HTTPS Everywhere

From Wikipedia, the free encyclopedia
Developer(s): The Tor Project and the Electronic Frontier Foundation
Stable release: 5.0.3 / 30 April 2015[1]
Preview release: 5.0development.4 / 20 March 2015[1]
Development status: Active
Written in: JavaScript
Type: Browser extension
License: GNU GPL v3+ (most code is v2 compatible)[2]
As of April 2014

HTTPS Everywhere is a free and open source web browser extension for Google Chrome, Mozilla Firefox and Opera, a collaboration by The Tor Project and the Electronic Frontier Foundation.[3] Its purpose is to automatically make websites use the more secure HTTPS connection instead of HTTP.[4]


HTTPS Everywhere was inspired by Google's increased use of HTTPS,[5] and is designed to make HTTPS less difficult to use.[6] The code is based in part on NoScript's HTTP Strict Transport Security implementation, but HTTPS Everywhere is intended to be simpler to use than NoScript.[7] The EFF provides information for users on how to add HTTPS rulesets to HTTPS Everywhere,[8] and information on which websites support HTTPS.[9]

Version history

A public beta of HTTPS Everywhere was released in 2010,[10] and version 1.0 was released in 2011.[11] Version 2.0.1 for Firefox was released in February 2012, and a beta for Google Chrome was released at the same time.[12] Version 3.0 was released in October 2012.[13] Version 4.0 was released in August 2014.[14] Version 5.0 was released in April 2015.[15]

SSL Observatory

The SSL Observatory is a feature in HTTPS Everywhere introduced in version 2.0.1[12] which analyzes public key certificates to determine if certificate authorities have been compromised,[16] and if the user is vulnerable to man-in-the-middle attacks.[17] The ICANN Security and Stability Advisory Committee (SSAC) notes that the dataset used by the SSL Observatory often treats intermediate authorities as different entities, thus inflating the number of certificate authorities. The SSAC criticizes SSL Observatory for potentially significantly undercounting internal name certificates, and notes that it uses a data set from 2010.[18]


Two studies have recommended building HTTPS Everywhere functionality into Android browsers.[19][20] In 2014, a version was released for Android phones.[21] In 2012, Eric Phetteplace described it as "perhaps the best response to Firesheep-style attacks available for any platform".[22] In 2011, Vincent Toubiana and Vincent Verdot pointed out some drawbacks of the HTTPS Everywhere plugin: some services are still only available through HTTP, the list of services which support HTTPS needs maintaining, and some services are redirected to HTTPS even though they are not yet available over HTTPS, which prevents the user of the extension from reaching the service.[23]
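The following is an added example, not code from the HTTPS Everywhere project, showing ruleset-driven rewriting and the drawbacks listed above: a host with no ruleset stays on HTTP, and a path that is not served over HTTPS has to be covered by a maintained exclusion. The rulesets, the hosts and the function names `hostMatches` and `rewrite` are constructed for illustration, and rulesets are modelled as plain objects rather than the project's own ruleset files.

```javascript
// Constructed sample rulesets; hosts use the reserved .example TLD.
const RULESETS = [
  {
    name: "Example shop",
    targets: ["shop.example", "*.shop.example"],
    // Paths known not to be served over HTTPS are left alone.
    exclusions: [/^http:\/\/static\.shop\.example\/legacy\//],
    rules: [{ from: /^http:/, to: "https:" }],
  },
  {
    name: "Example news",
    targets: ["news.example"],
    exclusions: [],
    // HTTPS lives on a different host, so the rule rewrites the authority too.
    rules: [{ from: /^http:\/\/news\.example\//, to: "https://secure.news.example/" }],
  },
];

// A target is an exact host or a leading-wildcard pattern such as "*.shop.example".
function hostMatches(target, host) {
  return target.startsWith("*.") ? host.endsWith(target.slice(1)) : target === host;
}

// Returns the URL to request plus the reason, so callers can log the decision.
function rewrite(url, rulesets = RULESETS) {
  let href;
  try {
    href = new URL(url).href; // normalizes scheme and host case
  } catch {
    return { url, action: "invalid" };
  }
  if (!href.startsWith("http:")) return { url: href, action: "unchanged" };
  const host = new URL(href).hostname;
  for (const rs of rulesets) {
    if (!rs.targets.some((t) => hostMatches(t, host))) continue;
    if (rs.exclusions.some((re) => re.test(href))) {
      return { url: href, action: "excluded", ruleset: rs.name };
    }
    for (const { from, to } of rs.rules) {
      if (from.test(href)) {
        return { url: href.replace(from, to), action: "upgraded", ruleset: rs.name };
      }
    }
  }
  // No maintained ruleset covers this host: the request stays on plain HTTP.
  return { url: href, action: "no-ruleset" };
}
```

If the exclusion in the first ruleset were missing or out of date, the legacy path would be rewritten to an HTTPS URL the server does not answer, which is the unreachable-service case described above.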

See also


  1. ^ a b "Changelog.txt". EFF. 2014-10-15. Retrieved 2015-03-23. 
  2. ^ HTTPS Everywhere Development Electronic Frontier Foundation
  3. ^ "HTTPS Everywhere | Electronic Frontier Foundation". Retrieved 2014-04-14. 
  4. ^ "HTTPS Everywhere reaches 2.0, comes to Chrome as beta - The H Open: News and Features". 2012-02-29. Retrieved 2014-04-14. 
  5. ^ "Automatic web encryption (almost) everywhere - The H Open Source: News and Features". 2010-06-18. Archived from the original on 2010-06-23. Retrieved 2014-04-15. 
  6. ^ Kate Murphy: New hacking tools pose bigger threats to Wi-Fi users. The New York Times, February 17, 2011.
  7. ^ "HTTPS Everywhere | Electronic Frontier Foundation". Retrieved 2014-06-04. 
  8. ^ "HTTPS Everywhere Rulesets | Electronic Frontier Foundation". 2014-01-24. Retrieved 2014-05-19. 
  9. ^ "HTTPS Everywhere Atlas". Retrieved 2014-05-24.
  10. ^ Mills, Elinor (2010-06-18). "Firefox add-on encrypts sessions with Facebook, Twitter". CNET. Retrieved 2014-04-14. 
  11. ^ Scott Gilbertson (2011-08-05). "Firefox Security Tool HTTPS Everywhere Hits 1.0 | Webmonkey". WIRED. Retrieved 2014-04-14.
  12. ^ a b "HTTPS Everywhere & the Decentralized SSL Observatory | Electronic Frontier Foundation". 2012-02-29. Retrieved 2014-06-04. 
  13. ^ "HTTPS Everywhere 3.0 protects 1,500 more sites | Electronic Frontier Foundation". 2012-10-08. Retrieved 2014-06-04. 
  14. ^ "". 2014-12-31. Retrieved 2014-12-31. 
  15. ^ "". 2015-04-05. Retrieved 2015-04-03. 
  16. ^ Lemos, Robert (2011-09-21). "EFF builds system to warn of certificate breaches | Encryption". InfoWorld. Retrieved 2014-04-14. 
  17. ^ Vaughan, Steven J. (2012-02-28). "New 'HTTPS Everywhere' Web browser extension released". ZDNet. Retrieved 2014-04-14. 
  18. ^ "1 SSAC Advisory on Internal Name Certificates" (PDF). ICANN Security and Stability Advisory Committee (SSAC). 15 March 2013. 
  19. ^ Fahl, Sascha et al. "Why Eve and Mallory love Android: An analysis of Android SSL (in)security" (PDF). Proceedings of the 2012 ACM conference on Computer and communications security (ACM, 2012). 
  20. ^ Davis, B.; Chen, H. (2013). "Retro Skeleton". Proceeding of the 11th annual international conference on Mobile systems, applications, and services - MobiSys '13. p. 181. doi:10.1145/2462456.2464462. ISBN 9781450316729.
  21. ^ Brian, Matt (2014-01-27). "Browsing on your Android phone just got safer, thanks to the EFF". Retrieved 2014-04-14. 
  22. ^ Kern, M. Kathleen, and Eric Phetteplace. "Hardening the browser." Reference & User Services Quarterly 51.3 (2012): 210-214.
  23. ^ Toubiana, Vincent; Verdot, Vincent (2011). "Show Me Your Cookie And I Will Tell You Who You Are". arXiv:1108.5864 [cs.CR].