ghacks Technology News

How To Force HTTPS Connections

The Firefox add-on Firesheep has demonstrated the vulnerability of insecure connections with a bang. Users who use an unencrypted connection to access sites and services on public networks may have their information recorded by other users who record the network traffic. To put it in layman's terms: you may be vulnerable to this kind of data snooping if you see http and not https in your browser’s address bar.

HTTP is bad and HTTPS is good for privacy and security reasons. That’s all there is to it. Most services, Facebook for example, allow both HTTP and HTTPS connections to their sites. Other services, like Gmail, Google’s email service, only allow HTTPS connections and redirect HTTP requests to HTTPS for increased security and privacy.

This tutorial takes a look at some of the possibilities to force https connections:

Mozilla Firefox

The NoScript add-on is the best option for the Firefox web browser. The add-on’s primary function is to block scripts from being executed automatically. It does, however, offer several options to improve security further, one of which configures the browser to always use https connections for specific sites. To open the listing, click Options on the status bar icon, then Advanced > HTTPS in the NoScript Options window.

Here it is possible to add sites where https should always or never be used. Facebook users would simply add facebook.com in the force text area. All connections to facebook.com from that moment on will be automatically redirected to https. A user entering http://www.facebook.com/ in the browser to log into Facebook will be redirected to https://www.facebook.com/ automatically. The same is true for all other pages on Facebook.

Update: Please note that you need to keep the pulldown menu below “Forbid active web content unless it comes from a secure (HTTPS) connection” set to Never, which is the default setting.
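
The force and never lists described above can be modelled as a small URL policy that every navigation passes through. This is an added example, not NoScript's code or anything from the original article; the subdomain-matching rule, the precedence of the never list, the handling of explicit ports and the sample host static.facebook.com are assumptions made for illustration.

```javascript
// Added example, not NoScript's code. An entry matches a host exactly or any
// subdomain of it; that matching rule is an assumption of this sketch.
function hostMatches(host, entry) {
  const h = host.toLowerCase().replace(/\.$/, ""); // drop a trailing root dot
  const e = entry.toLowerCase().replace(/^\./, "");
  // Require a dot boundary so "notfacebook.com" does not match "facebook.com".
  return h === e || h.endsWith("." + e);
}

// Decide what to do with one navigation. policy = { force: [...], never: [...] }
function upgradeUrl(rawUrl, policy) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (err) {
    return { url: rawUrl, action: "invalid" };
  }
  if (url.protocol !== "http:") return { url: url.href, action: "unchanged" };
  const listed = (list) => list.some((entry) => hostMatches(url.hostname, entry));
  // In this sketch the never list wins, so one broken subdomain can be exempted.
  if (listed(policy.never)) return { url: url.href, action: "exempt" };
  if (!listed(policy.force)) return { url: url.href, action: "unchanged" };
  // An explicit port such as :8080 seldom has a TLS listener; leave it alone.
  if (url.port !== "") return { url: url.href, action: "unchanged" };
  url.protocol = "https:";
  return { url: url.href, action: "upgraded" };
}

// Apply the policy to every hop of a navigation, including redirect targets
// that point back to plain http.
function upgradeChain(urls, policy) {
  return urls.map((u) => upgradeUrl(u, policy).url);
}

// Constructed sample policy and navigations (static.facebook.com is hypothetical).
const policy = { force: ["facebook.com"], never: ["static.facebook.com"] };
const hops = [
  "http://www.facebook.com/",
  "http://facebook.com/home.php",
  "http://notfacebook.com/",
  "http://static.facebook.com/logo.png",
];
console.log(upgradeChain(hops, policy));
```

Because the policy runs on each hop rather than once on the typed address, a redirect back to a plain http page on a listed site is upgraded again instead of silently downgrading the session.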

Google Chrome

As far as I know, there is not a comparable solution for the Google Chrome browser. There are, however, a few alternatives. The first is explained in the article Use Google Chrome For Secure Web Browsing. Google Chrome has a startup parameter called --force-https. If you start Chrome with that parameter, only https connections are allowed. On the other hand, this makes the majority of websites inaccessible.

Chrome does have a few extensions that force SSL for specific sites. Extensions are, for instance, available for Facebook.

Update

Use HTTPS is a Chrome extension that can be used to configure specific sites to always use HTTPS connections.


Opera

Opera 11 alpha, which has been released recently, supports extensions. One of the extensions that is available for the web browser is Security Enhancer, which forces https connections on a few sites including Twitter and several Google services. The extension currently has a bug where the http page is fully loaded before the redirection to the https page. There is also no option to add other sites to the listing.

Still, considering that it is an early version, there is hope that the developer continues to improve the extension to resolve the bug and add customization.

Internet Explorer

There is a user script for Internet Explorer to force https on Facebook, but that’s it. There does not seem to be another option.

Firefox and Google Chrome benefit immensely from add-ons and extensions. In this case, they are the only two browsers with options to force https connections on custom websites. Opera is going to get an extension eventually that will add this functionality as well.

Did I miss an option? Let me know in the comments.



About the Author: Martin Brinkmann is a journalist from Germany who founded Ghacks Technology News back in 2005. He is passionate about all things tech and knows the Internet and computers like the back of his hand. You can follow Martin on Facebook or Twitter.

Sunday October 31, 2010


Responses so far:

  1. David Macdonald says:

    Shouldn’t Mozilla ban Firesheep already?

  2. sami says:

    Writing facebook.com does not work, rather the site shows javascript is disabled. Anyway, if I type https://facebook.com then after login it redirects to http://facebook.com/home.php. Isn’t it useless then?

  3. geeknik says:

    HTTPS Everywhere for Firefox is probably the best option. I don’t like NoScript.

    https://www.eff.org/https-everywhere

  4. ilev says:

    Yes, you did miss an option for Windows (no need for browser add-on):

    FireShepherd

    Firesheep. Created to demonstrate our vulnerability on public wireless networks, but still a viable way for prying eyes to assume your identity. Enter FireShepherd, a Windows application that jams Firesheep to keep your browsing private.

    FireShepherd is a tiny program that will work automatically once opened. Download it here. It operates simply—filling your current wireless network with benign junk data that tricks Firesheep into thinking it’s latched onto your personal info—and crashing it in the process.

    So, it’s simple. Logging in at the library? At Starbucks? Pop open FireShepherd and browse in (relative) safety.

    http://gizmodo.com/5676841/how-to-keep-hackers-from-hijacking-your-accounts-with-firesheep?skyline=true&s=i

  5. ilev says:

    Google Chrome also has the Fidelio extension:

    Forces secure connections and secure cookies on sites specified by the user in the options page.

    By default twitter.com and facebook.com are enabled.

    The method used means that there is no cookie leak in the initial HTTP request, since cookies are re-written with the secure flag set.

    http://github.com/nikcub/fidelio#readme

  6. Willy says:

    If you change the setting from Never to Always it will screw up your visit to some sites. Also, adding sites one-by-one isn’t really the answer.

  7. OIK2 says:

    KB SSL Enforcer is a great extension for chrome. It will try to surf https over http everywhere you go, keeps a whitelist of where it works, and a blacklist of places it doesn’t.

  8. Bihar News says:

    Great blog! I genuinely love how it is easy on my eyes as well as the details are well written. I am wondering how I can be notified whenever a new post has been made. I have subscribed to your rss feed which need to do the trick! Have a nice day!

  9. richard says:

    https://chrome.google.com/extensions/detail/hgnokomidnmbklcnmongappmfklabemf?hl=en

    Works for all sites that have https, just add them to the list.

  10. Yogesh says:

    I want to force Adsense to go through HTTPS

  11. jonny says:

    I don’t know why it’s not already default in innovative browsers like chrome, ff and opera that ssl is enforced whenever possible.
    It would be a huge plus in security, and since it’s a security issue, it shouldn’t be handled by extensions and alike.
    Maybe an integrated ssl enforcement could be a door for exploits?
    Anyway, an extension most likely will be that, and since the guy who wrote NoScript did something evil (I forgot what exactly but you can just google it) I don’t trust him or his software anymore, and I don’t want any extension that is in control of my security options.
    Dunno bout ff and chrome, but when I enter https in the url of site that doesn’t support ssl it just loads the normal http version.
    So it shouldn’t be an issue to have it try ssl first, or at least have that as an option.
    I couldn’t tell a delay in loading…

  12. Kos says:

    Chrome extension is available at http://bit.ly/https-evr
