HTTPS Everywhere: to use it or not?

Discussion in 'privacy technology' started by ace2564, May 1, 2016.

  1. ace2564

    My understanding is that HTTPS Everywhere encrypts the connection between the computer and the website. But why would I need to care whether the Google News site connection is encrypted? Besides, I am already using a VPN, which encrypts all of my traffic.
    To use it or not, then?
     
  2. CHEFKOCH

    No need to use it if you are behind a VPN anyway. This add-on is and always was problematic; some sites may not work 100% or you sometimes get timeouts. As the internet itself is changing due to Let's Encrypt, I think for the normal surfing user it doesn't matter much. I think the most dangerous thing is not that the page isn't secured; it's more about external content which could be infected, like malware advertisements from third parties, or wrongly implemented stuff which possibly tracks you. HTTPSE does not protect you against any of this.
     
  3. quietman

    I agree with all you say there, CHEFKOCH.

    I would just add that for people who don't use a VPN, I think "HTTPS Everywhere" still has some value.
    There have been some recent postings here about visiting this website and HTTPS.
    .... I'll try and find the link :)
     
  4. harsha_mic

    I get the benefit of HTTPS Everywhere without using it, through my browsing habits.
    - I always browse in InPrivate browsing mode, and load all HTTPS sites within a normal session, so the URLs will be saved in the browser.
    - Next, anytime I go to that site, I do it in private mode.
     
  5. TheWindBringeth

    It forces HTTPS where that can be done without causing significant breakage. I don't know what their breakage threshold is, or for that matter what their coverage is, but those are things to think about. Some might prefer to hard code some rules of their own.
    What you do, or don't, care about hasn't been clarified and is up to you to decide. However, there are situations where someone would want their communications with a site to be protected from intermediaries. So let's just focus on that for a moment.

    A server, and the content it serves, can be configured to restrict you to HTTPS. However, many servers do not do this. Some of those that don't do in fact support HTTPS. They just don't force it on users. You'll get HTTP if you enter that way, and HTTPS if you enter that way. Forcing HTTPS for these servers will assure you get HTTPS even if you forget to type it, or click on the wrong link or bookmark, etc.

    Some sites serve mixed content, either on purpose or by accident. You could even be forced into HTTPS at first, but for some sub-resources and/or in some sections of the site you'll run into either pages or embedded content that is fetched via HTTP. You'll want to understand how your browser/setup handles this. Forcing HTTPS can be beneficial in this type of scenario as well.

    Some might find forcing HTTPS helpful in an AV scenario if they allow the AV access to HTTP but not HTTPS.
    Only between the VPN client and VPN server. Your VPN provider, plus intermediaries between your VPN provider and the servers you contact, will see normal traffic. If that normal traffic is HTTP rather than HTTPS, you'll be exposing information.
     
  6. haakon

    Use it. Or not. Everyone has answered the question for themselves already. However...

    HTTPS Everywhere isn't. Everywhere.
    Depends on the rules:
    https://www.eff.org/https-everywhere/atlas/
    And you can build your own. I forget where the tutorial is.

    It's also got an SSL Observatory option:

    [Attached image: SSLobservatory.jpg]
     
  7. mirimir

    HTTPS Everywhere may not force HTTPS if it doesn't like the certificate. Better just type "https" ;)
     
  8. TheWindBringeth

    I'm not sure how to interpret that. Would you mind providing an example? Hypothetical is fine, I'm just trying to figure out if you are describing a good or bad or mixed thing.
     
  9. BoerenkoolMetWorst

    I've been using HTTPS Everywhere for years, there isn't much breakage. Found only 1 broken site last year.

    Btw, manually typing HTTPS in your URL bar only affects the main domain, HTTPS-E can also secure 3rd party domains.

    +1

    It may not be information worth protecting in the traditional sense, but why would governments performing mass surveillance have the right to know what news articles everyone is reading?
    Before the internet age, a lot of stuff like normal face 2 face conversations, the books you read, the articles you read in the newspaper etc etc were still private, because they didn't go over the wire. Now all that information is ripe for harvesting.
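
Added example (not part of any post in this thread, and not HTTPS Everywhere's own code): a simplified JavaScript model of ruleset-based rewriting, illustrating the points made in posts 5 and 9 about mixed content and third-party domains. All hosts, rulesets and function names are constructed for illustration.

```javascript
// Simplified model of ruleset-based HTTPS upgrading. Hosts and rules are constructed.
const RULESETS = [
  { name: "News site", targets: ["news.example", "www.news.example"],
    exclusions: [/^http:\/\/www\.news\.example\/legacy\//], // known-broken path stays on HTTP
    rules: [{ from: /^http:/, to: "https:" }] },
  { name: "CDN", targets: ["*.cdn.example"], exclusions: [],
    rules: [{ from: /^http:/, to: "https:" }] },
];

// "*.cdn.example" matches any subdomain; other targets must match the host exactly.
function hostMatches(target, host) {
  return target.startsWith("*.") ? host.endsWith(target.slice(1)) : target === host;
}

// Rewrite one URL. A URL that no ruleset covers is returned unchanged.
function rewrite(url, rulesets = RULESETS) {
  const host = new URL(url).hostname;
  for (const rs of rulesets) {
    if (!rs.targets.some((t) => hostMatches(t, host))) continue;
    if (rs.exclusions.some((re) => re.test(url))) continue;
    for (const r of rs.rules) {
      if (r.from.test(url)) return url.replace(r.from, r.to);
    }
  }
  return url;
}

// Rewrite the page and its subresources, then list what an HTTPS page
// would still fetch over plain HTTP (mixed content).
function auditPage(pageUrl, subresources, rulesets = RULESETS) {
  const page = rewrite(pageUrl, rulesets);
  const loaded = subresources.map((u) => rewrite(u, rulesets));
  const mixed = page.startsWith("https:") ? loaded.filter((u) => u.startsWith("http:")) : [];
  return { page, loaded, mixed };
}

// Constructed subresources referenced by the constructed page.
const SUBRESOURCES = [
  "http://img.cdn.example/a.png",               // third party, covered by a ruleset
  "http://ads.thirdparty.example/ad.js",        // third party, no ruleset
  "http://www.news.example/legacy/player.swf",  // first party, excluded path
];

// Typing "https" by hand, no rulesets: only the top-level page is HTTPS.
const typedHttps = auditPage("https://news.example/article", SUBRESOURCES, []);
// Entering via HTTP with rulesets: page and covered third party are upgraded.
const withRules = auditPage("http://news.example/article", SUBRESOURCES);
console.log(typedHttps.mixed.length, withRules.mixed.length);
```

Whether the remaining HTTP subresources load or are blocked depends on the browser's mixed-content handling, which this model does not cover.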
     
  10. mirimir

    There's a thread from a while back where it wasn't forcing HTTPS for Wilders :)
     
  11. blainefry

    It's basically what BoerenkoolMetWorst said: there's no reason that data should be easily available for third parties if it doesn't have to be. Schneier always talks about how surveillance is about economics, and the less economical it is to monitor/collect/mine traffic, the less likely it is to be done in a catch-all net fashion. The more Internet traffic is encrypted, the better off we all are.

    https://www.eff.org/pages/tor-and-https
     
  12. funkydude

    Wilders had a self-signed certificate. If the extension were to force HTTPS, every Wilders user would be met with a giant, scary warning. I don't think the website operators (Wilders in this case) would appreciate that; hence, HTTPS is only forced where it actually works.

    Since then, Wilders upgraded to a trusted certificate and the extension was updated to now force HTTPS.
     
  13. Jarmo P

    It does break website content, so I had stopped using it. I tested it again because some said it doesn't.
    I'll give an example:
    http://www.iltasanomat.fi/kotimaa/art-2000001172740.html

    I will have to disable Adtech.de (partial) to be able to see the video.

    It would be OK to keep running HTTPS Everywhere if it were possible to disable it on the above-linked domain for the 3rd parties. But the only option is to disable it globally, or to hunt down what breaks the content. It's too much of a bother, when running other blockers like uBO, to always know/find out which extension is doing the blocking.
     
  14. Victek

    Yes :thumb:

    https://www.eff.org/observatory

    "The EFF SSL Observatory is a project to investigate the certificates used to secure all of the sites encrypted with HTTPS on the Web. We have downloaded datasets of all of the publicly-visible SSL certificates on the IPv4 Internet, in order to search for vulnerabilities, document the practices of Certificate Authorities, and aid researchers interested in the web's encryption infrastructure."
     
  15. funkydude

    You CAN disable it per domain, I'm not sure where you're looking, but in Chrome, simply click the icon to show the dropdown menu.

    The website you linked seems to have multiple issues, it requires adblock and HTTPS-E (Adtech.de) disabled and flash enabled for the video to work. It will need further digging.
     
  16. Jarmo P

    Nothing needs any digging when things are as they are. AdBlock maybe needs to be disabled; uBO only needs a green allow for that German ad site. The point of my post was to give an example that HTTPS-E can break sites too.
    That HTTPS-E needed that disabling.
     
  17. funkydude

    Your post stated incorrect facts, I merely pointed them out.

    It does need digging if you want them fixed, the alternative is whining about it and doing nothing.
     
  18. Jarmo P

    I don't see any option in the GUI to disable HTTPS Everywhere on a per-domain basis. That is one seriously wished-for feature. It's stupid to keep disabling 3rd-party rules as the only option, or else to globally disable the extension.
     
  19. amarildojr

    I use HTTPS Everywhere because it enables HTTPS on all sites that support it, but most importantly without breaking them.

    But that is not the main reason I use it. I use it mainly because of its Observatory, which is a valuable tool.
     
  20. Umbra

    I use it especially for shifting Wilders to HTTPS :D
     
  21. Jarmo P

    The Chrome version does not have that feature, unless it is 'adding a rule to this site', but the Firefox one has. I'm not familiar with that Observatory. I'm just using the extension again on both browsers, since it does not break too many sites.
     
  22. EvjlsRain

    I tried to use it for a few days, but the one problem was that I had to remove it because it took 90 MB of RAM on startup and would increase each time I opened new tabs. 90 MB is a lot and it should not be like that for such extensions.
     
  23. funkydude

    90MB is NOT a lot, sorry, this is 2016. It is perfectly normal for such extensions, they contain giant lists of rules (the websites it needs to change to https).

    That being said, there have been database optimizations made in recent versions, but you can only do so much.

    I think I understand what you're saying now. You mean you want an option to disable HTTPS Everywhere when you land on a specific site instead of disabling the individual rules in the dropdown?
     
  24. Daveski17

    I have used it, I don't now.
     
  25. Victek

    How are you arriving at 90 MB? The extension "about:addons-memory" displays a list of the memory usage of individual addons/extensions. HTTPS Everywhere is currently using 6.5 megabytes on my list.

    https://addons.mozilla.org/en-US/firefox/addon/about-addons-memory-2016/?src=userprofile
     