Do I really need HTTPS Everywhere extension for Chrome?

Status
Not open for further replies.
Deleted member 65228

HTTPS stands for Hypertext Transfer Protocol Secure. It is basically a secure variant of HTTP. When you're using HTTPS-enabled websites, you have an additional layer of encryption which is useful for... keeping confidential data better protected (e.g. when filling in payment-related forms for an online order) for one.

For example, if your home network is breached and an attacker is sniffing the network, data being sent over HTTPS encryption will be in encrypted form in the logs the attacker receives. Could be handy especially for when using public, insecure networks (e.g. when out and about - if you happen to use a laptop not always on your own network). On that note, HTTPS interception is trickier for banking malware generally but that doesn't mean it stops malware authors because it really doesn't.

It isn't a "must-have" in my opinion and it can break some websites as others have mentioned, but it can be beneficial if it works right for you. I remember it used to be very popular and the popularity died down a bit but it is still a good extension. I once used it and liked it at the time, but I removed it a very long time ago because I've not a need for it anymore.
 
Deleted member 65228

By the way just as a general note, about the encrypted traffic between the browser and the target destination... Banking malware can actually intercept SSL and this technique is known as "WebInject". The older technique for banking malware is "form-grabbing", but that only covers HTTP communication, not HTTPS. SSL data will be decrypted by the browser client post-communication, and this is where banking malware can abuse this (exploit) to retrieve the decrypted SSL data via WebInject.

Another would be messing with the certificates on the system... Some AVs do this, and it can open opportunity for a Man-In-The-Middle (MITM) attack

So HTTPS is far from perfect, but it is still helpful I think :)
 
Deleted member 65228

malware is not forbidden from HTTPS
100% agree, malware authors are becoming smarter and it isn't all that difficult for them to get hold of an HTTPS certificate. They can steal them from others (and have genuine ones revoked after exposure of having been stolen and used in malicious operations) or they can order one appearing as a genuine customer (or not - I guess some companies are awful with knowing the intentions or do fewer checks) for maybe 100 euros.

Some website hosts (or "website builders") will give out free certificates to clients which pay a bit monthly/on an annual basis, which simplifies it for the malware author.

Phishing malicious URLs are increasingly starting to use HTTPS a lot more because they know that the likelihood of trust from the target victim is increased when they see that green Secure label and the green pad-lock at the top left of the browser navigation bar, over an "Insecure" title or similar.
 
ForgottenSeer 58943

By the way just as a general note, about the encrypted traffic between the browser and the target destination... Banking malware can actually intercept SSL and this technique is known as "WebInject". The older technique for banking malware is "form-grabbing", but that only covers HTTP communication, not HTTPS. SSL data will be decrypted by the browser client post-communication, and this is where banking malware can abuse this (exploit) to retrieve the decrypted SSL data via WebInject.

Another would be messing with the certificates on the system... Some AVs do this, and it can open opportunity for a Man-In-The-Middle (MITM) attack

So HTTPS is far from perfect, but it is still helpful I think :)

This is the best reply here.

Malware is indeed using HTTPS more than ever before, increasing by the day. This is why modern gateway appliances are all going to be required to do SSL scanning. Deep inspection takes a locally installed RCA, but normal SSL inspection doesn't. For me, HTTPS Everywhere isn't required at all since I do SSL validation at the UTM level. My Fortigate Appliance does certification/inspection/validation of SSL and non-SSL traffic in realtime. However I find some use in HTTPS Everywhere for enforcement of SSL on sites that it can be enforced on.

Certs are indeed cheap these days. Very cheap.
 

DeepWeb

Unfortunately yes. You would think Chrome would have integrated this by now but there are many sites that will still load HTTP by default without HTTPS Everywhere.
 
Deleted member 65228

Unfortunately yes. You would think Chrome would have integrated this by now but there are many sites that will still load HTTP by default without HTTPS Everywhere.
HTTPS for websites not designed for it (e.g. not with the manual certificate/changes to make it work) can cause problems. Which is why HTTPS Everywhere can cause breakages sometimes and likely why Google have not tried to make similar. But they do display bad certificate details in-browser and alert while blocking a load sometimes about certificates and safe connections.

Google Chrome security actually helps a lot when I'm going hunting for malicious URLs in the analysis environment. All the time it'll be alerting about certificates or it's already in the DB.
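
Added example, not part of any post in this thread and not HTTPS Everywhere's own code: a ruleset-driven HTTP-to-HTTPS upgrader in JavaScript, showing why only listed hosts get upgraded and why exclusions exist for pages that break over HTTPS. The hosts, rules and the names `RULESETS`, `hostMatches` and `upgradeUrl` are constructed for illustration; the target/rule/exclusion layout follows the shape of the extension's rulesets.

```javascript
// Constructed rulesets (hypothetical hosts), following the
// target / rule / exclusion layout of HTTPS Everywhere rulesets.
const RULESETS = [
  {
    name: "Example shop",
    targets: ["shop.example", "*.shop.example"],
    // Paths known to break over HTTPS stay on HTTP.
    exclusions: [/^http:\/\/legacy\.shop\.example\/applet\//],
    rules: [{ from: /^http:/, to: "https:" }],
  },
  {
    name: "Example news",
    targets: ["news.example"],
    exclusions: [],
    // Only the www host serves a valid certificate, so canonicalise.
    rules: [{ from: /^http:\/\/news\.example\//, to: "https://www.news.example/" }],
  },
];

// "*.shop.example" matches any subdomain, but not "shop.example" itself
// and not look-alikes such as "evilshop.example".
function hostMatches(target, host) {
  if (target.startsWith("*.")) return host.endsWith(target.slice(1));
  return host === target;
}

// Returns the upgraded URL, or null when the request must be left alone.
function upgradeUrl(rawUrl, rulesets = RULESETS) {
  let url;
  try { url = new URL(rawUrl); } catch { return null; }
  if (url.protocol !== "http:") return null; // already HTTPS or not web traffic
  const href = url.href; // normalised form, e.g. trailing "/" added
  for (const rs of rulesets) {
    if (!rs.targets.some((t) => hostMatches(t, url.hostname))) continue;
    if (rs.exclusions.some((ex) => ex.test(href))) return null;
    for (const rule of rs.rules) {
      if (rule.from.test(href)) {
        const upgraded = href.replace(rule.from, rule.to);
        // Never let a rule produce anything other than an HTTPS URL.
        return new URL(upgraded).protocol === "https:" ? upgraded : null;
      }
    }
  }
  return null; // no ruleset covers this host: it loads over HTTP as before
}
```

A host with no ruleset is never touched, which is why unlisted sites still load over HTTP, and a missing exclusion for a page that only works over HTTP is what shows up as site breakage.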
 

NormanF

The main problem is SSL scanning can trash certificates leaving you unable to connect to sites and surf the Internet.

I would leave things well enough alone and https already works for most sites without an extension. Is it needed? No.
 

ForgottenSeer 58943

The main problem is SSL scanning can trash certificates leaving you unable to connect to sites and surf the Internet.

I would leave things well enough alone and https already works for most sites without an extension. Is it needed? No.

Agreed. Cert Scanning and Auth can break a LOT of things, even if it is done at the NGFW/Appliance level. We've seen Windows Updates get borked. Products like Signal Instant Messenger which uses a self-signed cert get blocked. A good amount of serious issues can result because you rely on across the board compliance from everyone and everyone isn't so you will quickly discover who isn't. Also, turning on DNSSEC will quickly show you who isn't compliant in that and you'll be turning it off in short order.
 

TairikuOkami

If I recall correctly, Chrome plans to warn about webpages not using https (2019-2020). Something like this:
 

[Attachment: capture_11252018_131248.jpg]