camo7782

Level 3
First, installing on Firefox it is being blocked by Firefox and need a confirmation.

After installing I see it has two checks, I'm wondering what is the first check doing when the second is disabled, anyone that knows?

 

HarborFront

Level 46
Content Creator
Verified
IMO, it's not necessary to have HTTPS Everywhere extension. Reasons being

1) Most of the sites nowadays are HTTPS although some sites still are HTTP
2) The website may contain Mixed content (i.e. the content on the website is not 100% secure or unencrypted) resulting in the insecure content (e.g. images) portion subject to abuse. HTTPS Everywhere cannot force these sites to be HTTPS
3) The green padlock icon is no longer an indication that the website is safe for it can be phished. A study showed that 49% of the phishing sites carry the green padlock icon. Read below

 
Last edited:

Moonhorse

Level 26
Content Creator
Verified
It gives you feeling like youre being protected, but otherwise its not that useful, in worst cases it just breaks website

Chrome users may aswell set chrome flag to ''mark non secure websites as dangerous''
 

Nightwalker

Level 14
Content Creator
Verified
HTTPS isnt about phishing protection (it never was), it is all about session hijacking and privacy protection.

Combined with a Secure DNS (DNSSEC support/Simple DNSCrypt), HTTPS Everywhere offers a reasonable secure environment, specially if your browser supports Encrypted SNI.

Is it necessary to have this extension? No, but it is still nice to have it on all the time to avoid HSTS attacks and ISP code injections.

Reference:
 

Threadripper

Level 6
It gives you feeling like youre being protected, but otherwise its not that useful, in worst cases it just breaks website

Chrome users may aswell set chrome flag to ''mark non secure websites as dangerous''
That's okay for the main website, but what about every connection a website makes to other domains?
 

SeriousHoax

Level 2
Verified
You don't need to turn that option on. That would break HTTP sites. Don't change anything. Just install & forget.
 

Nightwalker

Level 14
Content Creator
Verified
is this something for laptops only? can a session be sniffed while using a wired router?
Yes it can, for example your ISP can make a man in the middle attack and inject code while you are browsing, others attackers can do it too, but it is much harder (ARP poisoning or HSRP spoofing ).
 
  • Like
Reactions: Burrito

camo7782

Level 3
Yes it can, for example your ISP can make a man in the middle attack and inject code while you are browsing, others attackers can do it too, but it is much harder (ARP poisoning or HSRP spoofing ).
but for this to work do I need the second check always on? Or the first one is enough to enforce SSL (if present) without calling the server first?