104

HTTPS Everywhere is a browser extension, a collaboration between The Tor Project and the Electronic Frontier Foundation, that automates rewriting requests for HTTP URLs to the secure HTTPS alternative if available. It's apparently been around for roughly a decade but was never on my radar until someone recently asked about it. Trying to research it has produced a mixed bag of information.

  1. Regardless of need, it isn't clear how useful it is "out-of-the-box". Various articles refer to the need to supplement defaults with whitelists and rules to get the full benefits. So implementing it appears to not be a trivial task.

  2. At least at one time, a substantial portion of web sites were HTTP-only, so using such software could provide only limited benefit. It appears that sites dealing with sensitive personal data have pretty much moved to HTTPS-only. Google implemented various measures to incentivize web sites to convert to HTTPS. It isn't clear how big of a problem HTTP still is (or if it still is, whether the problem is quickly disappearing).

    It also isn't clear whether sites converting to HTTPS are retaining the HTTP links just for legacy visitors, and automatically redirecting to their HTTPS site.

  3. The major browsers appear to all have either incorporated logic to prefer HTTPS sites when available, or are well into the process of implementing it. At least Google (I haven't seen anything about other search engines) has a program by the same name (not clear if it is actually the same product) to automatically attempt an HTTPS connection on searches.

  4. Three years ago or so, there were articles about "why you need to install HTTPS Everywhere". A number of more recent articles have suggested that people should stop suggesting that people install this software. The gist seems to relate to browsers already duplicating the functionality.

So it isn't clear whether HTTP is still a substantive problem needing a solution, and if so, whether software that tries HTTPS links first can solve what's left of it. Has this whole issue been overtaken by events?

I'm looking for context rather than opinion (i.e., the facts describing the current situation rather than opinion about how good or bad it is, or whether I need the software). For example, do the major browsers now provide the remedy that HTTPS Everywhere was developed for? Is HTTP now virtually limited to sites where there's no personal data? Is there government or industry regulation that is intended to render this a non-issue? In other words, the kinds of objective information that will allow me (and others) to understand the current state of affairs in order to form my own opinion and determine relevance for myself.

fixer1234
  • 28,064

7 Answers

79

HTTPS Everywhere certainly used to be more necessary during the days of mixed content and half-hearted website configurations. The web is certainly more mature nowadays, with technologies like HSTS which can be used by any site, and public key pinning for the bigger players (now deprecated in favor of Certificate Transparency - thanks to Justin for informing me).

So, whether the extension is useful depends heavily on your individual use case. Making custom rules for websites that serve both HTTP and HTTPS is something the extension excels at, and I'm not aware of any others that do a similar job. Even in situations where a website doesn't support HTTPS, the extension will ensure that any references to third-party domains such as CDNs will be upgraded to HTTPS, even if the original reference was protocol-neutral.

BoffinBrain
  • 2,185

13

Speaking as a previous ruleset contributor to HTTPS Everywhere, I have the following to offer.

  • The HTTPS Everywhere project periodically tests all of their rewriting rules and disables those which fail for any reason. This ensures a relatively quick response to changing website configurations, but can lead to a significant portion of the rulesets being disabled unless significant maintenance effort is expended. Suggestions that the central rulesets should be supplemented mainly arise from ignorance that these central rulesets can and should be corrected. It's a matter of volunteer availability.

  • Significant progress has been made in moving the web to HTTPS-only, but many sites are still misconfigured and many more have not implemented the crucial HSTS preload protection needed to prevent first-connection attacks. Sites which implement this protection are shortly thereafter removed from HTTPS Everywhere's rulesets.

  • Web browser technology is very useful, but anything browsers do beyond the HSTS preload list is only nice to have. HTTPS Everywhere provides a stopgap for sites which have not enabled HSTS through the browser and essentially need a custom community-maintained HSTS configuration.

In summary, it doesn't hurt to keep it installed. Bear with it for a few more years and hopefully all this will become redundant.
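As an added illustration (written for this page, not part of the answer above and not code from HTTPS Everywhere or any browser), the following Python models what a browser does with a Strict-Transport-Security header: parse it, check it against the preload submission requirements, and decide whether a typed http:// URL gets upgraded. It shows the first-connection gap the answer refers to: a host that is neither preloaded nor previously visited over HTTPS is fetched in the clear. Host names are made up; the one-year max-age minimum is my assumption about what hstspreload.org currently requires.

```python
"""Toy model of browser-side HSTS handling. Illustrative code added to this
page; not from HTTPS Everywhere or any browser. Hosts are constructed."""
import re
import time

# Assumption: hstspreload.org currently requires max-age of at least one year.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_sts(header):
    """Parse a Strict-Transport-Security header value into a dict.
    Returns None when there is no valid max-age, which a browser ignores."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def preload_eligible(policy):
    """The three header conditions the preload list checks (it also checks the
    redirect chain and certificate, which this model does not cover)."""
    return (policy is not None
            and policy["max_age"] >= PRELOAD_MIN_MAX_AGE
            and policy["include_subdomains"]
            and policy["preload"])


class HstsCache:
    """Per-host HSTS store plus a built-in preload set, as a browser keeps it."""

    def __init__(self, preload=(), now=time.time):
        self.preload = set(preload)      # preloaded entries always cover subdomains
        self.known = {}                  # host -> (expires_at, include_subdomains)
        self.now = now

    def learn(self, host, header):
        """Record a policy seen over HTTPS; max-age=0 clears it (RFC 6797)."""
        policy = parse_sts(header)
        if policy is None:
            return
        if policy["max_age"] == 0:
            self.known.pop(host, None)
            return
        self.known[host] = (self.now() + policy["max_age"], policy["include_subdomains"])

    def _covers(self, host):
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preload:
                return True
            entry = self.known.get(candidate)
            if entry and entry[0] > self.now() and (i == 0 or entry[1]):
                return True
        return False

    def request_scheme(self, url):
        """Scheme the browser will really use for a typed or linked URL."""
        m = re.match(r"^http://([^/:]+)", url)
        if not m:
            return url.split(":", 1)[0]
        return "https" if self._covers(m.group(1).lower()) else "http"


def first_connection_demo():
    """Walk through the TOFU window: returns the scheme used at each step."""
    cache = HstsCache(preload={"preloaded.example"})
    steps = [cache.request_scheme("http://www.preloaded.example/login"),  # preloaded
             cache.request_scheme("http://unknown.example/")]             # first visit: exposed
    cache.learn("unknown.example", "max-age=600")                          # learned over HTTPS
    steps.append(cache.request_scheme("http://unknown.example/"))
    steps.append(cache.request_scheme("http://sub.unknown.example/"))      # no includeSubDomains
    cache.learn("unknown.example", "max-age=0")                            # site withdrew policy
    steps.append(cache.request_scheme("http://unknown.example/"))
    return steps
```

The second entry returned by `first_connection_demo()` is the gap the extension's rulesets paper over: nothing in the browser forces that first request to HTTPS until the site is preloaded or has been seen once over TLS.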

9

While improved awareness of HTTPS and HSTS have certainly brought security standards forward, there is still use for the HTTPS Everywhere extension:

HSTS is great at protecting against HTTP downgrade attacks, but one thing to notice is that it is based on a trust-on-first-use model. This means your first connection to the site must be through HTTPS or else the HSTS protection can be compromised (for example, an HTTP-to-HTTPS 301 redirect is a window of opportunity for an attack).

HSTS normally protects against this with the HSTS preload list, a list of domains built into the browser which forces the first connection to use only HTTPS for those sites. However, getting onto the list (and waiting for the change to be applied in browsers) takes some time, and not every site bothers to register itself. This is where the browser extension helps out by ensuring all first connections are through HTTPS only.

Another smaller case is when the website's HTTPS is located on a different path from the usual. For example a website might have http://www.example while having their secure site on https://secure.example. HTTPS Everywhere keeps a database of domains to ensure you are going to the correct URL for HTTPS.

Footnote: public key pinning also helps, but even Chrome decided to remove it for low adoption rates and the potential for being a foot-gun.

AlphaD
  • 191
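To make concrete what a "ruleset" is, here is a toy re-implementation of the extension's ruleset matching, added to this page (it is not the extension's own code). It serves both the custom-rule case BoffinBrain describes (including protocol-relative third-party references being upgraded) and the different-host case in the answer above (http://www.example to https://secure.example). The XML follows the HTTPS Everywhere ruleset file format as I remember it (target, exclusion and rule elements; from is a regex and to may use $1 back-references); the ruleset itself and every host name in it are constructed for the example, and the wildcard-target semantics are my assumption rather than verified against the extension.

```python
"""Toy HTTPS Everywhere-style ruleset engine. Written for this page; not the
extension's code. The ruleset and all hosts below are constructed."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

SAMPLE_RULESET = r"""
<ruleset name="Example (constructed)">
  <target host="example.test" />
  <target host="*.example.test" />
  <target host="cdn.example-static.test" />
  <exclusion pattern="^http://www\.example\.test/legacy/" />
  <rule from="^http://(?:www\.)?example\.test/(account|login)/"
        to="https://secure.example.test/$1/" />
  <rule from="^http:" to="https:" />
</ruleset>
"""


class Ruleset:
    def __init__(self, xml_text):
        root = ET.fromstring(xml_text.strip())
        self.name = root.get("name")
        self.targets = [t.get("host").lower() for t in root.findall("target")]
        self.exclusions = [re.compile(e.get("pattern")) for e in root.findall("exclusion")]
        # JS-style "$1" back-references in "to" become Python "\1".
        self.rules = [(re.compile(r.get("from")), re.sub(r"\$(\d+)", r"\\\1", r.get("to")))
                      for r in root.findall("rule")]

    def covers(self, host):
        host = host.lower()
        for target in self.targets:
            if target.startswith("*."):
                # Assumption: a wildcard target matches any host below the suffix.
                if host.endswith(target[1:]):
                    return True
            elif host == target:
                return True
        return False

    def rewrite(self, url):
        """Return the rewritten URL, or the input unchanged if no rule applies."""
        if not self.covers(urlsplit(url).hostname or ""):
            return url
        if any(e.search(url) for e in self.exclusions):
            return url
        for pattern, repl in self.rules:       # first matching rule wins
            new, n = pattern.subn(repl, url, count=1)
            if n:
                return new
        return url


def rewrite_reference(rulesets, ref, page_url):
    """Resolve a (possibly protocol-relative) reference against the page it
    appears on, then apply the first ruleset whose targets cover its host.
    This is how a "//cdn.example-static.test/lib.js" reference on an HTTP page
    still ends up fetched over HTTPS."""
    absolute = urljoin(page_url, ref)
    for rs in rulesets:
        if rs.covers(urlsplit(absolute).hostname or ""):
            return rs.rewrite(absolute)
    return absolute
```

Note the exclusion: the real rulesets carry many of these for paths that break over HTTPS, and a site change that invalidates an exclusion or a rule is exactly the maintenance burden the ruleset contributor above describes.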

8

I have noticed there are still a couple of websites around which have HTTPS support but do not redirect HTTP traffic to HTTPS. The extension isn't nearly as useful as it used to be, however. A few years back, websites like YouTube, Wikipedia and Reddit had HTTPS support but defaulted to HTTP. HTTPS Everywhere solved that and is still solving the problem for the small handful of websites that still default to HTTP but have HTTPS support.

Qwertie
  • 772

0

This will certainly come across as controversial, but nevertheless it's how I see it...

There is a bit of a misunderstanding in the necessity of HTTPS which was most probably spread deliberately. Like with every half-truth, there is some truth in the arguments, but also a whole lot of lies.

HTTPS (or TLS) does have some very useful and desirable properties (authentication and confidentiality) which are absolutely mandatory for some (think banking), and arguably necessary for quite a few, maybe the majority of, services. Anything that contains personal identification data, basically.
That being the case, there are many things for which HTTPS is utterly unnecessary, and on the other hand, HTTPS used improperly, i.e. with mixed content, can be pretty insecure (almost like no HTTPS), which was the justification for HTTPS everywhere in the first place. And yes, in the light of some sites back in the days that indeed offered a mandatory HTTPS kind of service with mixed content, it certainly did have some merit.

That, and then there's of course a good amount of paranoia that some people have and that is being actively promoted, about the whole world actually being interested in every little, unimportant thing in the unimportant little lives of everybody. Sure enough, after posting everything you've done today (with photos and geotag!) on Instagram where literally the whole world can read it, good job at having done so securely, via an encrypted channel. Also, it's important that nobody finds out about what you do on the internet in general. That, and there's this conspiracy where they alter news articles and feed you with false information to, uh... I don't know what for (actually, there is some truth in that, too, because that is just what e.g. Google does -- only at a different level, what's being changed is not the actual contents, but which content you're being shown at all, but that's irrespective of HTTPS being used). The silver bullet HTTPS prevents all these bad things! So clearly, everything needs to be HTTPS/TLS.

Regardless, even when used properly, HTTPS still fails to provide the service that you wish. For one reason, the entire chain of certificates works on the assumption that you can "trust" someone (say, Comodo) who makes money from selling certificates, without actually having a reason to trust them. And then, not just governments but also large enterprises (and schools, and antivirus, and who knows who else...) actively subvert the certificate chain by installing root certificates for the only purpose of, well, effectively breaking the system.
So, no, communications are not guaranteed to be confidential, and no, they are not authenticated in a reliable way. Not as much as you would think, anyway. Using your employer's laptop? Using your kid's computer? Lost cause. Antivirus installed on your computer? All bets are off.
But at least you know that a site is safe, the green thingie on your browser tells you so, and it warns about risky sites. Right, everybody can get a non-green certificate for free (avoiding the scary warning), and a green-badge certificate for very little money. It has absolutely no meaning.
I seriously hope you have TLS enabled for accessing your gmail account, too. Because, you know, that makes it secure, you don't want someone on the wire to read your mails, do you. Sure enough, Google will not read your entirely unencrypted mails while they are stored on their server. Sure enough, being a US company, they will not provide the contents to a particular governmental organization.

Now the real reason why you must have HTTPS everywhere is that companies like Google, Microsoft, or Amazon, and with them all providers who sell bandwidth, want that.

They do not want everybody and their grandmother to set up a credit-card computer as a transparent web proxy which not only reduces your bandwidth consumption by caching resources, but also filters out their advertising and tracking stuff. Sure, you can always add a browser plugin which does the same thing. Except, you must maintain it on every computer that you have in your house, and on some (Fire TV) it is outright impossible without rendering the device unusable, or you must root it (think Android phone) which also isn't necessarily destruction-free (thank you so much for Samsung Knox, so awesome).
Luckily, you can just cut the crap globally, for all devices within your network by having a transparent proxy right behind your cable/dsl modem, which costs you 20€ and 3 mins setup. Oh heck, what a catastrophe! You are to download exactly the version they want (including "personalization"), and when they want it, including all beacons and whatnot. So that is the true reason why you need HTTPS everywhere.

Ironically, the companies that promoted HTTPS and emphasized how e.g. TLS not only hides the actual content, but also the exact URL that you clicked on (like http://somesite.com/dirty_porn_pic.jpg) and such... in reality they are exactly the ones who go to any length to fingerprint your system, identify you, keep an infinite history, track every single click you do, and collect every possible piece of information including where you go and when, and your heartbeat. Or, the contents of any file on your computer. Ever wondered how Amazon does it so they incidentally recommend XYZ on your PC after you searched Google for XYZ on your phone five mins earlier? Different company, different device, one supposedly cannot possibly know both devices are owned by the same person. I did in fact wonder how it's done, since in my understanding, whatever they need to do to achieve that certainly is not compliant with the law (in the EU at least). But apparently, that's not a hindrance.

HTTPS actually helps in doing all these borderline-legitimate things, both by providing a false sense of security, by obscuring what is being sent, and by no longer making people ask: "Hey, what's that encrypted traffic coming from my device anyway!?". Because, you know, all traffic should be encrypted, that's a good thing. Encrypted stuff is not suspicious, it's probably harmless. Nobody is hiding something.

Damon
  • 4,622

0

I always thought HTTPS Everywhere was developed to prevent SSL-strip attacks, but maybe this is only a side effect. SSL-strip is still a problem though and with HTTPS Everywhere you can prevent it.

If an attacker can trick the user into using HTTP for the first request, (s)he can intercept the communication, use HTTPS to contact the server, modify the response and return it to the user. It is e.g. possible to modify all links in the result so they do not use SSL anymore, or they can be rewritten to contact an HTTPS url which is under control of the attacker.

This is where HTTPS Everywhere jumps in: this first HTTP request would be executed as HTTPS, so an attacker has no chance to intercept the traffic.
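The attack described in this answer, as an added offline simulation written for this page (not code from sslstrip, from HTTPS Everywhere, or from the answer's author): three plain functions stand in for the origin server, the on-path attacker and the browser, and nothing touches the network. Host names are fictitious. It shows why the first request is the whole game: once the victim's first request goes out as http://, the attacker can complete the TLS leg to the real site itself, hand back a plain-HTTP copy with every https link downgraded (and the login link pointed at attacker-controlled HTTPS), and drop the Secure flag from the session cookie; if that first request is issued as https://, the attacker never sees a request it can answer.

```python
"""Offline SSL-strip simulation. Added example, not code from any tool.
All hosts below are constructed."""
import re

ORIGIN = "bank.test"                        # fictitious victim site
ATTACKER_HOST = "bank-login.attacker.test"  # fictitious attacker host with its own valid cert


def origin_server(url):
    """The real site: 301s plain HTTP to HTTPS, serves HTTPS with https links."""
    if url.startswith("http://"):
        return 301, {"Location": "https://" + url[len("http://"):]}, ""
    body = (f'<a href="https://{ORIGIN}/login">Log in</a> '
            f'<form action="https://{ORIGIN}/transfer">')
    return 200, {"Set-Cookie": "session=abc; Secure; HttpOnly"}, body


def sslstrip(request_url):
    """Attacker sitting on the path of an http:// request. It follows the
    redirect to the real HTTPS origin itself, then returns a 200 over plain
    HTTP with the links downgraded and the login link hijacked."""
    status, headers, body = origin_server(request_url)
    while status == 301:
        status, headers, body = origin_server(headers["Location"])
    body = body.replace("https://", "http://")
    body = body.replace(f"http://{ORIGIN}/login", f"https://{ATTACKER_HOST}/login")
    # Without the Secure flag the cookie will later be sent in the clear too.
    headers = {k: v.replace("; Secure", "") for k, v in headers.items()}
    return 200, headers, body


def fetch(url, attacker_on_path):
    """Plain HTTP passes through the attacker if present. HTTPS reaches the
    origin: the attacker holds no valid certificate for bank.test."""
    if url.startswith("http://") and attacker_on_path:
        return sslstrip(url)
    status, headers, body = origin_server(url)
    if status == 301:
        return fetch(headers["Location"], attacker_on_path)
    return status, headers, body


def browse(typed, upgrade_first_request, attacker_on_path=True):
    """What a user who types a bare host name ends up loading. Browsers default
    that to http://; the flag models HTTPS Everywhere (or a browser HTTPS-only
    mode) turning the very first request into https://."""
    url = ("https://" if upgrade_first_request else "http://") + typed
    return fetch(url, attacker_on_path)


def links_in(body):
    return re.findall(r'(?:href|action)="([^"]+)"', body)
```

The redirect the honest origin sends is exactly the window the earlier answer calls a "window of opportunity": with no attacker present it works fine, but it only helps the client after the client has already spoken HTTP once.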

-2

As of August 2021, Firefox has baked it into the browser and Chrome will have it in the next few months. In Firefox you need to go into its preferences to activate it (it's off by default).

So you no longer need this extension.

But you should probably look into extensions like uBlock Origin and Trace for better protection.

music
  • 260