Https encrypts the traffic between the user’s computer and the server. The core benefit here is that it protects the data from network snooping. That’s handy if you are using a public computer, are in a computer network or do not want your ISP or your boss to find out what you are doing on a particular site that has https enabled.

Yesterday Google announced that they have enabled forward secrecy by default.

Most major sites supporting HTTPS operate in a non-forward secret fashion, which runs the risk of retrospective decryption. In other words, an encrypted, unreadable email could be recorded while being delivered to your computer today. In ten years time, when computers are much faster, an adversary could break the server private key and retrospectively decrypt today’s email traffic.

Forward secrecy requires that the private keys for a connection are not kept in persistent storage. An adversary that breaks a single key will no longer be able to decrypt months’ worth of connections; in fact, not even the server operator will be able to retroactively decrypt HTTPS sessions.

Perfect forward secrecy basically makes sure that attackers cannot use private keys that they have obtained in the future can not be used to compromise data that has been recorded in the past.

Forward secrecy has been enabled for Google Mail (Gmail) and other Google services that use the https including SSL search, Google Docs and Google+.

The only browsers currently supported are Google Chrome and Firefox on all platforms and Microsoft’s Internet Explorer on Vista or later.

Google has also made available the work that they did on the open source OpenSSL library that made the implementation of forward secrecy possible. You can read the original announcement over at the Google Online Security blog.

Google as a reaction moved encrypted search to its own subdomain under https://encrypted.google.com/ which seemed to have resolved the issue at that time.

Yesterday Google made the announcement that they will roll out encrypted search for logged in users automatically on google.com. What this means is that logged in Google users will be automatically redirected to https://www.google.com/ from http://www.google.com/. Users who are not logged in can access the encrypted page directly or use the standard unencrypted search page instead.

The core benefit of https over http is that the traffic is encrypted. Encryption means that attackers, employees or the user’s Internet Service Provider (ISP) cannot spy on the traffic that is exchanged between the user’s PC and the Google server. They do not see what a user does on Google.

The very same people do see the properties that users access after leaving the encrypted Google domain, for instance by clicking on a search result. And Google, obviously, sees it all just like before.

Google will roll out the feature for all of the company’s users in the coming weeks. The move to https could become a serious issue for web statistics applications as webmasters will no longer see the search query that their users came from in web statistic apps.

These information are often used to optimize the site for a particular keyword or group of users.

Google notes that webmasters will still be able to see the top 1000 search queries in Google Webmaster Tools. And with the integration of some Webmaster Tools data in Google Analytics, one could wonder if Google is intentionally favoring their own web traffic analysis solution with the move.

Other search engines, Ixquick comes to mind, have been offering encrypted search for some time as well.

What’s your take on encrypted search? (Google Blog, via)

The extension is useful in situations where websites support both the http and https protocol without a clear distinction between the two protocols, or options to always use https when a user is connecting to the website.

HTTPS Everywhere basically ensures that https is always used when connecting to one of the supported properties. Connections that are initiated by the user via http are automatically switched over to https in this case.

The add-on options list all supported websites and services. It offers a search to find a specific site and a switch to enable or disable the https redirection.

Web users who know their way around regular expressions can even create their own rulesets to add support for websites and services that are not included in the default site listing.

New users to HTTPS Everywhere should take a look at the extensive FAQ section at the development site over at EFF.org for detailed information about the add-on and how it protects the user.

It may happen that HTTPS Everywhere breaks some part of a website, which can usually be attributed to inconsistent support for HTTPS on those sites. The only option then is to disable the rule and report the problem to the company or individual running the website.

HTTPS Everywhere can be installed directly from the EFF website. Cautious users can look at the source code of the project which is also available on the project site. (via)

Twitter unfortunately decided to make HTTPS an optional setting, which means that you have to activate it before it can be used to automatically protect the account. Here is how that is done.

Enable HTTPS On Twitter

Visit the Twitter homepage and log into your account. You need to click on your username after the log in and select Settings from the context menu that is displayed.

This loads a new page with all available account settings. HTTPS Only is available under Account, which should be the active tab under settings.

Scroll down to the very bottom of the settings page and put a checkmark into the HTTPS Only, Always use HTTPS checkbox.

You need to enter your password to verify the change after clicking on the Save button.

Take a look at the web address after you have enabled HTTPS on Twitter. The url should begin with https:// on every Twitter page.

It is still necessary to load the Twitter homepage by entering https://www.twitter.com/ into the address bar, as the always HTTPS setting becomes active during login. Users who stay logged in on Twitter on the other hand do not have to put https in front as Twitter will make the switch automatically.

The always on setting has another drawback currently. Users who access Twitter with mobile devices still need to access https://mobile.twitter.com to use HTTPS when connecting to the website.

