each central authority to try and catch bad behaviour, it does not actually enforce anything. With that said, I forgot that there is already a proper solution for this in the form of DANE, where one could just have a record for the corresponding fingerprint value. With DNSSEC and encrypted/signed DNS queries, this would eliminate the need for people to submit anything to a specialised database,

Re:

[thegarbz]

Oh and security is great for IoT hardware, that now needs to be $20 worth of chips, rather than a $1 chip to do HTTPS.

If you need $20 worth of chips to do HTTPS then you're doing something very wrong and I suggest you leave the engineering to people who know what they are doing.

Nothing wrong with http for just reading info/rss etc..

It's not up to you to decide if someone else is being persecuted by someone for reading what you wrote.

Re: Snowden's Great Success

[deepthought90]

And yet there are so many websites where I'm just reading information - no security required. Think of the carbon footprint for unnecessarily encrypting html traffic :-)

Does info come from the expected domain?

[tepples]

For reading information, HTTP is fine.

For reading information and making sure that the information actually comes from the expected domain and not an intercepting proxy, HTTPS is required. You're technically correct that encryption is unnecessary to detect tampering by a proxy. However, HTTPS currently lacks signing-only cipher suites.

Re:

[AmiMoJo]

The other issue is that trying to figure out what needs encryption and what doesn't is not trivial, so the safest thing to do is just encrypt everything.

It's a false sense of privacy.

[brunes69]

If you think the major world government intelligence agencies have just let the web move to HTTPS while sitting on your hands, you really do have the wool pulled over your eyes.

I guarantee they have access to all of the root certificates and also the private keys for most major web companies. And we know from rooms like 641A that they can MITM anything on demand.

They can decrypt anything they want, and do.

Re:

[sound+vision]

In practice, they get the data anyway, it's trivial for them to bleed it out of both endpoints. Unless you browse on FreeBSD and don't use social media, I guess. (And your super secret websites don't turn out to be honeypots.)

Everyone who needed HTTPS already used it, without a browser plugin. Except for a few low-effort janky web forums, where you should be using a throwaway password anyway, because you have no idea how they store it on their end.

I suppose it was a success for Google, since it cut ISPs out

Still not everywhere

[The Evil Atheist]

I have it turned on in my browser and I regularly come across sites that I have to say to view the HTTP site.

Huh?

[backslashdot]

This is major premature. Unless you are a security nerd and know how to set your preference settings, Chrome 94 (the latest version) defaults to unencrypted HTTP. And yes, that is bad. A lot of people stupidly believe that http is OK when they are visiting some random useless website. But what they do not understand is that an attacker anywhere on the network between your wifi and the website can inject traffic into the http stream. So what? They can inject a browser exploit. A browser exploit can be used to take over your machine remotely, your webcam, monitor and inject whatever onto your computer. Then what are you going to do?

Re:Huh?

[AmiMoJo]

Chrome has defaulted to HTTPS since version 90, released earlier this year.

Since 2018 Chrome has also been flagging HTTP sites as "not secure" and warning the user if they try to submit a form on such a site.

Re:Huh?

[MeNeXT]

If a browser is so insecure that some arbitrary code can be inserted and gain control of your system, what makes you so sure that an encrypted communication stream will protect you? Sites insert code from other locations on a regular basis even when you are browsing only with encrypted connections. Many players are vying for this position including the 3 main OS providers. This can be seen by the many instances of unscrupulous app developers, including the 3 major OS developers. Microsoft, Apple and Google. Encryption and certification do not resolve the problem. Laws with teeth need to be in place first to hold people and corporations accountable.

If they have the resources to place themselves between my browser and the sites I visit then it's cheaper for them to buy an ad on a site that I do visit to target me than to insert themselves in the middle.

can we fix browsers for local sites now?

[kbrannen]

Great, it switches to https when going to a public site is a win and that's now in most browsers by default.

Now, can we fix the browsers so that if I go to localhost, .local, or other non-publically routable IP that it stop bugging me telling me the site is unsafe and making me click multiple agreements that I'm taking my life into my own hands? If the site is non-publically routable I can't get get a real SSL cert and self-signed is pretty useless, so this only frustrates users.

Re:can we fix browsers for local sites now?

