HTTPS Everywhere

from Wikipedia, the free encyclopedia
HTTPS Everywhere

HTTPS Everywhere icon.svg
Basic data

developer Electronic Frontier Foundation
Publishing year 2010
Current  version 2019.5.13
(13.05.2019)
programming language JavaScript , Python
category Browser plug-in
License GPL v3
German speaking Yes
www.eff.org/https-everywhere

HTTPS Everywhere is a browser plug-in for the web browsers : Mozilla Firefox , Opera and, since 2012, also for Google Chrome , with the aim of automatically requesting connections to websites in encrypted form. It is being developed as free software by the Electronic Frontier Foundation (EFF) in collaboration with the Tor Project .

functionality

By default, connections to most websites are established using the unencrypted HTTP protocol. This allows attackers to eavesdrop on or even manipulate network traffic. To counteract this, many website operators also offer an encrypted connection via HTTPS . In cases in which the use of the encrypted connection is optional, it is up to the user to ensure that the requested website is transmitted via HTTPS.

At this point, HTTPS Everywhere does the work for the user and replaces HTTP requests with HTTPS requests, if the server supports this. This works with the pages that have been checked by the EFF for HTTPS suitability and added to the internal list of the add-on. More complex redirects can be defined in these lists with the help of regular expressions .

Such rules for individual websites can be activated or deactivated in the settings. It is possible your own rules ( English rulesets to be defined) for specific sites. If you want to publish your own rules for other users, you have the option of making them available on GitHub using a pull request or sending them to a specially set up e-mail address.

With version 4.0.2, an option has been implemented that allows you to completely block insecure http connections with one click.

SSL Observatory

From version 2.0 the add-on contains the SSL Observatory . When enabled, the add-on checks when calling a Website SSL - certificate with a provided on the EFF server list.

In this way it can be checked whether the certificate delivered is what is known to belong to a website or whether a man-in-the-middle attack is taking place. The user is also warned if insecure cryptographic methods are used.

The EFF states that it treats incoming inquiries as anonymously as possible.

Continuous rule set updates

With version 2018.4.3 published on April 3, 2018, the "Continual Ruleset Updates" function was introduced. This update function carries out a rule set comparison within 24 hours in order to always be able to use the most current https rules possible. A website called "www.https-rulesets.org" was set up by the EFF specifically for this purpose. This option, called "Update rule sets automatically", can be deactivated in the add-on settings. Before this update mechanism was introduced, the rule sets were only updated for app updates. Even after this function has been introduced, so-called "bundled rulesets", ie implemented rule sets, are often included with app updates.

criticism

By checking the certificates using the SSL Observatory , the web addresses accessed are transmitted to the EFF. This function is therefore questionable under data protection law, but it must also be activated explicitly by the user.

Not all websites are switched to a secure connection (https), as the name suggests (English: HTTPS Everywhere , German: HTTPS everywhere ), but only certain websites that are entered in the so-called HTTPS Everywhere Atlas database.

Web links

Individual evidence

  1. HTTPS Everywhere. In: HTTPS Everywhere. Electronic Frontier Foundation, accessed May 28, 2019 .
  2. Changelog. In: Changelog.txt. Electronic Frontier Foundation, accessed May 28, 2019 .
  3. HTTPS Everywhere now also for Chrome. In: heise Security . March 2, 2012, accessed July 12, 2016 .
  4. Automatic web encryption for (almost) everywhere. In: heise Security. June 18, 2010, accessed July 12, 2016 .
  5. HTTPS Everywhere Rulesets: Testing and Submitting. In: eff.org. Retrieved February 28, 2016 .
  6. HTTPS Everywhere Changelog (English)
  7. https-everywhere now delivers new rulesets without upgrading extension. In: bleepingcomputer.com. April 5, 2018, accessed July 11, 2018 .
  8. ^ The EFF SSL Observatory - Electronic Frontier Foundation. In: eff.org. Retrieved February 15, 2016 .
  9. HTTPS Everywhere Atlas. In: eff.org. Retrieved February 15, 2016 .