Q&A: Do I really need the HTTPS Everywhere extension for Chrome?

Opcode

Level 28
Content Creator
Joined
Aug 17, 2017
Messages
1,733
#6
HTTPS stands for Hypertext Transfer Protocol Secure. It is basically a secure variant of HTTP. When you're using HTTPS-enabled websites, you have an additional layer of encryption which is useful for... keeping confidential data better protected (e.g. when filling in payment-related forms for an online order), for one.

For example, if your home network is breached and an attacker is sniffing the network, data sent over HTTPS will be in encrypted form in the logs the attacker receives. It could be handy especially when using public, insecure networks (e.g. when out and about - if you happen to use a laptop not always on your own network). On that note, HTTPS interception is generally trickier for banking malware, but that doesn't mean it stops malware authors, because it really doesn't.

It isn't a "must-have" in my opinion, and it can break some websites as others have mentioned, but it can be beneficial if it works right for you. I remember it used to be very popular and the popularity died down a bit, but it is still a good extension. I once used it and liked it at the time, but I removed it a very long time ago because I've no need for it anymore.

Opcode

Level 28
Content Creator
Joined
Aug 17, 2017
Messages
1,733
#9
By the way, just as a general note about the encrypted traffic between the browser and the target destination... Banking malware can actually intercept SSL, and this technique is known as "WebInject". The older technique for banking malware is "form-grabbing", but that only covers HTTP communication, not HTTPS. SSL data will be decrypted by the browser client post-communication, and this is where banking malware can abuse this (exploit) to retrieve the decrypted SSL data via WebInject.

Another would be messing with the certificates on the system... Some AVs do this, and it can open up the opportunity for a Man-In-The-Middle (MITM) attack.

So HTTPS is far from perfect, but it is still helpful I think :)

Opcode

Level 28
Content Creator
Joined
Aug 17, 2017
Messages
1,733
#11
malware is not forbidden from HTTPS
100% agree, malware authors are becoming smarter and it isn't all that difficult for them to get hold of an HTTPS certificate. They can steal them from others (and have genuine ones revoked after exposure of having been stolen and used in malicious operations), or they can order one appearing as a genuine customer (or not - I guess some companies are awful at knowing the intentions or do fewer checks) for maybe 100 euros.

Some website hosts (or "website builders") will give out free certificates to clients who pay a bit monthly or on an annual basis, which simplifies it for the malware author.

Malicious phishing URLs are increasingly starting to use HTTPS because they know that the likelihood of trust from the target victim is increased when they see that green Secure label and the green padlock at the top left of the browser navigation bar, rather than an "Insecure" title or similar.

Slyguy

Level 31
Joined
Jan 27, 2017
Messages
2,094
OS
Other OS
#14
By the way, just as a general note about the encrypted traffic between the browser and the target destination... Banking malware can actually intercept SSL, and this technique is known as "WebInject". The older technique for banking malware is "form-grabbing", but that only covers HTTP communication, not HTTPS. SSL data will be decrypted by the browser client post-communication, and this is where banking malware can abuse this (exploit) to retrieve the decrypted SSL data via WebInject.

Another would be messing with the certificates on the system... Some AVs do this, and it can open up the opportunity for a Man-In-The-Middle (MITM) attack.

So HTTPS is far from perfect, but it is still helpful I think :)
This is the best reply here.

Malware is indeed using HTTPS more than ever before, increasing by the day. This is why modern gateway appliances are all going to be required to do SSL scanning. Deep inspection takes a locally installed RCA, but normal SSL inspection doesn't. For me, HTTPS Everywhere isn't required at all since I do SSL validation at the UTM level. My Fortigate appliance does certification/inspection/validation of SSL and non-SSL traffic in real time. However, I find some use in HTTPS Everywhere for enforcing SSL on sites where it can be enforced.

Certs are indeed cheap these days. Very cheap.

DeepWeb

Level 12
Joined
Jul 1, 2017
Messages
593
OS
Windows 10
Antivirus
Emsisoft
#15
Unfortunately yes. You would think Chrome would have integrated this by now but there are many sites that will still load HTTP by default without HTTPS Everywhere.

Opcode

Level 28
Content Creator
Joined
Aug 17, 2017
Messages
1,733
#16
Unfortunately yes. You would think Chrome would have integrated this by now but there are many sites that will still load HTTP by default without HTTPS Everywhere.
HTTPS for websites not designed for it (e.g. without the manual certificate setup/changes to make it work) can cause problems, which is why HTTPS Everywhere can sometimes cause breakages, and likely why Google has not tried to make something similar. But they do display bad certificate details in-browser, and sometimes alert about certificates and safe connections while blocking a load.

Google Chrome security actually helps a lot when I'm hunting for malicious URLs in the analysis environment. All the time it'll be alerting about certificates, or it's already in the DB.
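To make concrete why an extension that forces HTTPS can break sites, here is an added example (my own illustration for this thread, not the extension's code or its real ruleset format) of the kind of per-site ruleset HTTPS Everywhere works from: rewrite rules that upgrade http:// to https:// for a set of target hosts, plus exclusions for paths that the site only serves correctly over plain HTTP. The hosts example.com, www.example.com, cdn.example.com and legacy.example.com are constructed. Without the exclusion, the legacy path would be upgraded and fail to load, which is the breakage the thread describes.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Rule is one from/to rewrite in the spirit of an HTTPS Everywhere ruleset
// entry such as <rule from="^http:" to="https:"/>. Constructed illustration,
// not the extension's own code or its ruleset format.
type Rule struct {
	From *regexp.Regexp
	To   string
}

// Ruleset groups the rules for a set of target hosts and lists exclusions:
// a URL that matches an exclusion is left on plain HTTP because that part of
// the site is known to break over TLS (the "breakage" the thread mentions).
type Ruleset struct {
	Name       string
	Targets    []string         // host patterns; a leading "*." matches any subdomain
	Exclusions []*regexp.Regexp // URL patterns deliberately left untouched
	Rules      []Rule
}

// hostMatches implements the "*.example.com" wildcard used in Targets.
func hostMatches(pattern, host string) bool {
	if strings.HasPrefix(pattern, "*.") {
		suffix := pattern[1:] // ".example.com"
		return strings.HasSuffix(host, suffix) && host != suffix
	}
	return pattern == host
}

// Rewrite returns the URL the browser should actually load plus a short
// reason. Only http:// URLs are candidates; anything else is returned as-is.
func Rewrite(rulesets []*Ruleset, rawURL string) (string, string) {
	u, err := url.Parse(rawURL)
	if err != nil || u.Scheme != "http" {
		return rawURL, "not a plain-http URL"
	}
	host := strings.ToLower(u.Hostname())
	for _, rs := range rulesets {
		applies := false
		for _, t := range rs.Targets {
			if hostMatches(t, host) {
				applies = true
				break
			}
		}
		if !applies {
			continue
		}
		// Exclusions win over rules: this is how a ruleset avoids upgrading a
		// path that the site only serves correctly over HTTP.
		for _, ex := range rs.Exclusions {
			if ex.MatchString(rawURL) {
				return rawURL, "excluded by ruleset " + rs.Name
			}
		}
		for _, r := range rs.Rules {
			if r.From.MatchString(rawURL) {
				return r.From.ReplaceAllString(rawURL, r.To), "rewritten by ruleset " + rs.Name
			}
		}
	}
	return rawURL, "no ruleset"
}

// ExampleRulesets is a constructed ruleset for the hypothetical hosts
// example.com, www.example.com, cdn.example.com and legacy.example.com.
func ExampleRulesets() []*Ruleset {
	return []*Ruleset{{
		Name:    "Example.com",
		Targets: []string{"example.com", "*.example.com"},
		Exclusions: []*regexp.Regexp{
			regexp.MustCompile(`^http://legacy\.example\.com/`),
		},
		Rules: []Rule{
			// canonicalise the bare and www hosts onto one HTTPS origin
			{From: regexp.MustCompile(`^http://(www\.)?example\.com/`), To: "https://www.example.com/"},
			// every other subdomain simply gets its scheme upgraded
			{From: regexp.MustCompile(`^http:`), To: "https:"},
		},
	}}
}

func main() {
	for _, in := range []string{
		"http://example.com/login",
		"http://cdn.example.com/app.js",
		"http://legacy.example.com/old-app",
		"http://other.example.org/",
		"https://example.com/",
	} {
		out, why := Rewrite(ExampleRulesets(), in)
		fmt.Printf("%-36s -> %-36s (%s)\n", in, out, why)
	}
}
```

Running it prints each input URL next to what the browser would load and why. The second rule shows the trade-off: a broad `^http:` rule covers every subdomain, so any subdomain that cannot serve TLS has to be listed as an exclusion or it breaks, and a ruleset maintained by volunteers will always lag behind site changes.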
Joined
Jan 11, 2018
Messages
33
#17
The main problem is SSL scanning can trash certificates leaving you unable to connect to sites and surf the Internet.

I would leave things well enough alone and https already works for most sites without an extension. Is it needed? No.

Slyguy

Level 31
Joined
Jan 27, 2017
Messages
2,094
OS
Other OS
#18
The main problem is SSL scanning can trash certificates leaving you unable to connect to sites and surf the Internet.

I would leave things well enough alone and https already works for most sites without an extension. Is it needed? No.
Agreed. Cert scanning and auth can break a LOT of things, even if it is done at the NGFW/appliance level. We've seen Windows Updates get borked. Products like Signal Instant Messenger, which uses a self-signed cert, get blocked. A good number of serious issues can result because you rely on across-the-board compliance from everyone, and not everyone is compliant, so you will quickly discover who isn't. Also, turning on DNSSEC will quickly show you who isn't compliant with that, and you'll be turning it off in short order.
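The two failure modes in this post (the gateway's certificate being rejected until its root is installed, and a client with its own pinned key such as Signal breaking even after it is), together with Opcode's earlier point that adding certificates to the system trust store is what makes in-path interception possible, can be reproduced offline. This is an added example written for this thread, not code from Fortinet, Signal or HTTPS Everywhere; it uses only Go's standard library, and the hostname chat.example.org and the CA names are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var (
	ErrChain = errors.New("chain does not lead to a trusted root")
	ErrPin   = errors.New("leaf key does not match the pin")
)

// template builds a root-CA or server-certificate template for a constructed name.
func template(name string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames, t.KeyUsage = []string{name}, x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// newCert generates a P-256 key and issues t: self-signed when parent is nil,
// otherwise signed by parentKey (the key behind parent). Only an unusable RNG can fail here.
func newCert(t, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// SPKIPin is the hex SHA-256 of the SubjectPublicKeyInfo, the value a pinning client ships.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// VerifyPinned mirrors a pinning client: chain validation against the trust store, then
// the leaf key against the pin. A gateway can pass the first once its root is installed, never the second.
func VerifyPinned(leaf *x509.Certificate, roots *x509.CertPool, host, pin string) error {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return fmt.Errorf("%w: %v", ErrChain, err)
	}
	if SPKIPin(leaf) != pin {
		return ErrPin
	}
	return nil
}

// Run issues a genuine root plus server cert for a constructed hostname and an inspection
// root that re-signs the same name, then checks both against a client pinning the genuine key.
func Run() (genuineOK, inspectedBlocked, inspectedPinMismatch bool) {
	const host = "chat.example.org" // constructed hostname
	genuineCA, caKey := newCert(template("Genuine Root CA", 1, true), nil, nil)
	genuineLeaf, _ := newCert(template(host, 2, false), genuineCA, caKey)
	inspectCA, inspectKey := newCert(template("Gateway Inspection CA", 3, true), nil, nil)
	inspectLeaf, _ := newCert(template(host, 4, false), inspectCA, inspectKey)
	pin := SPKIPin(genuineLeaf) // shipped inside the client
	genuineRoots := x509.NewCertPool()
	genuineRoots.AddCert(genuineCA)
	withInspection := x509.NewCertPool() // trust store after the gateway root is installed
	withInspection.AddCert(genuineCA)
	withInspection.AddCert(inspectCA)
	genuineOK = VerifyPinned(genuineLeaf, genuineRoots, host, pin) == nil
	inspectedBlocked = errors.Is(VerifyPinned(inspectLeaf, genuineRoots, host, pin), ErrChain)
	inspectedPinMismatch = errors.Is(VerifyPinned(inspectLeaf, withInspection, host, pin), ErrPin)
	return
}

func main() { fmt.Println(Run()) } // expected: true true true
```

Run reports three results, all true: the genuine chain verifies and matches the pin; the inspection certificate is rejected outright while only the genuine root is trusted (the "trashed certificates" of the previous post); and once the gateway root is installed the chain validates but the pin check still fails, which is exactly why a client that pins its own key cannot be made to work behind SSL inspection short of an exemption for it.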