2011-01-09

Pirate Software, week 1: HTTPS Everywhere

Most web traffic on the net is transferred pretty much in clear text, dead simple to read by anyone between your computer and the destination computer. The protocol used is, as you may know, http. If this were the only way to communicate on the web, all our passwords would be stolen as soon as we sent them. Fortunately there is a cousin protocol called https, where the "s" stands for "secure". It is in use in most cases where you log in to a website (such as GMail). After you have logged in, traffic most often goes back to the insecure http protocol again.

Now, why isn't https used everywhere, all the time? Traditionally the reason has been performance, since https traffic is encrypted, which requires mind-bogglingly long computations on the server. Lately it has been shown that https can be turned on by default for all traffic with very little penalty. GMail is such a product, so you can actually read all your Google email using https. Unfortunately, most sites out there are still using https for login only.

This is where the HTTPS Everywhere Firefox plugin from the Electronic Frontier Foundation comes in. It will do all the switching to https for you, automatically, for a whole bunch of sites:
  • Google Search
  • Wikipedia
  • Twitter
  • Facebook
  • bit.ly
  • Wordpress.com blogs
  • The New York Times
  • The Washington Post
  • Paypal
  • EFF
  • Tor
  • ...
So, a Google search for "tunisia" automatically becomes:
https://encrypted.google.com/search?q=tunisia
And if you click on the Wikipedia http link that looks like this:
http://en.wikipedia.org/wiki/Tunisia
The HTTPS Everywhere plugin will ensure that you are instead sent to this https link:
https://secure.wikimedia.org/wikipedia/en/wiki/Tunisia
If you use this Firefox plugin, the result is that it gets much much much harder to listen in on what you do on all of the websites mentioned above. If all web traffic were transformed from http to https, it would become almost impossible for FRA to do any surveillance of Swedish web traffic.
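What the plugin does to the two links above, as an added example in JavaScript (not the plugin's own code or ruleset files): a minimal regex-based rewrite engine in the spirit of HTTPS Everywhere, with two rules constructed from the Google and Wikipedia rewrites shown in this post. The ruleset shape and the rule patterns are assumptions, not copied from the plugin.

```javascript
// Added example: a small http -> https rewrite engine modelled loosely on
// HTTPS Everywhere's regex rulesets. The rulesets below are CONSTRUCTED from
// the two rewrites in the post; they are not the plugin's real rules.
const RULESETS = [
  {
    name: "Google Search (constructed rule)",
    rules: [
      // http://google.com/search?... or http://www.google.com/search?...
      // becomes the encrypted search host shown in the post.
      {
        from: /^http:\/\/(www\.)?google\.com\/search\?/,
        to: "https://encrypted.google.com/search?",
      },
    ],
  },
  {
    name: "Wikipedia (constructed rule)",
    rules: [
      // http://<lang>.wikipedia.org/wiki/<Article> becomes
      // https://secure.wikimedia.org/wikipedia/<lang>/wiki/<Article>
      {
        from: /^http:\/\/([a-z]{2,3})\.wikipedia\.org\/wiki\//,
        to: "https://secure.wikimedia.org/wikipedia/$1/wiki/",
      },
    ],
  },
];

// Apply the first matching rule and return the rewritten URL. URLs that are
// already https (or any non-http scheme) and URLs of sites without a rule
// are returned unchanged, so the function is safe to call on every request.
function rewriteUrl(url, rulesets = RULESETS) {
  if (!/^http:\/\//i.test(url)) return url; // only plain http is rewritten
  for (const ruleset of rulesets) {
    for (const rule of ruleset.rules) {
      if (rule.from.test(url)) {
        return url.replace(rule.from, rule.to);
      }
    }
  }
  return url; // no rule applies: leave the request alone
}

// Stand-alone demo on the post's two example links.
console.log(rewriteUrl("http://www.google.com/search?q=tunisia"));
console.log(rewriteUrl("http://en.wikipedia.org/wiki/Tunisia"));
```

The query string and article path are carried over untouched, which is the property that makes this kind of rewrite transparent to the user.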

Now, who are these Electronic Frontier Foundation guys? They are indeed one of the truly Good Guys on the net. Quote from their website:
When our freedoms in the networked world come under attack, the Electronic Frontier Foundation (EFF) is the first line of defense.
So, you can trust them!

The plugin is very simple to install, and just works! Get it now!

4 comments:

  1. Thanks for the inspiration to check around for a similar extension for Google Chrome! I found "KB SSL Enforcer" which seems to have similar functionality.
    https://chrome.google.com/extensions/detail/flcpelgcagfhfoegekianiofphddckof
  2. Thanks for the comment! It was exactly the kind of feedback I was hoping for!
  3. For the technical/paranoid people in the audience, the Certificate Patrol plug-in is an excellent companion to HTTPS-Everywhere.

    In short, Certificate Patrol keeps a record of which CA certificates you saw where and lets you know if, when you visit a site, the certificate has changed.

    Reminiscent in many ways of the SSH security model, this allows you to detect man-in-the-middle attacks, even if the attacker has obtained a valid certificate for the site you are trying to contact. Considering that over 600 organizations in the world can create such certificates, this is not just a theoretical risk.
  4. I don’t know how I should give you thanks! I am totally stunned by your article. You saved my time. Thanks a million for sharing this article.