Q&A HTTPS Everywhere or Force HTTPS...or Neither?

always_forever

Level 1
Jul 1, 2021
26
Does anyone in the community have any thoughts about installing HTTPS Everywhere or Force HTTPS extensions?

I know extensions are widely thought to add needless threat surface, but, for someone using Chrome, are either of these still worth considering? I've read that browsers are moving towards having such functionality natively and that many misunderstand exactly what HTTPS Everywhere does.

Any thoughts appreciated! I do see that Force HTTPS is less widely used, but someone mentioned it here as preferable...
 

SecureKongo

Level 22
Verified
Feb 25, 2017
1,164
I've read that browsers are moving towards having such functionality natively and that many misunderstand exactly what HTTPS Everywhere does.
Most browsers are not moving towards that; most already have it implemented. At least the most popular ones. Browsers like Firefox, Brave and Edge have had it for months now, and Chrome is following up soon, as can be seen in the post of @silversurfer.

Post: Updates - Chrome will soon try HTTPS first when you type an incomplete URL
 

SecureKongo

Level 22
Verified
Feb 25, 2017
1,164
Would you consider testing the experimental feature as referenced at the link above or would you wait until Q3 of this year as detailed at Changes to Chrome OS’s release cycle ...or maybe best to install HTTPS Everywhere until 94 is released?
I don't see any problem in enabling the experimental feature as long as it doesn't break anything. But as @SecurityNightmares said, most websites have already used HTTPS for years. I think HTTPS Everywhere is redundant, only increases attack surface, makes your browser fingerprint more unique and doesn't bring any noteworthy value either.
 

ForgottenSeer 85179

Would you consider testing the experimental feature as referenced at the link above or would you wait until Q3 of this year as detailed at Changes to Chrome OS’s release cycle ...or maybe best to install HTTPS Everywhere until 94 is released?
If you're using a beta browser (not recommended), then you can enable that option.
Else just wait :)

SecureKongo has already explained everything else (y)

 

always_forever

Level 1
Jul 1, 2021
26
Important sites have already used HTTPS for years.
I don't see any reason to use an extension for that.

If you care, just block HTTP JavaScript and you're done. Much more effective.
I like this idea a lot but I only see a "Don't allow sites to use Javascript" setting in Chrome unspecific to HTTP...Is that the setting you're referring to? I could just set it this way and manually enable Javascript when needed as well...
 

ForgottenSeer 85179

I like this idea a lot but I only see a "Don't allow sites to use Javascript" setting in Chrome unspecific to HTTP...Is that the setting you're referring to? I could just set it this way and manually enable Javascript when needed as well...
I can't speak for Chrome, but in Edge this is possible under website permissions:
[Screenshot attachment: 1626291755457.png]

Turning off JavaScript completely will break 99% of sites and isn't recommended.
 

always_forever

Level 1
Jul 1, 2021
26
I can't speak for Chrome, but in Edge this is possible under website permissions:
[Attachment 259664]

Turning off JavaScript completely will break 99% of sites and isn't recommended.
For Chrome, someone in the Chrome web store suggested to disable javascript and then add https://* to follow the custom setting of "allowed to use javascript." This seems like a workaround but I'm not 100% sure yet and am testing.
 

ForgottenSeer 85179

For Chrome, someone in the Chrome web store suggested to disable javascript and then add https://* to follow the custom setting of "allowed to use javascript." This seems like a workaround but I'm not 100% sure yet and am testing.
It's more secure to block HTTP content than to allow all HTTPS content. You don't want to circumvent browser mitigations because of wrong settings.
 

Azure

Level 26
Verified
Content Creator
Oct 23, 2014
1,560
HTTPS Everywhere will go into End of Life.

“Afterwards, this will start the HTTPS Everywhere web extension EoL (End of Life) stage, which will be determined later after completing the sunset of HTTPS Everywhere Rulesets. By adding the DuckDuckGo Smarter Encryption Update Channel we can give everyone time to adjust and plan.”
 