To S or not to S, that is the question; the S in HTTP vs HTTPS, that is. HTTP stands for Hypertext Transfer Protocol. It is the English of the Internet (or Internets, depending on who you are talking to). HTTPS stands for Hypertext Transfer Protocol Secure; it takes HTTP and runs it over a connection that is secured using asymmetric encryption. HTTP is used by all websites. In addition to HTTP, many websites – typically websites that have logins or eCommerce-related activities – support HTTPS. (dotTech does not support HTTPS at this time.)
The issue with HTTP, of course, is that it isn’t “secure”. People with the right access and knowledge could potentially read your Internet traffic. HTTPS, on the other hand, uses asymmetric encryption, ensuring no one can packet snoop your bank balance away. However, HTTPS isn’t all smiles. HTTPS may be more secure than HTTP, but that security comes at a cost: It takes more money, resources, and time to build and operate HTTPS websites than it does HTTP websites. (As an analogy, think about the difference between opening a Word document and opening a Word document encrypted with AxCrypt.)
In light of technological advances (i.e. increased processing capacity, cheaper tech, etc.) and increased fraud, in recent years there has been a push for websites to give preference to HTTPS. HTTPS Everywhere is an addon for Firefox that puts you one step closer to HTTPS heaven.
What Is HTTPS Everywhere
HTTPS Everywhere is an addon jointly developed by the Electronic Frontier Foundation and The Tor Project. Simply put, HTTPS Everywhere forces websites to use HTTPS, when applicable.
How It Works
HTTPS Everywhere seamlessly redirects HTTP requests to HTTPS. For example, after installing HTTPS Everywhere, going to http://google.com results in you being sent to https://encrypted.google.com instead. This redirection works when you manually visit a website (i.e. type it in the URL bar) or if you click on a link to a website (e.g. clicking on a link located in a dotTech article).
HTTPS Not-so-everywhere
It should be noted HTTPS Everywhere does not work for *all* websites.
Firstly, HTTPS Everywhere is rule-based. It has a database that contains a list of websites; each website has a rule associated with it telling Firefox what to do when the HTTP version of the website is visited. When these websites are visited via HTTP, users are automatically sent to the HTTPS version based upon what the rule states. HTTPS Everywhere only works for websites that it has rules created for. Don’t fret, though: HTTPS Everywhere comes with rules for hundreds of websites (thousands?)…
…and users have the ability to add their own custom rules.
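The rule lookup described above can be modelled in a few lines. This is an added example, not HTTPS Everywhere's own code: the ruleset shape, the rule names and the example.org hosts are assumptions made for illustration, and the Google rule simply mirrors the redirect mentioned earlier in this article.

```javascript
// Constructed sample rulesets: each names the hosts it applies to, URL
// patterns to leave alone, and from/to rewrite rules.
const RULESETS = [
  {
    name: "Google Search (sample)",
    targets: ["google.com", "www.google.com"],
    exclusions: [],
    rules: [{ from: /^http:\/\/(www\.)?google\.com\//, to: "https://encrypted.google.com/" }],
  },
  {
    name: "Example wildcard (sample)",
    targets: ["*.example.org"],
    exclusions: [/^http:\/\/static\.example\.org\/legacy\//],
    rules: [{ from: /^http:/, to: "https:" }],
  },
];

// A target matches a host exactly, or through a leading "*." wildcard.
// "*.example.org" covers www.example.org but not example.org itself.
function hostMatches(target, host) {
  if (target.startsWith("*.")) return host.endsWith(target.slice(1));
  return target === host;
}

// Returns the URL the browser should load. `disabled` holds the names of
// rulesets the user has switched off for a site that breaks over HTTPS.
function rewrite(url, disabled = new Set()) {
  let parsed;
  try { parsed = new URL(url); } catch { return url; }
  if (parsed.protocol !== "http:") return url; // only plain HTTP is rewritten
  const normalized = parsed.href;              // "http://google.com" -> "http://google.com/"
  for (const rs of RULESETS) {
    if (disabled.has(rs.name)) continue;
    if (!rs.targets.some((t) => hostMatches(t, parsed.hostname))) continue;
    if (rs.exclusions.some((re) => re.test(normalized))) continue;
    for (const { from, to } of rs.rules) {
      if (from.test(normalized)) return normalized.replace(from, to);
    }
  }
  return url; // no applicable rule: the request stays on HTTP
}
```

A site with no ruleset, an excluded path, or a ruleset the user has disabled comes back unchanged, which is why the protection only reaches as far as the rule database does.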
Secondly, not all websites support HTTPS. HTTPS is strictly a server-based protocol in the sense that system/website admins have to set up websites to use HTTPS; it isn’t something you can activate on the user’s end. In the words of the EFF, “HTTPS Everywhere depends entirely on the security features of the individual web sites that you use; it activates those security features, but it can’t create them if they don’t already exist.”
Ahhhhh websites won’t load properly
The HTTPS version of a website may be different than the HTTP version of a website. For example, http://livejournal.com is different than https://livejournal.com; or https://encrypted.google.com does not contain the links to Google services in the Google bar located at the top whereas http://google.com does. The difference between HTTP and HTTPS versions of websites is out of HTTPS Everywhere’s control. Website admins control how their websites behave, look, and feel. HTTPS Everywhere cannot change websites.
If you find the HTTPS version of a website to be undesirable and would like to go back to the HTTP version, you can disable HTTPS Everywhere for the particular website by clicking on the HTTPS Everywhere icon and disabling HTTPS for that particular website.
HTTPS does not always mean secure
Ever notice the broken lock in your browser bar? The broken lock shows up when you are on an HTTPS page but the HTTPS page has some HTTP content (i.e. unsecure connections) embedded in it. (An example of this is how the HTTPS version of Wikipedia pulls images from WikiMedia.org which has no HTTPS version.) HTTPS Everywhere cannot protect against this. As I mentioned earlier, HTTPS Everywhere cannot change websites. If an HTTPS webpage contains unsecure content, HTTPS Everywhere will not be able to magically turn the unsecure content into secure content. So a broken lock will still be a broken lock. Be aware of this.
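A site owner can check a page for the embedded HTTP content that causes the broken lock. The scanner below is an added example, not part of HTTPS Everywhere or any browser; the hosts in the sample page are constructed placeholders, and the regex-based tag matching is a simplification of what a real HTML parser would do.

```javascript
// Tags that load a subresource into the page. Plain <a href> links are
// navigation, not embedded content, so they are deliberately not listed.
const TAG = /<(img|script|iframe|audio|video|source|link)\b([^>]*)>/gi;
// Scripts, frames and stylesheets can alter the page, not just display in it.
const ACTIVE = new Set(["script", "iframe", "link"]);

function attr(attrs, name) {
  const m = new RegExp(`\\b${name}\\s*=\\s*["']([^"']*)["']`, "i").exec(attrs);
  return m ? m[1] : null;
}

function findMixedContent(pageUrl, html) {
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return []; // only an HTTPS page can be "mixed"
  const findings = [];
  for (const [, rawTag, attrs] of html.matchAll(TAG)) {
    const tag = rawTag.toLowerCase();
    // <link> only pulls in a subresource when it is a stylesheet.
    if (tag === "link" && !/stylesheet/i.test(attr(attrs, "rel") || "")) continue;
    const ref = attr(attrs, tag === "link" ? "href" : "src");
    if (!ref) continue;
    let resolved;
    // Relative and protocol-relative ("//host/x") references inherit https.
    try { resolved = new URL(ref, page); } catch { continue; }
    if (resolved.protocol === "http:") {
      findings.push({ tag, url: resolved.href, kind: ACTIVE.has(tag) ? "active" : "passive" });
    }
  }
  return findings;
}

// Constructed sample page.
const SAMPLE_HTML = `
<link rel="stylesheet" href="/site.css">
<link rel="canonical" href="http://www.example.org/article">
<img src="http://images.example.net/photo.png">
<img src="//cdn.example.org/logo.png">
<script src="http://stats.example.net/t.js"></script>
<a href="http://other.example.com/">plain link, not a subresource</a>
`;
```

Run against the sample page served from an https:// address, it reports the image and the script loaded over http:// and ignores the relative stylesheet, the protocol-relative image, the canonical link and the ordinary hyperlink.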
Final Words and Download Link
I am sitting on the fence in regards to the need of using HTTPS for every website. I am not sure the lack of content (i.e. websites that have different HTTPS versions than HTTP versions) and the extra drain on bandwidth and computing resources is worth it to secure my Google search results. I understand the need to use HTTPS for logins or eCommerce or any other type of form input, but for just surfing the web? Iunno, I am still not convinced. However, for those that do desire it, HTTPS Everywhere is not a perfect solution but it is better than what you have right now: Nothing. You can grab HTTPS Everywhere from the links below. (HTTPS Everywhere is not available in Mozilla’s Firefox addons repository because EFF does not agree with Mozilla’s privacy policy. You must download HTTPS Everywhere from EFF’s website.)