Twitter is working on a solution to enable the Always use HTTPS setting “across twitter.com and mobile.twitter.com”. The developers have announced plans to make HTTPS the default option eventually.

Lastly, users who connect to Twitter via third party applications should check the settings to see if the software programs offer HTTPS support. (via)

Http is bad and https is good for privacy and security reasons. That’s all there is to it. Most services allow both http and https connections to their sites, Facebook is an example. There are services, like Gmail, Google’s email service, that only allows https connections and will redirect http requests to https for increased security and privacy.

This tutorial takes a look at some of the possibilities to force https connections:

Mozilla Firefox

The NoScript add-on is the best option for the Firefox web browser. The add-on’s primary function is to block scripts from being executed automatically. It offers however several options to improve security further, with one of them offering to configure the browser to always use https connections for specific sites. To open the listing, click in Options on the status bar icon, then Advanced > HTTPS in the NoScript Options window.

Here it is possible to add sites where https should always or never be used. Facebook users would simply add facebook.com in the force text area. All connections to facebook.com from that moment on will be automatically redirected to https. A user entering http://www.facebook.com/ in the browser to log into Facebook will be redirected to https://www.facebook.com/ automatically. The same is true for all other pages on facebook.

Update: Please note that you need to keep the pulldown menu below Forbid active web content unless it comes from a secure (HTTPS) connection to Never, which is the default setting.

Google Chrome

As far as I know, there is not a comparable solution for the Google Chrome browser. There are however a few alternatives. The first is explained in the article Use Google Chrome For Secure Web Browsing. Google Chrome has a startup parameter called --force-https. If you start Chrome with that parameter only https connections are allowed. This makes the majority of websites inaccessible on the other hand.

Chrome does have a few extensions that force SSL for specific sites. Extensions are for instance available for Facebook

Update

Use HTTPS is a Chrome extension that can be used to configure specific sites to always use HTTPS connections.

Opera

Opera 11 alpha which has been released recently supports extensions. One of the extensions that is available for the web browser is Security Enhancer, which forces https connections on a few sites including twitter and several Google services. The extension has a bug currently where the http page is fully loaded before the redirection to the https page. There is also no option to add other sites to the listing.

Still, considering that it is an early version there is hope that the developer continues to improve the extension to resolve the bug and add customization.

Internet Explorer

There is a user script for Internet Explorer to force https on Facebook, but that’s it. There does not seem to be another option.

Firefox and Google Chrome benefit immensely from add-ons and extensions. In this case, they are the only two browsers with options to force https connections on custom websites. Opera is going to get an extension eventually that will add this functionality as well.

Did I miss an option? Let me know in the comments.

But there is also a distinction between verified and unverified hosts. Verified hosts are shown with a green background, unverified hosts with a blue background, even though both offer the same level of encryption.

firefox https indicator

The Firefox add-on URL Security adds another visual indicator, so that it becomes easier to identify https sites on first glance. The add-on changes the background color of the address bar to green whenever a https website is accessed in the browser.

url security

The developer announced plans to change the background color to blue if the host is unverified, which would mimic the standard Firefox https coloring scheme. Currently, both verified and unverified hosts show a green background color.

URL Security works right after installation. The add-on is compatible with Firefox 3.6 to 4, and can be downloaded directly from the Mozilla Firefox add-on repository.

The add-on is no longer needed as Firefox is now displaying better indicators in the address bar natively.

Connections to those websites will automatically be switched to the encrypted https channel for extra security.

https everywhere

All available sites are enabled by default with the option to disable them individually. That’s great as some sites might not be offering all of their services if encryption is used. Google Search is an example where some functions are not available if encryption is used.

Why would anyone want to use encryption for these sites? Encryption makes sure that third parties, for instance users in the same computer network or the Internet Service Provider, are not able to “see” what the user is doing on a site. They do not see which pages are requested nor other forms of interaction.

But there are other benefits as well. HTTPS connections might sometimes work where http connections do not. This depends on the rule set of the computer network or individual computer system. It can sometimes also be used to bypass some web filters.

Websites that are offering encryption but are not already included in the add-on can be added by editing the XML file that is created during installation. Configuration examples are provided on the EFF website. A basic understanding of JavaSript regular expressions is needed to configure new web services to always use HTTPS.

HTTPS Everywhere is available from the Electronic Frontier Foundation website. Firefox will display a small notification window on top with an option to allow the host to offer add-ons for installation. The installation will only commence if the user clicks the allow button in the notification.

It was for one not possible to use all Google services. Google Image search was for instance not available for users who used the https version of Google.

Organizations, companies and schools had to deal with another problem. Employees and students who used the secure version of Google Search were able to bypass some school’s content filters allowing them to access sites and content’s that were blocked in the network.

