HTTPS Everywhere | Electronic Frontier Foundation
HTTPS Everywhere is produced as a collaboration between The Tor Project and the Electronic Frontier Foundation. Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by using a clever technology to rewrite requests to these sites to HTTPS.
Questions and Caveats
Sadly, many sites still include a lot of content from third party domains that is not available over HTTPS. As always, if the browser’s lock icon is broken or carries an exclamation mark, you may remain vulnerable to some adversaries that use active attacks or traffic analysis. However, the effort that would be required to eavesdrop on your browsing should still be usefully increased. Update: in recent versions of Firefox, Mozilla has removed the broken padlock indicator. Now, the only difference between a secure and insecure HTTPS deployment is the blue or green tint on the left of the address bar for secure deployments
Answers to common questions may be on the frequently asked questions page.
HTTPS Everywhere can protect you only when you’re using sites that support HTTPS and for which HTTPS Everywhere include a ruleset. If sites you use don’t support HTTPS, ask the site operators to add it; only the site operator is able to enable HTTPS. There is more information and instruction on how server operators can do that in the EFF article How to Deploy HTTPS Correctly.
Development And Writing your own Rulesets
You can help us test forthcoming site support and new features by installing the development branch of the extension. HTTPS Everywhere uses small ruleset files to define which domains are redirected to https, and how. If you’d like to write your own ruleset, you can find out how to do that here. Information about how to access the project’s Git repository and get involved in development is here. Send feedback on this project to the https-everywhere AT eff.org mailing list. Note that this is a public and publicly-archived mailing list. You can also subscribe. Send new rewrite rules or fixes to existing rewrite rules to the https-everywhere-rules AT eff.org mailing list. Note that this is a public and publicly-archived mailing list. You can also subscribe.
Our code is partially based on the STS implementation from the groundbreaking NoScript project (there are other STS implementations out there, too). HTTPS Everywhere aims to have a simpler user experience than NoScript, and to support complex rewriting rules that allow services like Google Search and Wikipedia to be redirected to HTTPS without breaking anything. It also handles situations like https:// pages that redirect back to http:// in a reasonable manner. In an ideal world, every web request could be defaulted to HTTPS. Unfortunately, there’s no way to know that what you get from requesting https://www.domain.com/page is the same as what you get from requesting http://www.domain.com/page. So the only way to switch every page to https is to fetch the page insecurely first. There is a Chrome extension called KB SSL Enforcer which attempts to take that approach, but it does not appear to be implemented securely; when we tested it, it seemed to always use http before https, which means that your surfing habits and authentication cookies are not protected (this may be a limitation of the Chrome Extensions framework).