Advice Request HTTPS Everywhere or Force HTTPS...or Neither?


always_forever

Thread author
Jul 1, 2021
Does anyone in the community have any thoughts about installing HTTPS Everywhere or Force HTTPS extensions?

I know extensions are widely thought to add needless threat surface, but, for someone using Chrome, are either of these still worth considering? I've read that browsers are moving towards having such functionality natively and that many misunderstand exactly what HTTPS Everywhere does.

Any thoughts appreciated! I do see that Force HTTPS is less widely used, but someone mentioned it here as preferable...
 
I've read that browsers are moving towards having such functionality natively and that many misunderstand exactly what HTTPS Everywhere does.
Most browsers are not moving towards that; most already have it implemented. At least the most popular ones. Browsers like Firefox, Brave and Edge have had it for months now, and Chrome is following up soon, as can be seen in the post of @silversurfer

Post: Updates - Chrome will soon try HTTPS first when you type an incomplete URL
 
Would you consider testing the experimental feature as referenced at the link above or would you wait until Q3 of this year as detailed at Changes to Chrome OS’s release cycle ...or maybe best to install HTTPS Everywhere until 94 is released?
I don't see any problem in enabling the experimental feature as long as it doesn't break anything. But as @SecurityNightmares said, most websites have already used HTTPS for years. I think HTTPS Everywhere is redundant, only increases attack surface, makes your browser fingerprint more unique and doesn't bring any noteworthy value either.
 
Would you consider testing the experimental feature as referenced at the link above or would you wait until Q3 of this year as detailed at Changes to Chrome OS’s release cycle ...or maybe best to install HTTPS Everywhere until 94 is released?
If you're using a beta browser (not recommended), then you can enable that option.
Else just wait :)

SecureKongo has already explained everything else (y)

 
Important sites have already used HTTPS for years.
I don't see any reason to use an extension for that.

If you care, just block HTTP JavaScript and you're done. Much more effective
I like this idea a lot but I only see a "Don't allow sites to use JavaScript" setting in Chrome, unspecific to HTTP... Is that the setting you're referring to? I could just set it this way and manually enable JavaScript when needed as well...
 
I like this idea a lot but I only see a "Don't allow sites to use JavaScript" setting in Chrome, unspecific to HTTP... Is that the setting you're referring to? I could just set it this way and manually enable JavaScript when needed as well...
I can't speak for Chrome, but in Edge this is possible under website permissions:
[Screenshot]

Turning off JavaScript completely will break 99% of sites and isn't recommended.
 
I can't speak for Chrome, but in Edge this is possible under website permissions:
[Screenshot]

Turning off JavaScript completely will break 99% of sites and isn't recommended.
For Chrome, someone in the Chrome web store suggested disabling JavaScript and then adding https://* under the custom setting of "allowed to use JavaScript." This seems like a workaround but I'm not 100% sure yet and am testing.
 
For Chrome, someone in the Chrome web store suggested disabling JavaScript and then adding https://* under the custom setting of "allowed to use JavaScript." This seems like a workaround but I'm not 100% sure yet and am testing.
It's more secure to block HTTP content than to allow all HTTPS content. You don't want to circumvent browser mitigations because of wrong settings.
 
HTTPS Everywhere will go into End of life

“Afterwards, this will start the HTTPS Everywhere web extension EoL (End of Life) stage, which will be determined later after completing the sunset of HTTPS Everywhere Rulesets. By adding the DuckDuckGo Smarter Encryption Update Channel we can give everyone time to adjust and plan.”
 
I can't speak for Chrome, but in Edge this is possible under website permissions:
[Screenshot]

Turning off JavaScript completely will break 99% of sites and isn't recommended.
I use the same simple rule in Chrome

https://[*.]:443

Translation: Only allow JavaScript on HTTPS sites using port 443