
EFF: Encrypt the Web with HTTPS Everywhere

From:  EFF Press <press-AT-eff.org>
To:  presslist-AT-eff.org
Subject:  EFF: Encrypt the Web with HTTPS Everywhere
Date:  Thu, 04 Aug 2011 15:56:20 -0700
Message-ID:  <4E3B2394.70209@eff.org>

Electronic Frontier Foundation Media Release

For Immediate Release: Thursday, August 04, 2011

Contact:

Peter Eckersley
   Senior Staff Technologist
   Electronic Frontier Foundation
   pde@eff.org
   +1 415 436-9333 x131

Seth Schoen
   Senior Staff Technologist
   Electronic Frontier Foundation
   seth@eff.org
   +1 415 436-9333 x107

Encrypt the Web with HTTPS Everywhere

Firefox Extension Defends Against Search Hijacking Schemes
and Improves Web Security

San Francisco - The Electronic Frontier Foundation (EFF),
in collaboration with the Tor Project, has launched an
official 1.0 version of HTTPS Everywhere, a tool for the
Firefox web browser that helps secure web browsing by
encrypting connections to more than 1,000 websites.

HTTPS Everywhere was first released as a beta test version
in June of 2010.  Today's 1.0 version includes support for
hundreds of additional websites, using carefully crafted
rules to switch from HTTP to HTTPS.  HTTPS protects against
numerous Internet security and privacy problems, including
the search hijacking on U.S. networks that was revealed by
an article published today in New Scientist magazine.  The
article, entitled "US internet providers hijacking users'
search queries," documents how a company called Paxfire has
been intercepting and altering search traffic on a number
of ISPs' networks.  HTTPS can prevent such attacks.

"HTTPS secures web browsing by encrypting both requests
from your browser to websites and the resulting pages that
are displayed," said EFF Senior Staff Technologist Peter
Eckersley.  "Without HTTPS, your online reading habits and
activities are vulnerable to eavesdropping, and your
accounts are vulnerable to hijacking.  Today's Paxfire
revelations are a grand example of how things can go wrong.
EFF created HTTPS Everywhere to make it easier for people
to keep their user names, passwords, and browsing histories
secure and private.  With the revelation that companies
like Paxfire are out there, intercepting millions of
people's searches without their permission, this kind of
protection is indispensable."

HTTPS Everywhere 1.0 encrypts connections to Google Image
Search, Flickr, Netflix, Apple, and news sites like NPR and
the Economist, as well as dozens of banks.  HTTPS
Everywhere also includes support for Google Search,
Facebook, Twitter, Hotmail, Wikipedia, the New York Times,
and hundreds of other popular websites.

However, many websites have not implemented HTTPS at all.
On sites that are HTTP-only, users still have to live with
lower levels of privacy and security.

"More websites should implement HTTPS to help protect their
users from identity theft, viruses, and other security
threats," said Senior Staff Technologist Seth Schoen.  "Our
Firefox extension is able to protect people using Google,
DuckDuckGo or StartingPage for their searches.  But we
currently can't protect Bing and Yahoo users, because those
search engines do not support HTTPS."

HTTPS Everywhere has been downloaded millions of times
since last year's initial beta release.

To download HTTPS Everywhere for Firefox:
https://www.eff.org/https-everywhere

For more on implementing HTTPS in websites:
https://www.eff.org/pages/how-deploy-https-correctly

For this release:
https://www.eff.org/press/archives/2011/08/04

About EFF

The Electronic Frontier Foundation is the leading civil
liberties organization working to protect rights in the
digital world. Founded in 1990, EFF actively encourages and
challenges industry and government to support free
expression and privacy online. EFF is a member-supported
organization and maintains one of the most linked-to
websites in the world at https://www.eff.org/




     -end-

_______________________________________________
To unsubscribe or manage your email options:
https://mail1.eff.org/mailman/listinfo/presslist




EFF: Encrypt the Web with HTTPS Everywhere

Posted Aug 5, 2011 19:12 UTC (Fri) by Wummel (subscriber, #7591)

No cake for Google Chrome users. The EFF says about the KB SSL enforcer:
<quote> but it does not appear to be implemented securely; when we tested it, it seemed to always use http before https, which means that your surfing habits and authentication cookies are not protected (this may be a limitation of the Chrome Extensions framework). </quote>
Well, I'll try it anyway.

EFF: Encrypt the Web with HTTPS Everywhere

Posted Aug 5, 2011 20:43 UTC (Fri) by dtlin (✭ supporter ✭, #36537)

You can always use Chrome's HSTS support to force HTTPS on a domain. chrome://net-internals/#hsts

EFF: Encrypt the Web with HTTPS Everywhere

Posted Aug 5, 2011 21:09 UTC (Fri) by josh (subscriber, #17465)

That requires support from the site; this doesn't.

EFF: Encrypt the Web with HTTPS Everywhere

Posted Aug 6, 2011 3:54 UTC (Sat) by AnthonyJBentley (guest, #71227)

No, Chrome lets you force HSTS even for sites that don’t send the relevant headers.

That said, it might not work for all cases that HTTPS Everywhere supports. For instance, the secure Wikipedia is at secure.wikimedia.org/wikipedia/en/, not en.wikipedia.org, and I doubt HSTS would do the required automatic remapping.
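Added example (not part of the comment above and not HTTPS Everywhere's own code): a sketch contrasting an HSTS-style upgrade, which only swaps the scheme on the same host, with a ruleset-style rewrite that can remap host and path. The rule shown is constructed from the Wikipedia mapping mentioned in this thread; the function names and the rule layout are assumptions for illustration.

```javascript
// Constructed ruleset for illustration; not taken from the extension's rule files.
const RULESETS = [
  {
    name: 'Wikipedia (constructed)',
    targets: ['en.wikipedia.org'],
    rules: [
      { from: /^http:\/\/en\.wikipedia\.org\//,
        to: 'https://secure.wikimedia.org/wikipedia/en/' },
    ],
  },
];

// HSTS-style upgrade: host and path are kept, only the scheme changes.
// pinnedHosts entries: { host, includeSubDomains } (hypothetical shape).
function hstsUpgrade(urlString, pinnedHosts) {
  const url = new URL(urlString);
  if (url.protocol !== 'http:') return urlString;
  const host = url.hostname;
  const pinned = pinnedHosts.some(p =>
    host === p.host || (p.includeSubDomains && host.endsWith('.' + p.host)));
  if (!pinned) return urlString;
  url.protocol = 'https:';
  return url.toString();
}

// Ruleset-style rewrite: a matching rule may change host and path as well.
function rulesetRewrite(urlString, rulesets) {
  const host = new URL(urlString).hostname;
  for (const rs of rulesets) {
    if (!rs.targets.includes(host)) continue;
    for (const rule of rs.rules) {
      if (!rule.from.test(urlString)) continue;
      const out = urlString.replace(rule.from, rule.to);
      // Fail safe: never apply a rule whose result is not HTTPS.
      return new URL(out).protocol === 'https:' ? out : urlString;
    }
  }
  return urlString; // no rule applies; request goes out unchanged
}

// Show both outcomes for the same plain-HTTP URL.
function compare(urlString) {
  const pins = [{ host: 'en.wikipedia.org', includeSubDomains: false }];
  return {
    hsts: hstsUpgrade(urlString, pins),
    ruleset: rulesetRewrite(urlString, RULESETS),
  };
}
```

For `http://en.wikipedia.org/wiki/HTTPS`, the HSTS path yields a URL on the same host, while the ruleset path lands on `secure.wikimedia.org/wikipedia/en/`.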

EFF: Encrypt the Web with HTTPS Everywhere

Posted Aug 5, 2011 21:27 UTC (Fri) by dwmw2 (subscriber, #2063)

This is mostly incompatible with the captive portals in hotels and airports, right? If we move to HTTPS everywhere, those login pages will never show up; the network will just not work?

EFF: Encrypt the Web with HTTPS Everywhere

Posted Aug 5, 2011 21:58 UTC (Fri) by cry_regarder (subscriber, #50545)

So just go to a make-believe site so you get the hotel portal site. Then other stuff will load.

EFF: Encrypt the Web with HTTPS Everywhere

Posted Aug 5, 2011 22:04 UTC (Fri) by tialaramex (subscriber, #21167)

They're doomed -- any well-meaning, or even greedy but harmless use of MitM techniques is doomed when bad guys use MitM attacks and force the use of countermeasures.

I imagine that somebody will make a few bucks fixing this, if we're lucky they'll fix it in a way that actually makes some kind of sense.

For example presumably devices are doing DHCP to get an IPv4 address to communicate with these dubious wireless networks, DHCP is extensible, adding a field for "URL of site you should visit if you need additional credentials to make use of this connection" shouldn't be beyond the wit of man.

In fact for all I know all this already exists.

EFF: Encrypt the Web with HTTPS Everywhere

Posted Aug 5, 2011 23:13 UTC (Fri) by cesarb (subscriber, #6266)

Another way would be to have a standard address to be hijacked. IIRC, some domestic routers hijack a specific address (which is owned by the manufacturer) to point to its built-in configuration page.

But even then, these captive portals are already broken. Both Opera Mini and Opera Mobile can use Opera's servers as an encrypted, authenticated and compressed proxy. AFAIK, Opera Mini requires it (it cannot work without Opera's proxies).

So, if you are using Opera Mini or Opera Mobile, you will not see these captive portals, unless you know they are there and that you have to disable that specific configuration option (and for Opera Mini, even that is not possible). The configuration option's name does not make it obvious that it will break captive portals; it only makes it obvious that it is supposed to make your browsing go faster (at least on Opera Mobile, the option is called "Opera Turbo").

EFF: Encrypt the Web with HTTPS Everywhere

Posted Aug 5, 2011 22:58 UTC (Fri) by cesarb (subscriber, #6266)

It would be great if the old pages in lwn.net worked with it. Compare for instance http://lwn.net/1998/0129/ and https://lwn.net/1998/0129/.

EFF: Encrypt the Web with HTTPS Everywhere

Posted Aug 11, 2011 16:15 UTC (Thu) by intgr (subscriber, #39733)


Copyright © 2011, Eklektix, Inc.