Some schools began to block encrypted search which had another side effect. Google services that relied on encryption like Gmail or Google Apps stopped working as they were making use of SSL as well.

Dave Girouard, President, Google Enterprise explained in a blog post what Google decided to do about it. A first step is to move encrypted search to a new hostname so that schools can block that new hostname without blocking the other Google secure services offered at the main Google domain.

The long term plan however is to offer encrypted search at the main Google Search domain. It is not yet clear how this will be offered but a likely scenario is to move the authentication to its own hostname.

Expect a new secure Google Search url soon. It is likely that the old url will automatically redirect to the new one.

Https sites are widely known in the financial sector, on shopping sites and during log ins.The session-wide encryption ensures that information entered in a session is safe from being intercepted by another user in the computer network.

Internet users can verify that the connection uses SSL by looking at the url in the address bar. The connection is secure if it begins with https. Google has created a new logo to further inform users. The Google SSL logo is another visual indicator that SSL is used to connect to Google.

In this stage SSL is only enabled for Google web search and not for other services offered by Google such as Google Maps or Google Images.

Users might also experience a slower than regular Google search experience due to the additional step of establishing a secure connection.

It has to be noted that SSL does not provide complete security. A user connecting to Google https can be sure that the traffic (like search phrases) will be encrypted while on the Google website. Most search results on the other hand make no use of https which means that it can still be possible (for an ISP or network user) to identify the target websites.

SSL will also not aid if viruses or trojans are installed on the user’s computer system.

SSL search is nevertheless a step in the right direction. It is likely that Google will roll out encryption to some of their other services in the near future.

Google recently announced that they would role out an encrypted version of Google Search next week. The blog post was largely about the WiFi data collection that made news in the last days.

The fact that Google will enable https search is mentioned in one sentence in the large article explaining the WiFi fiasco.

Earlier this year, we encrypted Gmail for all our users, and next week we will start offering an encrypted version of Google Search

The url https://www.google.com/ currently redirects to the standard Google search. It is likely that Google will make another post once the new feature has been enabled.

It will likely be only a matter of time until other search engines and websites (Facebook anyone) will start offering https for all connections to their sites as well.

The second issue that the Internet Recovery Kit addresses is broken SSL support which usually comes in the form of not being able to connect to HTTPS websites properly. This too can be problematic as many financial websites and shopping websites use https for improved security.

Rizone’s Internet Recovery Kit can be used to fix both issues that have been described in the last two paragraphs. All the user needs to do is to press the right button in the software program to initiate the fix. While there is no guarantee that the program can fix the problem the chance is good that it can.

Users who want to repair Windows Update and Automatic Updates on their computer system can press the Repair WU/AU button to do so. The program will display the progress in the log at the bottom of the interface. The log can also be used to analyse what has been done to fix the problem. The Repair SSL / HTTPS button on the other hand will initiate the repair of these components in the Windows operating system.

Rizone’s Internet Recovery Kit is compatible with Windows XP, Windows Vista and Windows 7. It is a fine addition for every computer repair toolkit thanks to its portable nature, ease of use and success rate.

There is one additional problem concerning websites that do offer HTTPS connections on most of their network but not everywhere. Mouser over at Donation Coder mentioned a hidden setting in the NoScript (check my Firefox security profile for additional information) add-on of the Firefox web browser allowing to force HTTPS connections for listed websites. This is helpful in a few cases. Some websites offer both HTTP and HTTPS connections to their servers. Another possibility are websites that make use of HTTPS connections but not on all pages.

Users with the excellent No Script add-on installed can configure sites to always use a secure https connection when they are visited. This option can be accessed by right-clicking the NoScript icon in the Firefox status bar, selecting Options from the context menu, clicking on the Advanced tab in the configuration and there on the HTTPS tab.

New websites or pages that should be forced to use secure HTTPS connections can be added to NoScript in there. The use of wildcards is possible. Users should however note that this will not work on all websites. It will obviously not work on websites that do not offer HTTPS. There are also sites that automatically redirect HTTPS requests to HTTP. Google.com is a prime example of this. If you add google.com to the list you will notice a never ending loop when opening that website because of NoScript trying to force HTTPS and Google redirecting to HTTP.

It was still possible to open the https website manually but Google does not force the use of https. There is however a setting in Gmail that is called Browser Connection (discovered via Sizlopedia) where the user can select to Always Use HTTPS when he connects to Gmail.

I highly recommend to enable that setting to everyone who is using Gmail as a mail client but especially to those users who use additional Google services that already force https usage.

You can reach the configuration menu by clicking on the Settings link in the top right corner of the Gmail account. Scroll down to the very bottom of the menu that is showing up after clicking on the link and check the Always Use HTTPS box.