Advice Request HTTPS Everywhere or Force HTTPS...or Neither?

Please provide comments and solutions that are helpful to the author of this topic.

always_forever

Level 1
Thread author
Jul 1, 2021
47
Does anyone in the community have any thoughts about installing HTTPS Everywhere or Force HTTPS extensions?

I know extensions are widely thought to add needless threat surface, but, for someone using Chrome, are either of these still worth considering? I've read that browsers are moving towards having such functionality natively and that many misunderstand exactly what HTTPS Everywhere does.

Any thoughts appreciated! I do see that Force HTTPS is less widely used but someone mentioned here as preferable...
 

Kongo

Level 35
Verified
Top Poster
Well-known
Feb 25, 2017
2,481
I've read that browsers are moving towards having such functionality natively and that many misunderstand exactly what HTTPS Everywhere does.
Most browsers are not moving towards that, most already have it implemented. At least the most popular ones. Browsers like Firefox, Brave and Edge have it for months now and Chrome is following up soon as can be seen in the post of @silversurfer

Post: Updates - Chrome will soon try HTTPS first when you type an incomplete URL
 

Kongo

Level 35
Verified
Top Poster
Well-known
Feb 25, 2017
2,481
Would you consider testing the experimental feature as referenced at the link above or would you wait until Q3 of this year as detailed at Changes to Chrome OS’s release cycle ...or maybe best to install HTTPS Everywhere until 94 is released?
I don't see any problem in enabling the experimental feature as long as it doesn't break anything. But as @SecurityNightmares said, most websites already use HTTPS for years. I think HTTPS Everywhere is redundant, only increases attack surface, makes your browser fingerprint more unique and doesn't bring any noteworthy value either.
 
F

ForgottenSeer 85179

Would you consider testing the experimental feature as referenced at the link above or would you wait until Q3 of this year as detailed at Changes to Chrome OS’s release cycle ...or maybe best to install HTTPS Everywhere until 94 is released?
If you're using beta browser (not recommend), then you can enable that option.
Else just wait :)

SecureKongo has already explained everything else (y)

 

always_forever

Level 1
Thread author
Jul 1, 2021
47
Important sites use HTTPS already for years.
I don't see any reason using an extension for that.

If you care, just block HTTP JavaScript and you're done. Much more effective
I like this idea a lot but I only see a "Don't allow sites to use Javascript" setting in Chrome unspecific to HTTP...Is that the setting you're referring to? I could just set it this way and manually enable Javascript when needed as well...
 
F

ForgottenSeer 85179

I like this idea a lot but I only see a "Don't allow sites to use Javascript" setting in Chrome unspecific to HTTP...Is that the setting you're referring to? I could just set it this way and manually enable Javascript when needed as well...
I can't speak for Chrome, but in Edge this is possible under website permissions:
1626291755457.png

Turning off JavaScript completely will break 99% sites and isn't recommend.
 

always_forever

Level 1
Thread author
Jul 1, 2021
47
I can't speak for Chrome, but in Edge this is possible under website permissions:
View attachment 259664

Turning off JavaScript completely will break 99% sites and isn't recommend.
For Chrome, someone in the Chrome web store suggested to disable javascript and then add https://* to follow the custom setting of "allowed to use javascript." This seems like a workaround but I'm not 100% sure yet and am testing.
 
Last edited:
F

ForgottenSeer 85179

For Chrome, someone in the Chrome web store suggested to disable javascript and then add https://* to follow the custom setting of "allowed to use javascript." This seems like a workaround but I'm not 100% sure yet and am testing.
It's more secure to block HTTP content than allow all HTTPS content. You don't want circumstance browser mitigations because of wrong settings.
 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,712
HTTPS Everywhere will go into End of life

“Afterwards, this will start the HTTPS Everywhere web extension EoL (End of Life) stage, which will be determined later after completing the sunset of HTTPS Everywhere Rulesets. By adding the DuckDuckGo Smarter Encryption Update Channel we can give everyone time to adjust and plan.”
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top