HTTPS Everywhere WebExtension for Firefox

Martin Brinkmann
Jun 1, 2017
Updated • Jun 25, 2017
Firefox, Firefox add-ons

HTTPS Everywhere is a popular cross-browser extension that you may use to enforce the use of HTTPS on websites that support it.

While the extension does nothing for sites that use only HTTP or HTTPS, it is designed for those sites that support both protocols but don't enforce one or the other on its users.

This can be the case when a site tests the HTTPS rollout for instance but has yet to make the full switch to the secure protocol.

HTTPS Everywhere for Firefox is available as a legacy add-on currently only which the EFF released in 2010. While it works well in the latest stable version of Firefox, it will stop working when Mozilla releases Firefox 57.

Firefox 57 is a major release that ships with fundamental changes. One of these changes is that Firefox won't support legacy add-ons anymore. Any add-on that is not a WebExtension will be disabled when you upgrade your copy of the browser to that version.

While some developers have stopped development of their extensions because of this, others are working on porting them to the WebExtensions system to offer continued support.

HTTPS Everywhere WebExtension for Firefox

https everywhere firefox webextension

HTTPS Everywhere will be made available as a WebExtension eventually. You can grab and install a test version of the WebExtension version from this web page.

The developers note that the extension is to be considered unstable right now. I did not notice any issues whatsoever however during or after installation in Firefox 53 Stable.

The page lists three extensions currently, two to test upgrades to WebExtensions, and one that is the latest version of the WebExtension version of HTTPS Everywhere.

The add-on itself looks like a copy of the Chrome version, as it features the same interface as the Chrome version of HTTPS Everywhere.

The WebExtension version offers three main features right now:

  1. Enable or disable HTTPS Everywhere.
  2. Block all unencrypted traffic.
  3. Create custom rules for the current page.

The rules interface supports adding a new rule quickly, or adding an advanced rule. If you pick the latter, you get full control over the rule (what gets redirected to HTTPS).

Comparison to legacy HTTPS Everywhere on Firefox

legacy https

The legacy add-on HTTPS Everywhere for Firefox supports additional features that neither the Chrome extension, nor the Firefox WebExtension version of the add-on support at this point in time.

The menu lists two additional options to reset all to the default values, and to check all rules (which redirects to the HTTPS Everywhere website).

What is more important however is that HTTPS Everywhere for Firefox may use the organization's SSL Observatory. This feature may warn you  about insecure connections or attacks on the browser, and may send copies of HTTPS certificates to the Observatory for analysis (detecting man in the middle attacks, improving web security).

Closing Words

HTTPS Everywhere as a WebExtension for Firefox supports the core functionality. You can add and edit rules for sites, and use the rules that the extension ships with by default.

It is obviously a good thing that HTTPS Everywhere will continue to work in Firefox 57 and beyond. No word yet on the stable release of the WebExtension version. We will update the article once it becomes available.

Now You: do you use HTTPS Everywhere, or a comparable extension?

HTTPS Everywhere WebExtension for Firefox
Article Name
HTTPS Everywhere WebExtension for Firefox
We take a look at the WebExtensions version of the popular Firefox add-on HTTPS Everywhere which will replace the legacy add-on this year.
Ghacks Technology News

Tutorials & Tips

Previous Post: «
Next Post: «


  1. Daniel said on June 2, 2017 at 10:37 pm

    I still don’t understand which one should I choose. Please help.

    1. Tom Hawack said on June 3, 2017 at 10:44 am

      I’ve just totally removed ‘HTTPS Everywhere’ legacy add-on, totally cleaned up Firefox from about:config remainings, removed as well the HTTPSEverywhereUserRules user profile’s subfolder, then installed https-everywhere-2017.6.1.1337-eff.xpi (Latest test WebExtensions version).

      I could not add a custom rule for a site not handled already by ‘HTTPS Everywhere’, the HTTPSEverywhereUserRules user profile’s subfolder was not created, I nevertheless pasted back that backuped folder but the custom rules it included were not handled by ‘HTTPS Everywhere’ Webextension.

      ‘HTTPS Everywhere’ in its Webextension version, as it is now (https-everywhere-2017.6.1.1337-eff.xp) may run fine on Firefox 53 but here on Firefox 52.1.2 ESR 64-bit / Windows 7, it is is conform to its stage : beta.

