Q&A Do I really need HTTPS Everywhere extension for Chrome?

Discussion in 'Browsers and Extensions' started by ItsReallyMe, Dec 22, 2017.

  1. ItsReallyMe

    ItsReallyMe Level 2

    Dec 21, 2017
    56
    141
    Model
    Los Angeles
    Windows 10
    Emsisoft
    Do I really need HTTPS Everywhere extension for Chrome, as Chrome will display a warning if the accessing site is not using HTTPS?
     
  2. Rengar

    Rengar Level 14

    Jan 6, 2017
    694
    4,414
    Greece
    Windows 8.1
    Avast
    It's a light extension, I don't see the reason why you should not have it.
     
    upnorth, Andytay70, Opcode and 5 others like this.
  3. Deletedmessiah

    Deletedmessiah Level 15

    Jan 16, 2017
    714
    6,571
    SSD
    Windows 8.1
    Emsisoft
    It breaks some websites.
     
  4. Paul Lee

    Paul Lee Level 9

    Oct 14, 2014
    407
    1,823
    Windows 10
    Simply put: No. It's not this magical extension that will solve all of the world's problems like some people make it out to be.
     
    Iapepe, gonzalo, GonzitoVir and 10 others like this.
  5. SHvFl

    SHvFl Level 32
    Content Creator Trusted

    Nov 19, 2014
    2,153
    16,396
    Supermodel for McDonald's
    Europe
    Windows 10
    Emsisoft
    If you don't want to use it, don't. It really doesn't do anything revolutionary you can't miss.
     
    shmu26, mlnevese, Prorootect and 7 others like this.
  6. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    890
    6,303
    Caille
    Windows 10
    HTTPS stands for Hypertext Transfer Protocol Secure. It is basically a secure variant of HTTP. When you're using HTTPS-enabled websites, you have an additional layer of encryption which is useful for... keeping confidential data better protected (e.g. when filling in payment-related forms for an online order) for one.

    For example, if your home network is breached and an attacker is sniffing the network, data being sent over HTTPS encryption will be in encrypted form in the logs the attacker receives. Could be handy especially for when using public, insecure networks (e.g. when out and about - if you happen to use a laptop not always on your own network). On that note, HTTPS interception is trickier for banking malware generally but that doesn't mean it stops malware authors because it really doesn't.

    It isn't a "must-have" in my opinion and it can break some websites as others have mentioned, but it can be beneficial if it works right for you. I remember it used to be very popular and the popularity died down a bit but it is still a good extension. I once used it and liked it at the time, but I removed it a very long time ago because I've not a need for it anymore.
     
    GonzitoVir, mlnevese, roger_m and 5 others like this.
  7. Spawn

    Spawn Administrator
    Staff Member Content Creator

    Jan 8, 2011
    16,256
    24,184
    Iapepe, upnorth, harlan4096 and 5 others like this.
  8. carsten ibsen

    carsten ibsen Level 20

    Sep 18, 2016
    980
    5,206
    retired
    denmark
    Windows 10
    Microsoft
    Hey, if you ask me (with my limited experience) then yes :).
     
    SHvFl, Andytay70 and Opcode like this.
  9. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    890
    6,303
    Caille
    Windows 10
    By the way just as a general note, about the encrypted traffic between the browser and the target destination... Banking malware can actually intercept SSL and this technique is known as "WebInject". The older technique for banking malware is "form-grabbing", but that only covers HTTP communication, not HTTPS. SSL data will be decrypted by the browser client post-communication, and this is where banking malware can abuse this (exploit) to retrieve the decrypted SSL data via WebInject.

    Another would be messing with the certificates on the system... Some AVs do this, and it can open opportunity for a Man-In-The-Middle (MITM) attack.

    So HTTPS is far from perfect, but it is still helpful I think :)
     
    mlnevese, roger_m, upnorth and 5 others like this.
  10. plat1098

    plat1098 Level 5

    Aug 23, 2017
    227
    1,333
    Brooklyn
    Windows 10
    Microsoft
  11. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    890
    6,303
    Caille
    Windows 10
    100% agree, malware authors are becoming smarter and it isn't all that difficult for them to get hold of an HTTPS certificate. They can steal them from others (and have genuine ones revoked after exposure of having been stolen and used in malicious operations) or they can order one appearing as a genuine customer (or not - I guess some companies are awful with knowing the intentions or do fewer checks) for maybe 100 euros.

    Some website hosts (or "website builders") will give out free certificates to clients which pay a bit monthly/on an annual basis, which simplifies it for the malware author.

    Phishing malicious URLs are increasingly starting to use HTTPS a lot more because they know that the likelihood of trust from the target victim is increased when they see that green Secure label and the green pad-lock at the top left of the browser navigation bar, over an "Insecure" title or similar.
     
    mlnevese, roger_m, harlan4096 and 4 others like this.
  12. Prorootect

    Prorootect Level 46

    Nov 5, 2011
    3,563
    3,798
    0wN3D by my cat!
    My shortened response: No.
     
    Deletedmessiah, Tsiehshi and Opcode like this.
  13. Slyguy

    Slyguy Level 21

    Jan 27, 2017
    1,090
    4,371
    Fortinet Engineer
    USA
    Other OS
    This is important and yes, it totally breaks some important sites. I use it on my personal machine, but rarely deploy it beyond that because I will almost assuredly get 'this site is broke' complaints.

    Necessary? No. Helpful? Sometimes. Problematic? Sometimes.
     
    Deletedmessiah, roger_m and Opcode like this.
  14. Slyguy

    Slyguy Level 21

    Jan 27, 2017
    1,090
    4,371
    Fortinet Engineer
    USA
    Other OS
    This is the best reply here.

    Malware is indeed using HTTPS more than ever before, increasing by the day. This is why modern gateway appliances are all going to be required to do SSL scanning. Deep inspection takes a locally installed RCA, but normal SSL inspection doesn't. For me, HTTPS Everywhere isn't required at all since I do SSL validation at the UTM level. My Fortigate Appliance does certification/inspection/validation of SSL and non-SSL traffic in realtime. However, I find some use in HTTPS Everywhere for enforcement of SSL on sites that it can be enforced on.

    Certs are indeed cheap these days. Very cheap.
     
  15. DeepWeb

    DeepWeb Level 9

    Jul 1, 2017
    437
    1,415
    Nurse
    On a journey
    Windows 10
    Emsisoft
    Unfortunately yes. You would think Chrome would have integrated this by now but there are many sites that will still load HTTP by default without HTTPS Everywhere.
     
    Opcode likes this.
  16. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    890
    6,303
    Caille
    Windows 10
    HTTPS for websites not designed for it (e.g. not with the manual certificate/changes to make it work) can cause problems. Which is why HTTPS Everywhere can cause breakages sometimes and likely why Google have not tried to make similar. But they do display bad certificate details in-browser and alert while blocking a load sometimes about certificates and safe connections.

    Google Chrome security actually helps a lot when I'm going hunting for malicious URLs in the analysis environment. All the time it'll be alerting about certificates or it's already in the DB.
     
    DeepWeb, mlnevese, frogboy and 2 others like this.
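
Added example, not part of the thread and not HTTPS Everywhere's own code: a simplified model of the rule-based HTTP-to-HTTPS upgrading such an extension performs, showing why hosts without a rule still load over HTTP and why hosts that break over HTTPS need exclusions. The ruleset shape, hostnames and function names are assumptions constructed for illustration.

```javascript
// Constructed ruleset for illustration; hosts and patterns are assumptions,
// not rules shipped by any real extension.
const RULESETS = [
  {
    name: "example.com (constructed)",
    targets: ["example.com", "*.example.com"],
    // Hosts known to break over HTTPS are excluded from the upgrade.
    exclusions: [/^http:\/\/legacy\.example\.com\//],
    rules: [{ from: /^http:/, to: "https:" }],
  },
];

// "*.example.com" matches subdomains only; a bare host must match exactly.
function hostMatches(host, target) {
  return target.startsWith("*.")
    ? host.endsWith(target.slice(1))
    : host === target;
}

// Decide what happens to a navigation before the request leaves the browser.
function upgradeUrl(rawUrl, rulesets = RULESETS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { url: rawUrl, action: "invalid" };
  }
  if (url.protocol === "https:") return { url: url.href, action: "already-secure" };
  if (url.protocol !== "http:") return { url: url.href, action: "ignored" };

  for (const set of rulesets) {
    if (!set.targets.some((t) => hostMatches(url.hostname, t))) continue;
    if (set.exclusions.some((re) => re.test(url.href))) {
      return { url: url.href, action: "excluded" };
    }
    for (const rule of set.rules) {
      const rewritten = url.href.replace(rule.from, rule.to);
      if (rewritten !== url.href) return { url: rewritten, action: "upgraded" };
    }
  }
  // No rule covers this host: the request stays on plain HTTP.
  return { url: url.href, action: "no-rule" };
}

for (const u of ["http://www.example.com/cart", "http://legacy.example.com/app",
                 "http://unlisted.test/", "https://example.com/"]) {
  console.log(u, "->", upgradeUrl(u));
}
```
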
  17. NormanF

    NormanF Level 1

    Jan 11, 2018
    33
    41
    USA
    The main problem is SSL scanning can trash certificates leaving you unable to connect to sites and surf the Internet.

    I would leave things well enough alone and https already works for most sites without an extension. Is it needed? No.
     
    TerrakionSmash likes this.
  18. Slyguy

    Slyguy Level 21

    Jan 27, 2017
    1,090
    4,371
    Fortinet Engineer
    USA
    Other OS
    Agreed. Cert Scanning and Auth can break a LOT of things, even if it is done at the NGFW/Appliance level. We've seen Windows Updates get borked. Products like Signal Instant Messenger which uses a self-signed cert get blocked. A good amount of serious issues can result because you rely on across the board compliance from everyone and everyone isn't, so you will quickly discover who isn't. Also, turning on DNSSEC will quickly show you who isn't compliant in that and you'll be turning it off in short order.
     