10 Years of HTTPS Everywhere


It’s been 10 years since the beta release of EFF’s HTTPS Everywhere web browser extension. It encrypts your communications with websites, making your browsing more secure. HTTPS has journeyed its way from an urgent recommendation to a main component of the traffic in our everyday web experience. In 2018, we discussed the importance of HTTPS Everywhere and our ongoing effort to encrypt the web. We have come far and still have more work to do. This post gives a snapshot of the landscape of HTTPS Everywhere today.

HTTPS Everywhere and Friends

Since the launch of HTTPS Everywhere, other projects have also taken on the task of helping users browse securely. These more recent projects include DuckDuckGo’s Smarter Encryption and Smart HTTPS. The biggest difference is that HTTPS Everywhere still operates a community-curated list of rules for particular sites. Many users who add to our list have intimate knowledge of the sites they are contributing. Examples of such reports include subdomains of a site that have misconfigurations, insecure cookies, or CDN buckets to account for.

Many users wanted dynamic upgrades to HTTPS, so we developed the Encrypt All Sites Eligible (E.A.S.E) mode in HTTPS Everywhere.

[Image: EASE Mode being turned on in HTTPS Everywhere Menu]

EASE automatically attempts to upgrade connections from insecure HTTP to secure HTTPS for all sites, and prevents unencrypted connections from being made. This parallels the features of the more recent projects listed. EASE mode also assists in preventing downgrade attacks, where malicious actors attempt to redirect your browser to an insecure HTTP connection to the site. This is handled slightly differently by other projects, but we want to emphasize that our rulesets also apply to subresources on the page. That means that if there are images and scripts that link to another domain, such as a Content Delivery Network (CDN), our rules can apply to those as well. We are not only adding rulesets, but amending them as websites change. HTTPS Everywhere’s maintainers and contributors have done a fantastic job over the years maintaining this aspect of the project.
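The difference between a curated ruleset and the EASE fallback can be modelled in a few lines. This is an added example, not HTTPS Everywhere's own code: the ruleset, the hostnames (example.org, example-cdn.test) and the function names are constructed for illustration, and the matching logic is a simplified assumption of how such an engine behaves.

```javascript
// Added illustration, not HTTPS Everywhere's code: a simplified model of
// ruleset upgrades with an EASE-style fallback. All rulesets are constructed.
const RULESETS = [{
  name: "Example.org (constructed)",
  targets: ["example.org", "*.example.org"],
  // A subdomain known to be misconfigured over HTTPS is left alone.
  exclusions: [/^http:\/\/legacy\.example\.org\//],
  rules: [
    // Images are served from a CDN bucket under a different HTTPS host.
    { from: /^http:\/\/img\.example\.org\//, to: "https://example-cdn.test/img/" },
    { from: /^http:/, to: "https:" },
  ],
}];

// "*.example.org" covers any subdomain; anything else must match exactly.
function hostMatches(target, host) {
  return target.startsWith("*.") ? host.endsWith(target.slice(1)) : host === target;
}

// Called for every request, top-level page or subresource alike.
// Returns { action: "allow" | "redirect", url }.
function decide(rawUrl, { ease = false } = {}) {
  const url = new URL(rawUrl);
  const href = url.href; // normalized form, so scheme and host are lowercase
  if (url.protocol !== "http:") return { action: "allow", url: href };
  for (const rs of RULESETS) {
    if (!rs.targets.some((t) => hostMatches(t, url.hostname))) continue;
    if (rs.exclusions.some((ex) => ex.test(href))) continue;
    const rule = rs.rules.find((r) => r.from.test(href));
    if (rule) return { action: "redirect", url: href.replace(rule.from, rule.to) };
  }
  // No ruleset applied: EASE still attempts HTTPS rather than loading HTTP.
  if (ease) return { action: "redirect", url: href.replace(/^http:/, "https:") };
  return { action: "allow", url: href };
}

// If the HTTPS attempt fails, EASE refuses the plain-HTTP load
// instead of silently falling back to it.
function onUpgradeFailed(originalUrl, { ease = false } = {}) {
  return { action: ease ? "block" : "allow", url: originalUrl };
}
```

Without EASE, a host that no ruleset covers loads over HTTP unchanged; with EASE, the same request is redirected to HTTPS and a failed upgrade is blocked rather than downgraded.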

HTTPS Everywhere and DNS over HTTPS (DoH)

A common question is whether HTTPS Everywhere is still helpful if “DNS over HTTPS” (DoH) is enabled. Absolutely. The Domain Name System (DNS) looks up a site’s IP address when you type the site’s name into your browser. A DNS request occurs before the connection to the site’s server is made; DoH operates at this layer. After the DNS request has been made, the connection to the site’s server is next. That is where HTTPS Everywhere comes in: it is able to secure your traffic to the requested site.

DNS request = request for site’s I.P. address

HTTP request = request communication with site’s server/website content

DoH & HTTPS = encrypted request for site’s I.P. & encrypted request with site’s server/website content respectively

[Image: Plain DNS exposing request, DNS over HTTPS concealing request]

Progress in the Browsers

Many browsers have made important strides in adopting HTTPS at a more aggressive rate. For example:

  • Some browsers further block mixed content, that is, page resources that aren’t encrypted (HTTP).
  • Some browsers now deploy and support Transport Layer Security (TLS) 1.3, the latest version of the protocol that is supported in HTTPS. 
  • Some browsers visually indicate to users whether a site is secure or insecure.
  • Chrome blocks HTTP third party cookies and Firefox allows blocking third party cookies completely through their “enhanced tracking protection”.
  • DNS over HTTPS (DoH) is available in both Chrome and Firefox
  • Firefox Nightly quietly deployed an HTTPS Only Mode (go to about:preferences#privacy in the browser’s URL bar).

[Image: Firefox HTTPS Only Mode warning]

We hope to see these developments, especially the option to be HTTPS by default, in both Firefox and Chrome.

In the coming decade, we hope browsers will further help to encrypt the web. It’s time for browsers to close these remaining gaps and give users the choice to upgrade to HTTPS. We hope our HTTPS Everywhere project will eventually not be needed in its current state, because the browsers themselves will close these gaps. This will take a strong commitment by all major browsers to provide comprehensive HTTPS options for their users.

HTTPS Everywhere Innovation

In addition to encrypting your web traffic, HTTPS Everywhere also provides extended features that have made way for some exciting developments in internet privacy. 

Human Readable Onions

Our update channels provide a secure way for other parties to load their own rulesets. For example, SecureDrop partnered with Tor to use HTTPS Everywhere Update channels to have human-readable onions in Tor Browser! As SecureDrop explains:

“SecureDrop uses onion services—accessible only via the Tor network—to protect sources sending tips to news organizations. When you visit an onion service (address ends with “.onion”), all traffic to and from the service is encrypted and anonymized.”

We are excited to be able to provide a platform for easily shared AND secure tips to newsrooms. A very big hat tip to SecureDrop and Tor Browser.

Rust + Web Assembly

HTTPS Everywhere’s ruleset rewrites are very useful, but can be memory heavy in comparison to most extensions. To alleviate this, we have a ruleset redirect engine written in Rust that compiles to Web Assembly. If Web Assembly isn’t supported, then JavaScript is the fallback for rewrites. We picked Rust because it is a memory safe language that is lightweight and manageable. Also, one need not rewrite existing parts of the code base in order to take part in more modern developments of web applications.

Learn more about Rust + Web Assembly: https://rustwasm.github.io/docs/book/introduction.html

HTTPS Everywhere 2030 – Archived

This project and its extended features were created to make privacy and security not only accessible but easily obtainable to everyone. Anonymity and privacy on the web shouldn’t be limited to people with highly technical knowledge. Hopefully when we write an update a decade from now, HTTPS Everywhere will be retired, because its encryption safeguards will have been fully integrated as a common feature of “the net”.

Thank you for using HTTPS Everywhere. If you haven’t installed it, do so today!

