HTTPS Everywhere Firefox addon helps you encrypt web traffic

by mikeperry | June 18, 2010

Today the EFF and the Tor Project are launching a public beta of a new Firefox extension called HTTPS Everywhere.

This Firefox extension was inspired by the launch of Google's encrypted search option. We wanted a way to ensure that every search our browsers sent was encrypted, including the search box and URL bar features. At the same time, we were also able to encrypt most or all of the browser's communications with other popular sites that support SSL, but don't provide it by default.

Our approach is based on the NoScript STS implementation, but is more expressive in the manner in which HTTPS-enforcing rules are written.

This tends to work more effectively than NoScript because many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may not offer all pages and applications via HTTPS, or may only allow HTTPS activity via alternate subdomains that require URL rewriting and redirection. In particular, Google's SSL search and Wikipedia both require rather complex URL rewriting and exception filters to work properly.
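The kind of rewriting and exception handling described above, as an added example that is not the extension's own code: a small rule engine whose hostnames, rulesets and function names (`rewriteToHttps`, `planRequest`) are constructed for illustration. The guard against re-rewriting a URL that a server has bounced back to HTTP goes beyond what the paragraph states.

```javascript
// Added example. Rulesets and hostnames are constructed; they are not the
// rules shipped with the extension.
const RULESETS = [
  {
    name: "Example Wiki (constructed)",
    // Paths the site does not serve over TLS must stay on HTTP.
    exclusions: [/^http:\/\/([a-z]+)\.wiki\.example\/upload\//],
    rules: [
      // HTTPS only exists on an alternate host, so the language
      // subdomain has to move into the path.
      { from: /^http:\/\/([a-z]+)\.wiki\.example\//,
        to: "https://secure.wiki.example/$1/" },
    ],
  },
  {
    name: "Example Search (constructed)",
    exclusions: [],
    rules: [
      { from: /^http:\/\/(www\.)?search\.example\//,
        to: "https://www.search.example/" },
    ],
  },
];

// Returns the HTTPS URL to load instead, or null when the request
// must go out unchanged.
function rewriteToHttps(url, rulesets = RULESETS) {
  if (!url.startsWith("http://")) return null; // already HTTPS, or not HTTP
  for (const set of rulesets) {
    if (set.exclusions.some((re) => re.test(url))) continue;
    for (const rule of set.rules) {
      if (!rule.from.test(url)) continue;
      const rewritten = url.replace(rule.from, rule.to);
      // Refuse any rule that fails to produce an HTTPS URL.
      if (rewritten.startsWith("https://")) return rewritten;
    }
  }
  return null;
}

// Decides the URL before the request is sent. A URL the server has already
// bounced back to HTTP is left alone, otherwise rewriting would loop forever.
function planRequest(url, alreadyDowngraded = new Set()) {
  if (alreadyDowngraded.has(url)) return { url, rewritten: false };
  const target = rewriteToHttps(url);
  return target ? { url: target, rewritten: true } : { url, rewritten: false };
}
```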

HTTPS Everywhere should also perform more securely than DOM-based mechanisms such as the GreaseMonkey-based SSL Certificates Pro and the Google Chrome-based KB Enforcer. These addons perform redirection at the DOM level, which causes many HTTP fetches to leak prior to the redirect to HTTPS.

We currently provide rule sets for Google Search, Wikipedia, Twitter, Facebook, The New York Times, The Washington Post, IxQuick, and many more popular sites. It is also possible to add user-defined rule files, and/or to submit rules to us for inclusion in future versions.

Note that some of these sites still include a lot of content from third-party domains that are not available over HTTPS. As always, if the browser's lock icon is broken or carries an exclamation mark, you may remain vulnerable to adversaries that use active attacks or traffic analysis to compromise your privacy and security.

Comments

Please note that the comment area below has been archived.

June 17, 2010

HTTPS everywhere is a great start.
I'm using it in my normal browser and the tor browser.

The biggest problem I have with it is having to edit files and restart the browser to modify the list.
An interface to easily add or remove sites and have it apply instantly without a browser restart would be very useful.
Would that be a possibility in a future release?

June 18, 2010

This sounds useful. I've been using NoScript here to rewrite a whole host of domains to https for a good while now, those that support it that is. It'd be real handy if the HTTPS Everywhere list of supported sites could grow automatically during add-on updates though, as I find a lot of the time it's difficult to know exactly which sites support SSL without either first reading about it, or experimentation here and there to see how a particular site reacts when trying it (aside from the fact that regular expressions hurt my brain).

June 19, 2010

I'm having problems with this. Search result hyperlinks from a site like Google that are covered by this plugin are not clickable in the browser. I have to middle-click to open them in a new tab and then hit enter in the address bar to retrieve the page (which the plugin will then happily rewrite to https).

The plugin itself seems like something that should probably have a proper online facility for user submissions to contribute (email is a bit basic), and could do with a much easier way to add and edit custom profiles. Navigating to the profile directory is an arse, as is creating XML files, along with figuring regular expressions. A GUI to simplify things could go a long way to help here.

The various profiles viewed through plugin 'options' could do with ordering and arranging better. If the profiles there were ever to expand much it'd be difficult to find anything. The "you can learn how to write your own rulesets" link doesn't work for me either.

/2p

"I'm having problems with this. Search result hyperlinks from a site like Google that are covered by this plugin are not clickable in the browser. I have to middle-click to open them in a new tab and then hit enter in the address bar to retrieve the page (which the plugin will then happily rewrite to https)."

The issue is the combination of HTTPS-Everywhere and the RequestPolicy plugin. RequestPolicy interprets a Google search result click as Google itself wanting access to the destination site, which shouldn't be the case as the hyperlink is a straight-through plain link to destination that shouldn't involve the Google domain requiring access to it. So I guess either RequestPolicy or HTTPS-Everywhere are at fault here as they're obviously not playing well together.

June 19, 2010

Are there any plans in the works to produce a version of this extension for Chromium-based browsers (e.g., Google Chrome and SRWare Iron)?

June 20, 2010

For TOR to be successful I think it needs a change of direction. It needs to be able to operate the way squid works, like a proxy server - platform independent.

The Australian Government is proposing to mandate that all Australian ISPs are required to keep a complete log of their clients' browsing history whether the clients like it or not.

The logs would be less than useful if they contained only TOR entry points..:-)

June 21, 2010

HTTPS Everywhere is a godsend, I have been using other addons but this is exactly what I have wanted from you guys. Amazing!

June 21, 2010

Hi!!!!!!!!!!!!!!!!!

I'm very smart!!!!!! Even if you think the opposite!!!! I found a vulnerability nobody of you noticed before!!! hahah!!!!!!!

Yeah!!!!!!!! I found a way to track what users are doing!!! It works against all tor bundles (for windows, linux and even against my factorbee!!! with or without polipo and torbutton!!!!) I wrote a demo too!!!!!!!!!!!!!!!

http://honeybeenet.altervista.org/fun/tracker/ (open it with tor!!!)

Great catch, this one!!!!

bye!!!!!!!!!!!!!
~bee!!!!!!

June 21, 2010

In reply to phobos

Hi phobos!!!!!!!!!! You're very welcome!!!!!

So, this is the description and how it's supposed to work: you need to have a website and you've to insert the same 1x1 pixel image in all the pages of your website!! it hasn't to be a real image, but actually a php page generating one pixel image!! so, when a user is browsing your website, it's possible to count him only once!!!!! You may use one new etag also in every page with articles of your website to count the readings per article!!! Yea, no cookies and no javascript are needed!!! but the counting and tracking will be accurate!! Well, in this way, Tor users are anonymous (fake IP) but they aren't hiding themselves in the crowd!!!! The hidden image can track all the IPs you're using, so it can follow you easily!!! In this way, it's possible to understand that if a tor exit node has loaded one page and a second later the same IP loads the hidden tracking image, it could be you!!!! this repeats for all pages with all the IPs you're associated with, as then you're sending the same ETag number every time to the tracking pixel!!! Well, this can be extended, for example one poisoned exit node can add one "ETag" header for you!! it can be done for the background picture of a particular website!!!! Yea, a bad exit node can do it against you!! So, even if you change tor nodes, you won't change the Etag ID!!!!!!!!! This thing could be extended further!!! But i don't want to give too many suggestions to Google!!!!!!!!!!
Just try to push one tracking pixel in all the pages you watch, and the tracking pixel itself will work in the same way as it would if you weren't using Tor, because the tracking COOKIE is storable into the Etag!!!
Yet i don't know if this can be used or being helpful for some kinds of attacks!!!! like the timing attacks!!!! maybe!! who knows!!
I think that this flaw can be solved patching Firefox, Polipo or Torbutton!!! But it would be better to have TorButton to do the job, because you need this protection even if you're using Firefox without Polipo!!!! As the Official Tor Bundle isn't using a custom build of Firefox and thus it cannot be patched, the only chance left is TorButton!!!!!! Hopefully, Mike will be able to do it right!!! but i don't want to help him in any way, he doesn't appreciate my helps, and i don't like him either!!!!!

I don't know what the other one here is saying about egos!!! I'm just happy!!!! i found the flaw!!!!!!!!!!!!!!! yeah!!! it would be strange if i weren't happy!!!!!!!

bye!!!!!!!!
~bee!!!!

Bee:

If you had bothered to properly explain yourself from the beginning, someone probably would have told you that Torbutton has addressed this issue for the past 3 years. However, despite our numerous requests for you to properly explain your ideas (even with exclamation points, if you must), you refuse to do so.

That people on #tor-dev on IRC had to reverse engineer your "exploit" is case-in-point.

At best this issue is a dup of Bug 523 on our tracker, where I state in the comments that it might be nice to provide a timer for clearing browser data, instead of requiring the user to toggle Torbutton.

Please see my comment on your bug for more information.

June 23, 2010

Hello! Can I use two browsers with tor so each will show different IPs?

June 24, 2010

Intriguing. Two questions. Is there any reason why there should not exist publicly available lists of vetted rule-sets, as there are publicly available address lists for other FF privacy extensions (e.g. AdBlock:EasyList)? Is there any reason that such a list of sites/pages for which the http/https identity has been verified could not be the basis for a conditional evaluation in the extension logic about whether the http (pre)fetch needs to occur (understanding that there would probably need to be a "freshness date" and possibly other controls)? And if the previous poster intended to indicate a preference for some kind of obfuscation that the http (pre)fetch originates from the same source as the https page load, I second the motion. Thanks to the Tor team for all the effort invested in this excellent resource.

June 26, 2010

Google just started redirecting https search requests to http last night.
If you have this plugin, it redirects in a loop and you cannot use google at all :(

June 27, 2010

What is this anonymous guy in his post above screaming about factorbee?
Should I be worried?

June 27, 2010

the online security scanner reports that the version of firefox installed in the Tor bundle is insecure, when will there be an update?

here's the report from secunia.com
------------------
Installed on Your System in:
C:\program files\Tor Browser\Tor Browser\FirefoxPortable\App\Firefox\tbb-firefox.exe
Mozilla Firefox 3.5.x Mozilla Firefox 3.5.x 3.5.9 Mozilla Firefox 3.5.x

This installation of Mozilla Firefox 3.5.x is insecure and potentially exposes your system to security threats!

The detected version installed on your system is 3.5.9, however, the latest patched version released by the vendor, fixing one or more vulnerabilities, is 3.5.10.

June 28, 2010

Please two weeks ago we were unable to connect tor application with one of our network in our country, please what next can we do...

June 28, 2010

Gents pls can u pls help me out
my tor no more connects is it that my internet service provider has blocked it or u are carrying out server repairs

am writing from nigeria and i use MTN network to connect but now it no more connects in fact when u go to the tor band usage u can see any signal
we use the default setting of 10.199.212.2:8080 to connect pls can u help

June 28, 2010

Gentlemen
I thought i should write in to commend u all on the work u are doing the masses informed,
am writing from nigeria and i just came across Tor for about 2 months now and it has been the best and fastest internet software link i have ever seen, i say kudos. silver or gold have i none but i really give u my sincere moral and spiritual support.

For about i week now tor has not been working in nigeria, basically we use it with MTN network provider whose internet cost is on the high side despite millions of Dollars they make from millions of subscribers in the world largest black race.

I don't really know where Tor is repairing their server of u have been cut off by MTN.
I heard they invited some expatriates to cut the people off from the internet and it worked and after some time tor came back again. but now tor has not been connecting
so pls what's wrong.

we connect to tor using this MTN default setting 10.199.212.2:8080
my fire wall lets me connect ports,8080
and then we use bridges

but now it's not working and we have gone back to freedom which is slow and also cuts hourly,
well we have used freegate, ultrasurf and they have all been blocked

so gentlemen pls do something about that, when we connect the tor there is no movement in the bandwidth and when u go to bridges it does not open it just shows new and later closes

I look forward to hearing and as well as you solving the problem from you

sincerely yours

July 18, 2010

I would be glad if d tor project could give us in nigeria a http/https proxy to connect to than d default proxy bcos d proxy keeps sending back errors like invalid url and more. For reply vinnie415@gmail.com my box thanks