[tepples]

You don't need a publicly routable website. You need only a fully qualified domain name into which you can insert a TXT record for the dns-01 challenge.

Re:

[Octorian]

I still wonder how the fuck I'm supposed to run a Let's Encrypt bot on my Ethernet switch, or my Wireless AP, or the embedded device that controls my sprinklers. Stuff like this is why the "SSL All The Things!" people kinda piss me off. There are plenty of perfectly legitimate cases where paid SSL certs are impossible to justify and short-term SSL certs are impossible to manage.

Re:

[bn-7bc]

Hou might not beable to run it on the switch, bur raspberry pis ( or equivalents) are cheap( if you dont want to acationallu use some cpu in an existing server ) run certbot there and just autobate the upload ofthe new certs to your switch, probkem solved

the end of the open source web....

[lpq]

It's great, right? No one will be able to Download things from the web unless they have the latest, standards approved ssl lib on their system to access an all encrypted web. Open Source? Have you wondered, at all, about why you need to have a full approved encryption stack to access "open source".

Try using an old enough browser and you find yourself shut out of many open source sites that will upgrade you to https -- but with requirements on it being new enough to talk to the latest ssl suites.

The mirr

Did your ISP substitute malware?

[tepples]

It really is a shame all of the open source sites had to fall for this fudd and didn't keep offering the choice of clear-open-source text along side an encrypted link.

Say you download a GNU/Linux distribution installer image over cleartext HTTP. How can you be sure that your ISP didn't substitute an image full of malware?

Re:

[lpq]

Open Source SW has long been signed. That provides integrity.

Re:

[bn-7bc]

You are right, but the verification often takes manual staps, and at any rate takes soe time, with tls the en user (you) gets the MTM protection for 0 effort on your part. Ofc if the site serves a comprimised image this is of no help, but if the attacker goes to the trobke of compromising the file server, pruducing a fake immage, wat is to stop them from editing a hash on a wiki?No one is aiming for perfect here, TLS is no magic buit, but it's a step in the right direction. As for IoT devices, to bldy bad

Re:

[OolimPhon]

One day you'll be able to afford to buy a proper keyboard.

Re:

[lpq]

If I'm downloading install images, most installers allow the signing of the image, and, perhaps the binary. The integrity check is builtin to the installer and requires extra steps to avoid. Examples include install images in the RPM (RedHat/Suse, et al) format, among others.

Besides, I have not suggested disabling https but NOT disabling 'http', which is what the current methods do.

Re:

[tepples]

Examples include install images in the RPM (RedHat/Suse, et al) format, among others.

You would still need to obtain and provide a fingerprint of the publisher's public key when installing the package manager (dnf, apt, pacman, etc.) for the first time, such as when installing an operating system distribution from a USB drive image. How would these fingerprints be securely distributed?

Re:

[lpq]

They could be distributed the same way the keys for the https system distributes keys. The publisher would get a signing key that can be used to sign code in addition to signing secure web traffic. They can be exactly the same type of key.

Encryption keys allow specification of how they can be used when they are issued. No reason why such a key couldn't be used to sign code as well as web traffic.

Code signing has historically required OV cert

[tepples]

No reason why such a key couldn't be used to sign code as well as web traffic.

Publishers of major desktop computer operating systems have behaved as if there is some reason or excuse to insist that code signing certificates provide at least "organization validated" level of assurance (in the DV vs. OV vs. EV sense). I don't know what this reason or excuse is. I guess it might have something to do with compromise of a download server having longer-lasting consequences for users than compromise of an interactive web application server, or the fact that major desktop operating systems d

Re:

[lpq]

Good point.

The current practices mean that certs used to verify integrity on downloaded sources that are using 'https' as certification that there has been no code tampering are using the lower level (w.r.t DV/OV/EV) of certification and skirting requirements that might be applied to the code-certification usage of a certificate.

In other words the lower-requirement web-traffic signing certs are being misused to verify code integrity, whereas real code integrity certs might require a higher internal verific

Older Servers?

[tmjva]

What about older antique servers that never got HTTPS ability?

That means my 30 year old HP3000 website running Apache 1.2 may not run in your browser.

empire.game-host.org

(The site may be down due to a neighborhood Verizon outage, been a week, check again tomorrow.)