Use EFF's Firefox Add-on To Encrypt Your Web Browsing

EFF and the Tor Project offer security and enhanced privacy with this Firefox add-on. If you use Firefox, you should download the plug-in immediately.

HTTPS Everywhere is a Firefox extension recently released as a public beta by the ever-diligent EFF and the Tor Project. The add-on encrypts your web communication with several major websites that support HTTPS connection, but that may not normally default to an encrypted page. HTTPS Everywhere is great news that can provide enhanced security and privacy for individuals who use it. Get it now.

The Firefox add-on was inspired by the launch of Google's encrypted search option. By default, Google search is unencrypted unless you type HTTPS before your query. After installing the Firefox HTTPS Everywhere plug-in, Google search will load automatically with HTTPS. Keep in mind that using encryption for your searches does not stop Google from logging your queries; a government or civil litigant could still obtain your search records from Google.

An unencrypted site which has a URL that begins with "http://" will use port 80 by default, but URLs that start with "https://" use port 443 by default. HTTPS is often used to secure a connection over an insecure network like the Internet. Applications that use sensitive information, such as banking or other payment transactions, need to encrypt data to ensure data integrity and confidentiality as well as to prevent data tampering. SSL (Secure Socket Layer) and TLS (Transport Layer Security) are cryptogaphically secure and provide reasonable protection from eavesdropping and man-in-the-middle attacks. Note, however, that HTTPS can be exploited and does not provide 100% guaranteed protection.

Many websites offer some limited support for encryption over HTTPS. The problem arises when the site defaults to an unencrypted page or when a secure page has links that return you to the unencrypted site. This is where the HTTPS Everywhere extension really helps to protect you. The Firefox plug-in rewrites all requests to HTTPS to fix the vulnerability caused by jumping between HTTP to HTTPS.

Keep in mind, however, that some sites contain content from third party domains that are not available over HTTPS. Vulnerabilities remain to hacking attacks, various forms of eavesdropping, or traffic analysis if the Firefox browser lock icon in the bottom-right corner is broken or if it carries an exclamation mark. Using HTTPS Everywhere will make the effort to monitor your browsing significantly more difficult.

Encrypting your connection via HTTPS is beneficial for everyone whether people use public Wi-Fi hotspots or not.

Installing the add-on will connect you securely and automatically to the following sites: DuckDuckGo, EFF, Facebook, Google Search, Google Services, Identica, Ixquick, Mozilla, NYTimes, PayPal, Scroogle, Torproject, Twitter, The Washington Post, Wikipedia, GentooBugzilla and Noisebridge.

Rulesets can be written for the HTTPS Everywhere Firefox plug-in to switch sites over from HTTP to HTTPS automatically. These rulesets are xml files in which the "from" and "to" clauses are JavaScript expressions, ranging from very simple to defining the rules in a slightly more complicated way. Additionally, matchrules or exclusions to domains which do not support HTTPS can be written into rulesets. To test after writing rulesets, place it in the HTTPSEverywhereUserRules/ subdirectory in your Firefox profile directory and then restart Firefox. Test to check your ruleset for any issues with the way the site supports HTTPS, indicated by messages in the Firefox Error.

To learn more about creating xml files to be used as HTTPS Everywhere rulesets, visit the EFF.

I wish Microsoft's IE had an add-on to encrypt...

Check out these other posts from Microsoft Subnet

Like RSS? Subscribe to all Microsoft Subnet bloggers. Like e-mail? Sign up for the bi-weekly Microsoft newsletter. (Click on News/Microsoft News Alert.) Like Twitter? Follow All Microsoft Subnet bloggers on Twitter

Copyright © 2010 IDG Communications, Inc.

Microsoft's very bad year for security: A timeline