How To Force HTTPS Connections
The Firefox add-on Firesheep demonstrates that regular http connections are insecure. Internet users who connect via http to sites and services on the Internet from public networks run the risk that their traffic, including the login session cookies Firesheep captures, is intercepted and recorded on the way.
To put it in layman's terms: you may be vulnerable to this kind of snooping if you see http and not https in your browser's address bar.
Plain http sends everything in the clear; https encrypts the connection, which is what makes the difference for privacy and security here. Most services accept both http and https connections to their sites: Facebook is an example.
There are services, like Gmail, Google's email service, that only allow https connections and redirect http requests to https for increased security and privacy.
This tutorial looks at some of the options for forcing https connections, which is useful when a site supports both but defaults to http.
Mozilla Firefox
The NoScript add-on is the best option for the Firefox web browser. Its primary function is to block scripts from executing automatically.
It offers several additional security options, however, and one of them configures the browser to always use https connections for specific sites.
To open the preferences, select Options from the status bar icon's context menu and then Advanced > HTTPS in the NoScript window.
Here it is possible to add sites where https should always or never be used.
Facebook users would simply add facebook.com to the force text area. From that moment on, all connections to facebook.com are automatically redirected to https.
If you enter http://www.facebook.com/ in the browser to log into Facebook you will be redirected to https://www.facebook.com/ automatically. The same is true for all other pages on Facebook under that address. Please note that a rule only covers the domain you entered and its subdomains, so you may have to add additional domains a service uses.
Update: Please note that you need to keep the pulldown menu below Forbid active web content unless it comes from a secure (HTTPS) connection set to Never, which is the default setting. Setting it to Always breaks sites that do not offer https.
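What the add-ons above do on every navigation is a simple rule: if the host of an http:// URL is on the force list and not on the never list, rewrite the scheme to https:// and keep everything else. The following is an added example in plain JavaScript, not code from the article, NoScript or HTTPS Everywhere; the domain lists, URLs and function names are made up for illustration. It also includes the check behind the note above, listing hosts a page load touched that the force list does not cover.

```javascript
// Added example, not code from the article, NoScript or HTTPS Everywhere:
// the "force HTTPS for these sites" rule as a plain function, plus a check
// for hosts the rule does not cover. Lists and URLs are constructed.

// Does `host` fall under the rule `ruleHost`? A rule for "facebook.com"
// covers "www.facebook.com" and "m.facebook.com" but not "notfacebook.com".
function hostMatches(host, ruleHost) {
  host = host.toLowerCase();
  ruleHost = ruleHost.toLowerCase();
  return host === ruleHost || host.endsWith('.' + ruleHost);
}

// Rewrite an http:// URL to https:// when its host is on the force list and
// not on the never list. Path, query and fragment are kept; a non-default
// port is kept too, since the https service may not listen on 443 there.
// Anything that is not an absolute http:// URL is returned unchanged.
function forceHttps(urlString, forceList, neverList = []) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return urlString;            // relative or malformed: nothing to rewrite
  }
  if (url.protocol !== 'http:') return urlString;
  const host = url.hostname;
  if (neverList.some(rule => hostMatches(host, rule))) return urlString;
  if (!forceList.some(rule => hostMatches(host, rule))) return urlString;
  url.protocol = 'https:';
  return url.href;
}

// Hosts fetched over plain http that NO force rule covers. A rule for
// facebook.com says nothing about a separate CDN or API host a service
// uses, which is why extra domains may have to be added to the list.
function uncoveredHosts(urls, forceList) {
  const uncovered = new Set();
  for (const u of urls) {
    let url;
    try { url = new URL(u); } catch (e) { continue; }
    if (url.protocol !== 'http:') continue;
    if (!forceList.some(rule => hostMatches(url.hostname, rule))) {
      uncovered.add(url.hostname);
    }
  }
  return [...uncovered].sort();
}

// Usage with constructed data:
const force = ['facebook.com'];
const never = ['static.example-cdn.net'];
console.log(forceHttps('http://www.facebook.com/home.php?ref=nf#top', force, never));
// → https://www.facebook.com/home.php?ref=nf#top
console.log(uncoveredHosts(['http://www.facebook.com/', 'http://cdn.example.net/a.js'], force));
// → [ 'cdn.example.net' ]
```

The rewrite happens before the request is made, which is the property that matters: an extension that loads the http page first and redirects afterwards (see the Opera note further down) has already sent the unencrypted request and any cookies with it.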
If you don't want to use NoScript you can use HTTPS Everywhere instead which offers similar functionality.
Google Chrome
As far as I know, there is no comparable solution for the Google Chrome browser. There are, however, a few alternatives. The first is explained in the article Use Google Chrome For Secure Web Browsing: Chrome has a startup parameter called --force-https, and if you start Chrome with that parameter only https connections are allowed. The downside is that this makes the majority of websites inaccessible.
Chrome does have a few extensions that force SSL for specific sites; an extension for Facebook is available, for instance.
Update: Use HTTPS is a Chrome extension that can be used to configure specific sites to always use HTTPS connections.
Update 2: You can also install HTTPS Everywhere, an excellent Chrome extension that forces HTTPS connections.
Opera
Opera 11 alpha, which was released recently, supports extensions. One of the extensions available for the web browser is Security Enhancer. It forces https connections on a few sites, including Twitter and several Google services. The extension currently has a bug where the http page is fully loaded before the redirect to the https page, so the unencrypted request still goes out. There is also no option to add other sites to the list.
Still, considering that it is an early version, there is hope that the developer continues to improve the extension, resolves the bug and adds customization.
Update: If you are using the new Opera browser, install HTTPS Everywhere for it instead. The extension adds the same functionality.
Internet Explorer
There is a user script for Internet Explorer to force https on Facebook, but that is it. There does not seem to be another option.
Firefox and Google Chrome benefit immensely from add-ons and extensions. In this case they are the only two browsers with options to force https connections on custom websites. Opera will eventually get an extension that adds this functionality as well.
Update: The script is not available anymore.
Did I miss an option? Let me know in the comments.
I'm honestly not sure DoggyDude96a knows what he/she is talking about.
His metaphors do not seem to be applicable at all, but he/she sure does not put in any technical stuff, which makes me wonder if he even knows any technical stuff or more just repeated what somebody once told him.
DoggyDude96a, I sincerely hope that the 96 in your username is your YOB, because if you happen to be an *IT EXPERT* as you have signed off.. I wouldn't cry a tear for the company you work for or the person who mentored you!! They do deserve what they have bargained for.
The whole premise of using HTTPS is to make sure that no 3rd party without a motherload of snooping prowess can ever snoop into the data that's spewing forth from your device while connecting to the server at the other end.
When you do grow up and have a bank account you will realize that you would rather have the bank see your login credentials, not the guy sipping coffee, sitting across from you in Starbucks. Now think of email instead of the bank login credentials, and you will, in future, when you do grow up, realize that information is at least as important and expensive as the money in your bank account.
sig: NotanExpertJustaUser
I WORK for Banks (Banks plural)! If you, "NotanExpertJustAUser", were to read my post you would understand what it's explaining.
If you commit to (or force) HTTPS for your search results you're ensuring that the search provider (or whatever destination) can tie those results and the search phrases to your consuming machine, just as HTTPS was designed to do (and yes, it also reduces the attack footprint to a man-in-the-middle attack). When you're using HTTPS to access your Bank, however, you're, hopefully, WANTING the bank to be damn sure it's you and, if it's someone else, to be able to track and trace them.
So, like I say, weigh up what is more important. Is it more important that no one (outside the destination) can snoop your searches and results (HTTPS), in exchange for the destination profiling your every activity and assembling a highly profitable marketing database of YOUR specific data used to target ads and more search results to you, OR is it nicer to be an unidentifiable face in a festival crowd (HTTP), where others MIGHT witness your attendance, or snap off a photo, but no one is guaranteed to know you're there nor to try and generally sell the fact you attended for their profit.
Use protocols appropriately. If it's something which needs to be secure, like a Bank transaction, don't allow HTTP. If it's just your personal search because you love some pop star, use HTTP, unless you want targeted ads and custom results based on anything and everything you type (and yes, it's still possible for people to track you in HTTP, it's just a lot harder to be certain).
lol this "DoggyDude96a" guy, what a moron. You really have no idea how internet protocols work.
HTTPS is secure. Secure = Traceable = Tracked.
If you use HTTPS you're giving the destination your full trust.
People, in their concern for imagined or casual spying, instead surrendered the keys to their house to websites by using HTTPS. There is no contention that HTTPS is more secure; it does greatly decrease the chance of the content of your traffic being intercepted. Ask yourself, though, what are you more concerned about:
1) Google profiling you for THEIR profit (e.g. reselling legally anything you submit to them / do with them). If you use HTTPS Google can not only tie information down to you but also accurately down to your machine (and if you log in to Google, to your online profile, which will be linked to the machine). So, they have more than sufficient information to tie you down.
or
2) Some random stranger who doesn’t know who is really using that unidentifiable computer out there in the cloud.
If you're using HTTP, yes, your traffic is unencrypted, but typically (if you use In-Private browsing modes or a proxy server) all your traffic is only linked against your IP address, which might potentially be shared with 10s of others.
Wake up Neo! Don't support public servers enabling HTTPS to better track and sell your information (and prevent competitors using the information). Just browse anonymously and let anyone use the information.
sig. An.. IT expert.
Thanks for this, the Use HTTPS for Chrome has proven to be very helpful.
Chrome extension is available at http://bit.ly/https-evr
I don't know why it's not already default in innovative browsers like Chrome, FF and Opera that SSL is enforced whenever possible.
It would be a huge plus in security, and since it's a security issue, it shouldn't be handled by extensions and the like.
Maybe an integrated SSL enforcement could be a door for exploits?
Anyway, an extension most likely will be that, and since the guy who wrote NoScript did something evil (I forgot what exactly but you can just google it) I don’t trust him or his software anymore, and I don’t want any extension that is in control of my security options.
Dunno about FF and Chrome, but when I enter https in the URL of a site that doesn't support SSL it just loads the normal http version.
So it shouldn't be an issue to have it try SSL first, or at least have that as an option.
I couldn’t tell a delay in loading…
I want to force Adsense to go through HTTPS
https://chrome.google.com/extensions/detail/hgnokomidnmbklcnmongappmfklabemf?hl=en
Works for all sites that have https, just add them to the list.
Great blog! I genuinely love how it is easy on my eyes as well as the details are well written. I am wondering how I can be notified whenever a new post has been made. I have subscribed to your RSS feed, which should do the trick! Have a nice day!
KB SSL Enforcer is a great extension for Chrome. It will try https over http everywhere you go, keeps a whitelist of where it works, and a blacklist of places it doesn't.
If you change the setting from Never to Always it will screw up your visit to some sites. Also, adding sites one-by-one isn't really the answer.
I know that always will screw up some sites. I did activate it as a test though.
Google Chrome also has the Fidelio extension:
Forces secure connections and secure cookies on sites specified by the user in the options page.
By default twitter.com and facebook.com are enabled.
The method used means that there is no cookie leak in the initial HTTP request, since cookies are re-written with the secure flag set.
http://github.com/nikcub/fidelio#readme
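The cookie point in the comment above is the one that matters most against Firesheep: a session cookie set without the Secure attribute is still attached to the very first http:// request, before any redirect to https happens, so a sniffer on the same network gets it. The following is an added example in plain JavaScript, not code from the article or from Fidelio; it rewrites Set-Cookie headers to carry the Secure flag and shows which cookies a browser would still send over plain http. Cookie names, values and function names are constructed for illustration.

```javascript
// Added example, not code from the article or from Fidelio: rewriting
// Set-Cookie so the session cookie never travels over plain http, and a
// check of what would leak without it. Headers below are constructed.

// Parse one Set-Cookie header into name, value and the Secure flag.
function parseSetCookie(header) {
  const parts = header.split(';').map(p => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  return {
    name: eq >= 0 ? parts[0].slice(0, eq) : parts[0],
    value: eq >= 0 ? parts[0].slice(eq + 1) : '',
    secure: parts.slice(1).some(p => p.toLowerCase() === 'secure'),
  };
}

// Return the header with "Secure" appended when it is missing; a header
// that already carries the flag is returned unchanged. Other attributes
// (Path, Expires, HttpOnly, ...) are left exactly as the server sent them.
function addSecureFlag(header) {
  if (parseSetCookie(header).secure) return header;
  return header.replace(/;?\s*$/, '') + '; Secure';
}

// Names of the cookies a browser would send on a plain http:// request
// to the same site: everything that lacks the Secure flag.
function leakedOverHttp(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter(c => !c.secure)
    .map(c => c.name);
}

// Usage with constructed headers as a server might send them after login:
const fromServer = [
  'sid=9f2c4e1a7b; Path=/; HttpOnly',   // the session cookie a sniffer wants
  'lang=en; Path=/',
];
console.log(leakedOverHttp(fromServer));                    // → [ 'sid', 'lang' ]
console.log(leakedOverHttp(fromServer.map(addSecureFlag))); // → []
```

The flip side is the same breakage the Always setting causes in NoScript: a Secure cookie is never sent over http, so every page that needs the login must actually be served over https, or the user appears logged out there.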
Yes, you did miss an option for Windows (no need for a browser add-on):
FireShepherd
Firesheep. Created to demonstrate our vulnerability on public wireless networks, but still a viable way for prying eyes to assume your identity. Enter FireShepherd, a Windows application that jams Firesheep to keep your browsing private.
FireShepherd is a tiny program that will work automatically once opened. Download it here. It operates simply—filling your current wireless network with benign junk data that tricks Firesheep into thinking it’s latched onto your personal info—and crashing it in the process.
So, it's simple. Logging in at the library? At Starbucks? Pop open FireShepherd and browse in (relative) safety.
http://gizmodo.com/5676841/how-to-keep-hackers-from-hijacking-your-accounts-with-firesheep?skyline=true&s=i
Well, that only works if the attacker is using Firesheep; if not, the program is useless.
HTTPS Everywhere for Firefox is probably the best option. I don’t like NoScript.
https://www.eff.org/https-everywhere
Writing facebook.com does not work, rather the site shows javascript is disabled. Anyway, if I type https://facebook.com then after login it redirects to http://facebook.com/home.php. Isn't it useless then?
sami, it works fine for me, maybe you have not enabled scripts for Facebook in NoScript?
Shouldn’t Mozilla ban Firesheep already?
Well, Firesheep is only one way of snooping on connections; there are others as well.