      Restored backuped profile with ‘HTTPS Everywhere’ legacy add-on. Considering Webextensions are not yet mandatory, considering ‘HTTPS Everywhere’ as a Webextension does not, here, appear as 100% functional, I’ll stick on to the reliable legacy version for the time being.

    2. Martin Brinkmann said on June 3, 2017 at 5:43 am

      You pick the WebExtensions version.

  2. CHEF-KOCH said on June 1, 2017 at 6:57 pm

    This addon is almost useless now because more and more websites/domains automatically redirecting to https (if available) on wordpress https is default now since this year. I don’t get it why people installing addons which not really having any benefit except that it spy’s on you, in this case it sends all analyzed websites back to their servers (can be opt-in/opt-out) [observatory] which makes it very easy to identify your surf behavior. When Ms connects to their services.msc to receive root certificate updates people complaining that would be spying but here .. nothing. It’s always surprising that people are one one side worried and on the other side they install addons which collects metadata.

    I stopped using https-everywhere years ago and I not feel more/less secure. Theoretically you need exactly the opposite addon https-nowhere. to ensure you always use https and work with a whitelist.

    1. said on June 6, 2017 at 11:47 am

      What CHEF-KOCH says


  3. Clairvaux said on June 1, 2017 at 4:15 pm

    I use HTTPS Everywhere. I’ve been told that it’s a basic brick of a privacy setup, so a no-brainer really. Also, it’s included in Tor, so it must be good.

    However, I have never understood how to adjust it. I can’t make any sense of its rules nor of its menu.

    The first item is Enable/Disable rules. What “rules” ? I thought HTTPS Everywhere forced websites to use HTTPS when they had it implemented. That’s one rule, so there are no “rules”. Either it works, or it doesn’t.

    Then there’s View All Rules. OK, so maybe I’ll find what those rules are after all. I click on that, and I’m led to a “HTTPS Everywhere Atlas” Web page, always the same, which says : “Are you a website operator ? Click on a letter or search below to see domain names of sites (beginning with that letter) that HTTPS Everywhere rules affect.” Well, I’m not a website operator, so I guess that’s not for me, and I’m not allowed to see the “rules”.

    Besides, you’re telling me that you can’t guess what site I’m on right now, so I have to search manually among millions of websites starting with G to find what are the current rules applied to ? Are you kidding me ?

    When I use No Script (and that’s a horribly complex, user-hostile add-on), I just need to right-click on the webpage I’m on to see what are the rules currently applied to that site. So why can’t you do the same on an add-on which is, on the face of it, much simpler inside ?

    Then I click on the HTTPS Everywhere icon in search of a Help menu, an Options menu, a Preferences menu, something that maybe would lead me to explanations, but there’s nothing of the sort.

    Then I look for HTTPS Everywhere in the Add-ons panel of Firefox, I see five lines of text that offer no help of any sort — contrary to many add-ons which have detailed explanations there. There’s an Options button, so I click on that, and a totally unhelpful window opens which wants me to agree to have some info sent to some people. This is a privacy add-on and I’m a privacy-oriented user, so the answer is hell, no, stop bugging me with stupid requests. And still no Help button.

    Then I notice in the Add-ons panel a link to EFF website (not saying : go there to find some help), so I click on it., and it does lead to a FAQ about the add-on. Apparently the geniuses behind HTTPS Everywhere did not find it useful to stick a link to EFF online help in the add-on menu — that would have been too simple, too obvious. And there are about 50 of them — geniuses, I mean — credited in the About menu option ; they did not forget this one.

    So I try to use the online FAQ of HTTPS Everywhere, and navigate to “What do the different colors for rulesets in the Firefox toolbar menu mean ?”, which is the ONLY general item vaguely related to those blasted “rules” HTTPS Everywhere is serenading to me about, but obstinately refuses to tell me what they are.

    Then I stumble upon this extremely illuminating morsel :

    “Dark Green: ruleset was active in loading the resources in the current page. Light Green: …”

    How am I supposed to know what dark green and light green are, if you don’t even show me a sample of both ? You stupid, drooling “privacy activist” ? If, at least, you had selected green and yellow, the difference would have been obvious. But dark green and light green ?

