User:Mjb/HTTPS Everywhere

From Offset

The EFF makes available HTTPS Everywhere, which is a free extension for Firefox and Chrome web browsers. It encrypts, from end to end, the content of as much of your web browsing as possible. It does this by making your browser rewrite http: URLs to https: URLs, according to site-specific rules defined in files distributed with the extension.

The net effect of having this extension installed is that when you visit a site via HTTP, and there's an HTTPS version of the page available (according to the rules, at least), your browser will try to get the HTTPS version, as if you had typed or followed an https: link instead of an http: one.

I believe the extension is actually a general URL rewriter. What makes it rewrite HTTP URLs to HTTPS URLs is the rulesets.

There are some downsides:

  • Rules are often out-of-date, and certainly don't cover as many websites as they could.
  • Rules are only maintained by developers, and are pushed to users only through updates to the extension; there's no external database that the rules can be fetched from.
  • Rules can't be customized from within the browser.
  • The Chrome version of the extension isn't as robust as the Firefox version.
  • In Chrome, custom rules are lost when the extension automatically updates (see below).
  • Use of HTTPS limits content caching, resulting in extra network traffic & server load as frequently-accessed content is reloaded.
  • Use of HTTPS doesn't hide the fact that you're communicating with a particular IP address via HTTPS; it just prevents eavesdropping on the content itself.
  • Use often results in mixed content (HTML served via HTTPS, but scripts/CSS/widgets/etc. served via HTTP), which isn't very secure.

Despite the downsides, I generally like using the extension, and it prompted me to figure out that it wasn't all that difficult to configure HTTPS on my own website.

Custom rulesets

Here's a custom ruleset for this server:

<ruleset name="skew.org">
  <target host="skew.org" />
  <target host="offset.skew.org" />
  <rule from="^http://(offset\.)?skew\.org/" to="https://$1skew.org/"/>
</ruleset>

This says that when accessing a URL whose host component is skew.org or offset.skew.org (the two sites for which my SSL certificate works), rewrite the URL, replacing http with https, and retaining the offset. part, if present. The ruleset name doesn't matter.

Save it to a file and give the file a name like skew.org.xml.
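
To check a custom ruleset before installing it, the following added example (not the extension's code, and not part of the original page) models how the ruleset above is applied to a URL. It assumes exact host matching on the target elements and that the first matching rule wins, and it only parses the simple attribute form used above; the function names are hypothetical.

```javascript
// Added example: a simplified model of ruleset matching, not the extension's code.
// The ruleset text is the one shown on this page.
const RULESET_XML = String.raw`
<ruleset name="skew.org">
  <target host="skew.org" />
  <target host="offset.skew.org" />
  <rule from="^http://(offset\.)?skew\.org/" to="https://$1skew.org/"/>
</ruleset>`;

// Collect name="value" attributes from one tag (assumes no XML entities).
function attrs(tag) {
  const out = {};
  for (const m of tag.matchAll(/([\w-]+)="([^"]*)"/g)) out[m[1]] = m[2];
  return out;
}

// Pull <target> hosts and <rule> from/to pairs out of the ruleset text.
function parseRuleset(xml) {
  const targets = [], rules = [];
  for (const m of xml.matchAll(/<(target|rule)\b[^>]*>/g)) {
    const a = attrs(m[0]);
    if (m[1] === "target") targets.push(a.host.toLowerCase());
    else rules.push({ from: new RegExp(a.from), to: a.to });
  }
  return { targets, rules };
}

// Rules are tried only when the URL's host is a listed target (exact match here);
// the first rule whose "from" pattern matches produces the rewritten URL.
function rewrite(url, ruleset) {
  let host;
  try { host = new URL(url).hostname; } catch { return url; }
  if (!ruleset.targets.includes(host)) return url;
  for (const { from, to } of ruleset.rules) {
    if (from.test(url)) return url.replace(from, to);
  }
  return url;
}

const ruleset = parseRuleset(RULESET_XML);
// Constructed test URLs: two that should upgrade, three that must stay as they are.
const samples = [
  "http://skew.org/index.html",                // $1 is empty: optional group unmatched
  "http://offset.skew.org/wiki/",              // $1 is "offset."
  "http://www.skew.org/",                      // host is not a <target>
  "http://example.com/?next=http://skew.org/", // other host; ^ anchors the pattern
  "http://skew.org:8080/x",                    // target host, but rule needs "skew.org/"
];
for (const u of samples) console.log(u, "->", rewrite(u, ruleset));
```

The last sample shows a gap worth knowing about: a URL with an explicit port on a covered host is not upgraded by this rule, because the pattern requires the slash immediately after skew.org.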

Firefox

  • Visit about:support and click "Profile Directory" to get the path of the profile folder.
  • In your OS, go to that folder.
  • Put the XML file(s) in an HTTPSEverywhereUserRules subfolder (create it if necessary).
  • Restart Firefox.

Chrome

  • In your OS, go to the folder where the HTTPS Everywhere extension was installed. On Windows, that's %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Extensions\gcbommkclmclpchllfjekcdonpmejbdp\VERSION (replace VERSION, of course).
  • Put the XML file(s) in the rules subfolder.
  • Edit rules.js and add the new file(s) to the list, like this (THEFILE.xml is the new ruleset):
    var rule_list = ["rules/default.rulesets","rules/THEFILE.xml",];
  • Restart Chrome.

Chrome will silently update the extension automatically when a new version is available. The updated version completely replaces your old one, so you lose all the customizations. Therefore, I suggest keeping a copy of rules.js and the custom ruleset XML in a safe place so you can just drop them in when you notice the custom rules aren't working anymore. This requires that you be aware enough to notice when the rules stop working.