James's Blog

IT Hints, tips, tricks, and ramblings.

Improve your internet browsing security with HTTPS Everywhere

Posted by on in Tech tips and thoughts
Firstly, what is HTTPS?

When you are doing general internet browsing, you're usually using HTTP, for example "http://www.google.com". HTTP is not secure, as all data is sent in plain text. This makes eavesdropping and "man-in-the-middle" attacks a piece of cake. HTTPS is a secure alternative to HTTP (yes, the S stands for Secure). You've probably noticed that when you log into services such as internet banking, the link in the address bar tends to start with "https://". If you use free/public WiFi hotspots, HTTPS usage is something you should be concerned about: without it, all of your data, such as usernames, passwords and search terms, is sent out in plain text.

Something you may not know is that lots of websites do actually support HTTPS as an option, but your browser will not use HTTPS by default. This is where HTTPS Everywhere steps in.

HTTPS Everywhere is a browser add-on for Mozilla Firefox and/or Google Chrome that forces your browser to use HTTPS instead of HTTP when it is available. The plugin currently has ~3000 supported websites predefined. This helps to keep your data from falling into the wrong hands.

Two noteworthy questions and answers from the official plugin website - https://www.eff.org/https-everywhere/faq

Q. When does HTTPS Everywhere protect me? When does it not protect me?

A. HTTPS Everywhere protects you only when you are using encrypted portions of supported web sites. On a supported site, it will automatically activate HTTPS encryption for all known supported parts of the site (for some sites, this might be only a portion of the entire site). For example, if your web mail provider does not support HTTPS at all, HTTPS Everywhere can't make your access to your web mail secure. Similarly, if a site (like the New York Times website) allows HTTPS for text but not images, someone might be able to see which images your browser loads and guess what you're accessing.

HTTPS Everywhere depends entirely on the security features of the individual web sites that you use; it activates those security features, but it can't create them if they don't already exist. If you use a site not supported by HTTPS Everywhere or a site that provides some information in an insecure way, HTTPS Everywhere can't provide additional protection for your use of that site. Please remember to check that a particular site's security is working to the level you expect before sending or receiving confidential information, including passwords.

Q. What does HTTPS Everywhere protect me against?

A. On supported parts of supported sites, HTTPS Everywhere enables the sites' HTTPS protection which can protect you against eavesdropping and tampering with the contents of the site or with the information you send to the site. Ideally, this provides some protection against an attacker learning the content of the information flowing in each direction — for instance, the text of e-mail messages you send or receive through a webmail site, the products you browse or purchase on an e-commerce site, or the particular articles you read on a reference site.

However, HTTPS Everywhere does not conceal the identities of the sites you access, the amount of time you spend using them, or the amount of information you upload or download from a particular site. For example, if you access http://www.eff.org/issues/nsa-spying and HTTPS Everywhere rewrites it to https://www.eff.org/issues/nsa-spying, an eavesdropper can still trivially recognize that you are accessing www.eff.org (but might not know which issue you are reading about). In general, the entire hostname part of the URL remains exposed to the eavesdropper because this must be sent repeatedly in unencrypted form while setting up the connection. Another way of saying this is that HTTPS was never designed to conceal the identity of the sites that you visit.
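
To make the two answers above concrete, here is a small added example (not code from HTTPS Everywhere or from the EFF) that models the rewrite-by-ruleset idea and what a passive eavesdropper can still read afterwards. The rules, the hosts news.example and mail.example, and the function names are constructed for illustration.

```javascript
// Simplified model of ruleset-based HTTPS upgrading.
// RULESETS is a constructed sample, not the extension's real list.
const RULESETS = [
  { name: "EFF", targets: ["www.eff.org", "eff.org"], exclusions: [],
    rules: [{ from: /^http:/, to: "https:" }] },
  // Hypothetical site that offers HTTPS for text but not for images.
  { name: "News (partial)", targets: ["news.example"],
    exclusions: [/^http:\/\/news\.example\/images\//],
    rules: [{ from: /^http:/, to: "https:" }] },
];

// Return the URL the browser should actually request.
function upgrade(url) {
  const u = new URL(url);
  if (u.protocol !== "http:") return url;            // already HTTPS
  const set = RULESETS.find(r => r.targets.includes(u.hostname));
  if (!set) return url;                              // unsupported site: nothing to activate
  if (set.exclusions.some(re => re.test(url))) return url; // known HTTP-only part
  for (const { from, to } of set.rules) {
    if (from.test(url)) return url.replace(from, to);
  }
  return url;
}

// What someone listening on the network can read for a given request.
function visibleToEavesdropper(url) {
  const u = new URL(url);
  if (u.protocol === "https:") {
    // The hostname is still exposed while the connection is set up.
    return { host: u.hostname, path: null, content: false };
  }
  return { host: u.hostname, path: u.pathname + u.search, content: true };
}

function report(url) {
  const requested = upgrade(url);
  return { requested, seen: visibleToEavesdropper(requested) };
}

const samples = [                                    // constructed sample URLs
  "http://www.eff.org/issues/nsa-spying",
  "http://news.example/story",
  "http://news.example/images/front.png",
  "http://mail.example/inbox",
];
for (const url of samples) console.log(url, "->", JSON.stringify(report(url)));
```

Only the first two requests are upgraded; the image and the unsupported webmail host still travel in plain text, and in every case the hostname stays visible.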

You can download HTTPS Everywhere from here - https://www.eff.org/https-everywhere/