HTTPS Everywhere is one of those extensions that only Firefox makes possible. Developed by the Electronic Frontier Foundation, HTTPS Everywhere automatically redirects you to the encrypted version of websites. It works on Google, Wikipedia and other popular websites.
Encryption ensures no one can eavesdrop on your web browsing. Whether you’re searching on Google, browsing Wikipedia or sending private messages on Facebook, your information is sent in the clear if you’re not using encryption.
Getting the Extension
You won’t find HTTPS Everywhere in the official Firefox add-ons gallery; you’ll have to get it directly from the Electronic Frontier Foundation’s site. Just go to the HTTPS Everywhere page and click the big Install HTTPS Everywhere button.
Taking a Tour
HTTPS Everywhere adds a button to Firefox’s toolbar; you can click the button to view its status and change its settings. Let’s head over to MakeUseOf with HTTPS Everywhere installed and see what it does.
HTTPS Everywhere is enforcing encrypted connections to many services we use on MakeUseOf, although many may use encryption by default. With HTTPS Everywhere, you don’t depend on the webmaster to set up their site properly; you get encryption everywhere you go — with every service that supports it, of course.
Plug a search into the Google search box included with Firefox and you’ll go straight to Google’s encrypted search page. Any searches you make with Google’s HTTPS site are encrypted before they’re sent to Google, so no one can eavesdrop on them. Without the extension, people on public Wi-Fi networks can see all your searches.
Sure, you could head over to encrypted.google.com and start your search from there, maybe even install a search plug-in for Google’s encrypted search engine and use that instead. But HTTPS Everywhere does everything for you.
Click a link to Wikipedia and you’ll see the same thing. HTTPS Everywhere turns every Wikipedia link on the web into a link to Wikipedia’s secure, encrypted site.
What It Really Does
So what does HTTPS Everywhere actually do? We can sneak a peek at our web browsing traffic with WireShark and see for ourselves.
Let’s plug “super secret search” into Google’s normal, unencrypted search engine. With Wireshark capturing our traffic, this is what we see:
There it is. Our super secret search is being sent in plain text for all the world to see. On an open Wi-Fi network? People around you can see your super secret search. Now imagine you’re sending a private message on Facebook and you’ll see why this is important. Facebook has a secure browsing option, but having HTTPS Everywhere installed will automatically enable it for you. You won’t have to worry about finding the option on every website you use.
Now let’s turn on HTTPS Everywhere and perform the search again. HTTPS Everywhere automatically uses Google’s encrypted search engine.
Our communication with Google is happening over HTTPS now. An eavesdropper can see we’re contacting Google’s servers, but that’s all they can see — they don’t know the specific page we’re using or what type of data is getting sent back and forth.
Tools like Firesheep do the same sort of thing, but with an easier-to-use interface. You don’t have to understand networking to snoop with Firesheep.
HTTPS Everywhere has a pretty barebones configuration screen. You can see the list of websites it supports and disable them if you encounter problems. You can also enable rules that are disabled by default, possibly because they break certain features on a site.
Want to add your own HTTPS Everywhere rules? You can’t do that from this window, but the EFF has a guide for doing that yourself. Bear in mind that you can only enable HTTPS for a site if that site has an HTTPS version that isn’t used by default. HTTPS Everywhere includes most popular sites that have HTTPS versions, so you probably shouldn’t have to create any rules yourself.
Other Web Browsers
Like the idea, but use another web browser? No other browser has the extensions framework that makes HTTPS Everywhere possible. Google Chrome is closest to getting there, but Internet Explorer and Safari users are out of luck.
If you use Chrome, you can try KB SSL Enforcer, which we’ve covered here. KB SSL Enforcer doesn’t work as well as HTTPS Everywhere; it fetches the HTTP page before the HTTPS page. The EFF promises to release HTTPS Everywhere for Chrome when Chrome’s extension framework evolves to make it possible.
HTTPS Everywhere is definitely a compelling reason to switch to Firefox if you use another web browser — or is it? Do you prefer another browser anyway? Let us know in the comments.