lwn articles έγραψε:HTTPS Everywhere brings HTTPS almost everywhere
June 30, 2010
This article was contributed by Nathan Willis
Widespread end-to-end encryption for online communication often seems like a pipe dream: few email users bother with PGP, still fewer VoIP users ever use SRTP or ZRTP. But the one area where the general public has caught on to the need for secure transport channels is in web traffic, thanks to electronic commerce. The Electronic Frontier Foundation (EFF) recently released a Firefox extension called HTTPS Everywhere that leverages the widespread availability of HTTPS connections among popular Internet services. HTTPS Everywhere automatically rewrites URLs for a variety of providers, from software-as-a-service offerings to news outlets. The add-on is not configured to rewrite every URL by default, but it is a plug-and-play security enhancement.
In the initial HTTPS Everywhere announcement on June 17, Peter Eckersly said that the inspiration for the project was Google's launch of an HTTPS-encrypted search service in May. He later told ZDNet that the initial goal of the add-on was to create a tool to encrypt all Google searches (the Google HTTPS service initially worked only through the
http://www.google.com domain and not the localized, international Google sites), but was quickly extended to other sites once the team — which also includes volunteers from the Tor (aka The Onion Router) project — found how simple it was.
HTTPS Everywhere is built on top of code that originated in the NoScript project, modified both to be easier to use and with additional functionality. Thus far, the extension is only available on the EFF's project page, not through the official Mozilla Add-ons site. The latest release is 0.1.2, though unfortunately no Firefox version-compatibility information is provided.
When installed, the extension provides a very simple preferences interface: a single pop-up window with checkboxes for each supported site or service. The result is instantaneous rewriting of URL requests to keep traffic on TLS or SSL encrypted HTTPS connections — including the initial request and subsequent internal links. The effect of checking or unchecking a site is instantaneous as of the next URL request; however it should be noted that previously-rewritten URLs already in the location bar or history are not "reverted" merely by changing the extension's preferences.
What it does
HTTPS Everywhere works by rewriting URLs based on matching requests against a series of regular-expression-based rules. Each rule is specific to a service, so that users can deactivate particular rules if they prove problematic. That is a valid concern, as some sites provide HTTPS connections, but do not offer the same services as they do over HTTP. Google Search, for example, supports web, video, news, books, blog, microblog, and forum content over HTTPS, but not image or shopping content. Many users have reported that using Facebook's HTTPS service disables the built-in chat client.
The current list of supported sites includes Google's search and services (such as Gmail and Google Voice) as separately-selectable options, as well as Facebook, Identi.ca, Twitter, the DuckDuckGo, Scroogle, and Ixquick search engines, Wikipedia, the New York Times, the Washington Post, the EFF, Mozilla, and Tor sites, San Francisco hacker space Noisebridge, and the Gentoo project's Bugzilla. Users can write their own URL matching and rewriting rules by following a tutorial at the HTTPS Everywhere site. Authors are encouraged to send in their creations to the project for possible inclusion in subsequent releases.
Rule sets use a simple XML format; each ruleset element can contain one or more rule elements with a "from" and "to" pattern to map the rewriting required. The patterns use JavaScript regular expressions, which is part of why HTTPS Everywhere can provide more redirects than NoScript's simple HTTP-to-HTTPS replacement.
An example from the site is Wikipedia, which runs an HTTPS server at secure.wikimedia.org, but not at the language-specific host names, such as sm.wikipedia.org or uk.wikipedia.org. HTTPS Everywhere's ruleset rewrites
http://en.wikipedia.org/wiki/Example to
https://secure.wikimedia.org/wikipedia/en/wiki/Example. HTTPS Everywhere also supports exclusion rules to work around HTTP-only subdomains in an otherwise HTTPS-supported domain, and it can gracefully downgrade to HTTP for sites that automatically redirect HTTPS requests to HTTP, without getting trapped in a loop .
Eckersly said that he hopes NoScript will be able to incorporate some of HTTPS Everywhere's enhancements back into its own extension, but for the foreseeable future intends to keep offering HTTPS Everywhere as its own, easy-to-use alternative.
What it doesn't
HTTPS Everywhere simply rewrites the outgoing URL requested by the browser, so it is only of use with sites already running an HTTPS server. Tor, in contrast, provides an encrypted first-step channel into the anonymous Tor network for every site visited, though the last step link from Tor to HTTP-only web sites is, of course, not encrypted.
EFF points out that users using HTTPS Everywhere may still see the broken-lock icon in Firefox for some sites, because many services use HTTP servers for some of their own page content (such as images) and to include insecure third-party content.
It is also important to note that while HTTPS encrypts the connection to the server and the resource path portion of the requested URL, the server name portion of the request is still visible (not only through setting up the connection, of course, but also potentially via DNS lookup). In addition, although HTTPS Everywhere can encrypt cookie requests over HTTPS, it does not provide the stronger cookie-management policies of NoScript. Thus, while eavesdroppers and credential thieves will be set back by HTTPS Everywhere, it does not encompass every security and privacy feature.
Finally, the genuinely paranoid no doubt know that encryption does not mean anonymity. Your IP address is visible in every request, and user tracking can be performed in many esoteric ways without peeking at the contents of the sites you read. The latter danger is ingeniously displayed by EFF's own Panopticlick, which gathers potentially trackable information from request headers, browser plugins, fonts, and other system information.
Security everywhere
The HTTPS Everywhere page discusses several similar secure-browsing alternatives, in addition to the aforementioned NoScript and Tor. Sid Stamm's Force-TLS is a Firefox extension that implements Strict Transport Security (STS) — although STS itself does not encrypt the initial request, it only tells the user agent to use HTTPS for subsequent requests, making it marginally less secure. Stanford's ForceHTTPS also includes a custom database of URL rewriting schemes, but was only released as a prototype in 2008, supporting Gmail and a handful of banking web sites.
The Chrome extension KB SSL Enforcer receives a little heat on the HTTPS Everywhere site, because it loads both HTTP and HTTPS requests for each page, thus potentially exposing the HTTP page to eavesdroppers. According to the developer, this is due to limitations in Chrome's APIs. Eckersley said that HTTPS Everywhere uses multiple Firefox APIs, including nsIObserver, nsIContentPolicy, and nsITraceableChannel, to try to capture every request path — even favicons and requests initiated by other add-ons — but still welcomes further networking testing by users.
The project reports that it has received dozens of user-contributed rulesets, including many for high-traffic sites, but that merging them all into a new default rule set for the next release will take some time. A 0.2.x "development" branch XPI installer was uploaded to the site on June 29th, which incorporates some of these additions.
Privacy and security online is a non-stop arms race between exploit-crafters and those making tools to thwart them. In that context, HTTPS Everywhere is not a perfect solution, but for many people it is an excellent, easy-to-use way to secure a large chunk of their daily web traffic.
