How To Force HTTPS Connections
The Firefox add-on Firesheep demonstrates that regular connections are insecure.Internet users who connect via http to sites and services on the Internet from public networks run the risk that their information are stolen and recorded in the process.
To put it in layman terms: You may be vulnerable to this kind of data snooping if you see http and not https in your browser's address bar.
Http is bad and https is good for privacy and security reasons. That's all there is to it. Most services allow both http and https connections to their sites: Facebook is an example.
There are services, like Gmail, Google's email service, that only allows https connections and will redirect http requests to https for increased security and privacy.
This tutorial takes a look at some of the possibilities to force https connections which is useful if a site supports both.
The NoScript add-on is the best option for the Firefox web browser. The add-on's primary function is to block scripts from being executed automatically.
It offers several additional options to improve security however and one of them is the option to configure the browser to always use https connections for specific sites.
To open the preference, select Options from the status bar icon context menu and then Advanced > HTTPS in the NoScript window.
Here it is possible to add sites where https should always or never be used.
Facebook users would simply add facebook.com in the force text area. All connections to facebook.com from that moment on will be automatically redirected to https.
If you enter http://www.facebook.com/ in the browser to log into Facebook you will be redirected to https://www.facebook.com/ automatically. The same is true for all other pages on Facebook that use that address. Please note that you may have to add additional domains a service may use.
Update: Please note that you need to keep the pulldown menu below Forbid active web content unless it comes from a secure (HTTPS) connection to Never, which is the default setting.
If you don't want to use NoScript you can use HTTPS Everywhere instead which offers similar functionality.
As far as I know, there is not a comparable solution for the Google Chrome browser. There are however a few alternatives. The first is explained in the article Use Google Chrome For Secure Web Browsing. Google Chrome has a startup parameter called --force-https. If you start Chrome with that parameter only https connections are allowed. This makes the majority of websites inaccessible on the other hand.
Chrome does have a few extensions that force SSL for specific sites. Extensions are for instance available for Facebook
Use HTTPS is a Chrome extension that can be used to configure specific sites to always use HTTPS connections.
Update 2: you can also install HTTPS Everywhere, an excellent extension for Chrome to force HTTPS connections.
Opera 11 alpha which has been released recently supports extensions. One of the extensions that is available for the web browser is Security Enhancer. It forces https connections on a few sites including Twitter and several Google services. The extension has a bug currently where the http page is fully loaded before the redirection to the https page. There is also no option to add other sites to the listing.
Still, considering that it is an early version there is hope that the developer continues to improve the extension to resolve the bug and add customization.
Update: If you are using the new Opera browser, use HTTPS Everywhere instead for it. It is a browser extension that adds the functionality to it.
There is a user script for Internet Explorer to force https on Facebook, but that's it. There does not seem to be another option.
Firefox and Google Chrome benefit immensely from add-ons and extensions. In this case, they are the only two browsers with options to force https connections on custom websites. Opera is going to get an extension eventually that will add this functionality as well.
Update: The script is not available anymore.
Did I miss an option? Let me know in the comments.Advertisement