October 18, 2012
As most readers are no doubt aware, I’m amped up on security issues in general, and data transmission specifically. I always keep an eye out for tools that can let people become more secure online with as little effort as possible, because if it’s difficult, most folks will ignore it.
Most readers also already know that Facebook, Twitter, and many other Social Media Sites and Networks let you carry all communications between your browser and those sites over secured HTTP connections (https). The problem has always been that you have to change your settings from the defaults (and make sure they stay changed) or else manually change URLs to be https:// instead of http:// each and every time. Otherwise, you go to the non-encrypted, non-protected version of the site by default. Some sites even have different URLs for secure surfing (like Google’s encrypted.google.com domains) – taking the problem a step beyond just remembering to type https:// first.
On top of the manual steps, some sites only encrypt certain components of their pages, with other elements like images and videos remaining unencrypted by default. This opens up holes in the overall security of communication, and is unfortunately difficult to avoid. Your browser might ignore the issue completely, or worse yet it may spit back a “mixed content” message that causes more confusion than it helps with security. With browsers changing what secure URLs versus mixed-content and insecure URLs look like in the address bar (a padlock today, a green background tomorrow, who knows what next week…), making sure you’re secure is harder than ever.
I have, however, stumbled across a tool that can make it easy – and most importantly automatic – to always use HTTPS whenever it’s known to be available. The Electronic Frontier Foundation has released updated versions of HTTPS Everywhere – a browser plug-in (add-on, extension, etc.) that does just that.
Available only for Firefox and Chrome right now, but expanding to other browsers in future, this add-on has a list of sites known to support HTTPS (like Facebook, Twitter, Wikipedia, most banks, shops and other platforms) – and automatically forces your browser to connect via HTTPS and *only* HTTPS when you surf those sites. This eliminates the potential to get unencrypted data on encrypted pages, and removes the need to remember to go to the secured site each and every time you browse. In addition, the tool automatically changes your URLs to the more secure version of some very popular sites – such as directing you to encrypted.google.com instead of just the HTTPS version of the regular google.com site.
The EFF, in the documentation and FAQs, clearly states that the tool can see what domain you are going to. It does not, however, track this information or report it back to the EFF itself. Since anyone could see the domains you’re headed to if they get on the same network as you and sniff traffic (like from a coffee-shop WiFi hotspot), the tool doesn’t pose any more risk than most of us already deal with in Social Media, and does limit a great deal of risk that’s out there otherwise.
Nothing is foolproof, and the whitelist of sites that HTTPS Everywhere uses is not all-encompassing. You still need to check and make sure that you’re on secure versions of your Social Networks and Sites. However, the tool makes it much easier to find out which networks support secure communication, and it takes the guesswork out of finding the higher-security versions of those sites. Also keep in mind that some sites may not be properly set up to work entirely over HTTPS, resulting in pages that render incorrectly or not at all. Luckily, the add-on provides a button that you can use to turn it off when necessary – and that button should be used only when you’re sure you don’t need to be using HTTPS.
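As an added example (not code from the EFF or from HTTPS Everywhere), the sketch below models the list-driven rewriting and the off switch described above, and reports which resources on a page would still travel unencrypted because their hosts are not on the list. The rule table, function names and sample URLs are constructed for illustration and do not reflect the extension's real rule data or format.

```javascript
// Added example: simplified model of a whitelist-based HTTPS rewriter.
// RULES is constructed sample data, not HTTPS Everywhere's real rules or rule format.
const RULES = [
  { hosts: ["facebook.com", "www.facebook.com"], from: /^http:/, to: "https:" },
  { hosts: ["twitter.com", "www.twitter.com"], from: /^http:/, to: "https:" },
  // The host changes too, like the encrypted.google.com case described in the post.
  { hosts: ["google.com", "www.google.com"],
    from: /^https?:\/\/(?:www\.)?google\.com\//, to: "https://encrypted.google.com/" },
];

// Returns the URL to actually request. Unlisted hosts and unparsable input pass through.
function rewriteUrl(raw, enabled = true) {
  if (!enabled) return raw;                 // the user has switched rewriting off
  let url;
  try { url = new URL(raw); } catch { return raw; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return raw;
  // Exact hostname match only: "facebook.com.example.net" must not hit the
  // facebook.com rule, and a listed name inside a query string is ignored.
  const rule = RULES.find(r => r.hosts.includes(url.hostname));
  return rule ? url.href.replace(rule.from, rule.to) : raw;
}

// For the resources a page loads, list what would still travel unencrypted
// after rewriting (hosts missing from the list): the remaining mixed content.
function remainingPlaintext(resources, enabled = true) {
  return resources
    .map(r => rewriteUrl(r, enabled))
    .filter(r => r.toLowerCase().startsWith("http://"));
}

// Constructed sample: resources loaded by one page.
const SAMPLE = [
  "http://www.facebook.com/profile",
  "http://twitter.com/widgets.js",
  "http://cdn.example.net/photo.jpg",       // not on the list: stays http
  "http://facebook.com.example.net/login",  // look-alike host: must not be matched
];

console.log(SAMPLE.map(u => rewriteUrl(u)));
console.log(remainingPlaintext(SAMPLE));
```

The two URLs left in the second output are the ones you would still need to check by hand, which is the limitation of any list-based approach.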
The EFF has made the tool and corresponding tool-kits available under the GNU licensing platform, so that other coders can extend it as time goes by. It’s also free to use for Firefox and Chrome, though you do have to follow the instructions on the site to install it properly. This means that you can start protecting yourself now, and that developers can continue to work on the project even if the EFF should decide they no longer wish to support it.
While nothing replaces common sense and care when using Social Media and other sites on the web, this tool is a good step in your overall security process. Take it slow, know where you’re surfing to and surfing from, and always confirm that you have reached the secured site you thought you were headed for.
Also, as always, keep in mind that even secure communication doesn’t protect you from posting updates that become public knowledge. Once you post, tweet, or blog something, it’s out there for everyone to see – HTTPS or not.