Advice Request HTTPS Everywhere, should be always on?


camo7782

First, when installing on Firefox, it is blocked by Firefox and needs a confirmation.

After installing I see it has two checks. I'm wondering what the first check is doing when the second is disabled; does anyone know?


HarborFront

IMO, it's not necessary to have the HTTPS Everywhere extension. Reasons being:

1) Most of the sites nowadays are HTTPS, although some sites are still HTTP.
2) The website may contain mixed content (i.e. the content on the website is not 100% secure or unencrypted), resulting in the insecure portion of the content (e.g. images) being subject to abuse. HTTPS Everywhere cannot force these sites to be HTTPS.
3) The green padlock icon is no longer an indication that the website is safe, for it can be phished. A study showed that 49% of the phishing sites carry the green padlock icon. Read below

 

Nightwalker

HTTPS isn't about phishing protection (it never was); it is all about session hijacking and privacy protection.

Combined with a secure DNS (DNSSEC support/Simple DNSCrypt), HTTPS Everywhere offers a reasonably secure environment, especially if your browser supports Encrypted SNI.

Is it necessary to have this extension? No, but it is still nice to have it on all the time to avoid HSTS attacks and ISP code injections.

Reference:
 

Threadripper

It gives you a feeling like you're being protected, but otherwise it's not that useful; in the worst cases it just breaks the website.

Chrome users may as well set the Chrome flag to "mark non secure websites as dangerous".
That's okay for the main website, but what about every connection a website makes to other domains?
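
The sub-resource question above, and the mixed content mentioned earlier in the thread, as an added example that is not from any poster: a small Node.js scanner that lists what an HTTPS page loads over plain HTTP and marks each item active or passive. The sample page, the hostnames and the `findMixedContent` name are constructed for illustration.

```javascript
// Added example (not from the thread): list sub-resources that an HTTPS page
// loads over plain HTTP. Sample page is constructed; hostnames are placeholders.
const SAMPLE_HTML = `
<html><head>
  <link rel="stylesheet" href="http://static.example.net/site.css">
  <script src="https://cdn.example.com/app.js"></script>
  <script src="http://ads.example.org/track.js"></script>
</head><body>
  <img src="http://img.example.net/banner.png">
  <img src="//img.example.net/logo.png">
  <a href="http://news.example.org/">plain link: navigation, not a sub-resource</a>
  <iframe src="http://widgets.example.org/frame.html"></iframe>
</body></html>`;

// tag -> [URL attribute, class]. Active content can script or restyle the page;
// passive content (media) can be swapped or observed but cannot run code.
const SUBRESOURCES = new Map([
  ["script", ["src", "active"]],
  ["iframe", ["src", "active"]],
  ["link", ["href", "active"]], // only counted when rel=stylesheet
  ["img", ["src", "passive"]],
  ["audio", ["src", "passive"]],
  ["video", ["src", "passive"]],
]);

function findMixedContent(pageUrl, html) {
  if (new URL(pageUrl).protocol !== "https:") return []; // only HTTPS pages can be "mixed"
  const findings = [];
  for (const [, rawTag, attrs] of html.matchAll(/<([a-zA-Z]+)\b([^>]*)>/g)) {
    const tag = rawTag.toLowerCase();
    const rule = SUBRESOURCES.get(tag);
    if (!rule) continue;
    if (tag === "link" && !/(?:^|\s)rel\s*=\s*["']?stylesheet/i.test(attrs)) continue;
    const [attr, kind] = rule;
    // (?:^|\s) keeps look-alike attributes such as data-src from matching.
    const m = new RegExp(`(?:^|\\s)${attr}\\s*=\\s*["']([^"']+)["']`, "i").exec(attrs);
    if (!m) continue;
    let url;
    try {
      url = new URL(m[1], pageUrl); // resolves relative and protocol-relative URLs
    } catch {
      continue; // unparsable URL: nothing the browser would fetch
    }
    if (url.protocol === "http:") findings.push({ tag, kind, url: url.href });
  }
  return findings;
}

console.log(findMixedContent("https://shop.example.com/", SAMPLE_HTML));
```

The protocol-relative image and the plain `<a>` link are not reported: the first inherits the page's HTTPS scheme, and the second is a navigation rather than something loaded into the page.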
 

Nightwalker

Is this something for laptops only? Can a session be sniffed while using a wired router?

Yes it can. For example, your ISP can make a man-in-the-middle attack and inject code while you are browsing. Other attackers can do it too, but it is much harder (ARP poisoning or HSRP spoofing).
 

camo7782

Yes it can. For example, your ISP can make a man-in-the-middle attack and inject code while you are browsing. Other attackers can do it too, but it is much harder (ARP poisoning or HSRP spoofing).
But for this to work, do I need the second check always on? Or is the first one enough to enforce SSL (if present) without calling the server first?
 
