HTTPS Everywhere, should be always on?
- Thread starter camo7782
- Start date
Please provide comments and solutions that are helpful to the author of this topic.
IMO, it's not necessary to have HTTPS Everywhere extension. Reasons being
1) Most of the sites nowadays are HTTPS although some sites still are HTTP
2) The website may contain Mixed content (i.e. the content on the website is not 100% secure or unencrypted) resulting in the insecure content (e.g. images) portion subject to abuse. HTTPS Everywhere cannot force these sites to be HTTPS
3) The green padlock icon is no longer an indication that the website is safe for it can be phished. A study showed that 49% of the phishing sites carry the green padlock icon. Read below
www.thesslstore.com
1) Most of the sites nowadays are HTTPS although some sites still are HTTP
2) The website may contain Mixed content (i.e. the content on the website is not 100% secure or unencrypted) resulting in the insecure content (e.g. images) portion subject to abuse. HTTPS Everywhere cannot force these sites to be HTTPS
3) The green padlock icon is no longer an indication that the website is safe for it can be phished. A study showed that 49% of the phishing sites carry the green padlock icon. Read below
HTTPS Phishing: 49% of Phishing Websites now sport the green padlock
HTTPS phishing has never been more prevalent, half of all websites now have the green padlock icon. We need to have a different discussion about HTTPS.
www.thesslstore.com
Last edited:
- May 29, 2018
- 2,756
It gives you feeling like youre being protected, but otherwise its not that useful, in worst cases it just breaks website
Chrome users may aswell set chrome flag to ''mark non secure websites as dangerous''
Chrome users may aswell set chrome flag to ''mark non secure websites as dangerous''
- May 26, 2014
- 1,347
HTTPS isnt about phishing protection (it never was), it is all about session hijacking and privacy protection.
Combined with a Secure DNS (DNSSEC support/Simple DNSCrypt), HTTPS Everywhere offers a reasonable secure environment, specially if your browser supports Encrypted SNI.
Is it necessary to have this extension? No, but it is still nice to have it on all the time to avoid HSTS attacks and ISP code injections.
Reference:
www.infoworld.com
www.eff.org
Combined with a Secure DNS (DNSSEC support/Simple DNSCrypt), HTTPS Everywhere offers a reasonable secure environment, specially if your browser supports Encrypted SNI.
Is it necessary to have this extension? No, but it is still nice to have it on all the time to avoid HSTS attacks and ISP code injections.
Reference:
Code injection: A new low for ISPs
Beyond underhanded, Comcast and other carriers are inserting their own ads and notifications into their customers’ data streams
www.infoworld.com
How HTTPS Everywhere Keeps Protecting Users On An Increasingly Encrypted Web
Way back in 2010, we launched our popular browser extension HTTPS Everywhere as part of our effort to encrypt the web. At the time, the need for HTTPS Everywhere to protect browsing sessions was as obvious as the threats were ever-present. The threats may not be as clear now, but HTTPS...
- Feb 24, 2019
- 408
HTTPS Everywhere is essential, and that second option you were asking about blocks HTTP connections.
- Feb 24, 2019
- 408
That's okay for the main website, but what about every connection a website makes to other domains?
- Mar 16, 2019
- 4,043
- Apr 29, 2019
- 168
is this something for laptops only? can a session be sniffed while using a wired router?
- May 26, 2014
- 1,347
Yes it can, for example your ISP can make a man in the middle attack and inject code while you are browsing, others attackers can do it too, but it is much harder (ARP poisoning or HSRP spoofing ).
- Apr 29, 2019
- 168
but for this to work do I need the second check always on? Or the first one is enough to enforce SSL (if present) without calling the server first?
- May 26, 2014
- 1,347
Just use default settings, the second check will block all unencrypted requests and thats isnt a good idea.
Similar threads