    Then I go on to discover this :

    “Light Green : ruleset was ready to prevent HTTP loads in the current page, but everything that the ruleset would have covered was loaded over HTTPS anyway (in the code, light green is called a “moot rule”).”

    What ?!? What does that even mean ? And how on earth does it help me understand the concept and usefulness of “rules” in HTTPS Everywhere, which is the first item in the add-on menu ? What can I do with those rules, what should I do with them in order to be better protected, how are they useful to me, how would I use them ? That’s what I want to know.

    Then I find there’s a chapter named “HTTPS Everywhere Rulesets”. Aha. So there’s the explanation coming. It says :

    “This page describes how to write rulesets for HTTPS Everywhere…”

    I DON’T WANT TO WRITE RULESETS, YOU DUMMY ! I’m not a developer, I’m a user ! You write the program, and I use it ! I click on things, but YOU are supposed to write them !

    And then we have :

    “A ruleset is an XML file describing behavior for a site or group of sites. A ruleset contains one or more rules. For example, here is RabbitMQ.xml…”

    At which point, I quit trying to understand anything at all about HTTPS Everywhere beyond simply running it, after maybe one hundred attempts.

    And please remember that’s an add-on developed by EFF, which is supposed to explain privacy and security to the masses — not to some Linux geeks lacking social skills and taking a shower only when there’s a new Firefox version. So I do have to agree with Tom Hawack when he says : “I believe it is more in terms of its social and political action then throughout its applications which don’t correspond — to what I’ve been told and may possibly confirm as a simple user — to a coding expertise.”

    At the very least, those people don’t have the slightest idea of what a user interface is. The only other EFF add-on I’ve used is Privacy Badger, which I uninstalled because it broke too many sites and wasn’t obvious to use at all.

    1. Charlie said on June 1, 2017 at 8:02 pm

      Actually Clairvaux’s write-up is one of the best critiques of programming that I’ve read anywhere. He/she nailed it.
      And I use Privacy Badger – but I have had to disable it for several web sites that I’ve visited.

    2. Tom Hawack said on June 1, 2017 at 5:43 pm

      ‘Enable/Disable rules’ is simply the possibility to disable one of the sites listed after by clicking on it in order to have that site disable in HTTPS Everywhere’s list. That rule will be recorded in the user’s about:config in extensions.https_everywhere.rule_toggle.[RULE] so typing extensions.https_everywhere.rule_toggle. is a good way to have a quick look on disabled rules. Note that re-enabling a disabled rule won’t remove it from about:config but only set it from false to true, but resetting it manually in about:config will remove it => a rule set to true is the same as no rule in

      As for the Atlas I guess it’s first purpose is to inform the user on a given site’s https abilities more particularly when the user is surprised to not have a site appear in https and wondering if he should set a rule himself : several/many sites may be https-ready on the home-page but not included by HTTPS Everywhere because setting the whole site to https would have issues with other pages …

      As for the toolbar icons, because I have color problems, because generally speaking many add-ons (HTTPS Everywhere included) propose lousy icons, I then set a css file to replace thel with my owns, i.e. for HTTPS Everywhere :

      #https-everywhere-button[state=”inactive”] .toolbarbutton-icon {list-style-image: url(file:///g:/FF.MICHEL/chrome/Icons/HTTPSEVERYWHERE_icon-inactive.png)!important;}
      #https-everywhere-button[state=”active”] .toolbarbutton-icon {list-style-image: url(file:///g:/FF.MICHEL/chrome/Icons/HTTPSEVERYWHERE_icon-active.png)!important;}
      #https-everywhere-button[state=”disabled”] .toolbarbutton-icon {list-style-image: url(file:///g:/FF.MICHEL/chrome/Icons/HTTPSEVERYWHERE_icon-disabled.png)!important;}
      #https-everywhere-button[state=”blocking”] .toolbarbutton-icon {list-style-image: url(file:///g:/FF.MICHEL/chrome/Icons/HTTPSEVERYWHERE_icon-blocking.png)!important;}
      #https-everywhere-button .toolbarbutton-icon {padding:0 !important;}
      #https-everywhere-button #rscounter {display: none !important;}

      That way I see nice, obvious icons. Can anyone imagine a cockpit or a nuclear plant control room with fantasy buttons? Same with toolbar icons : they need to be explicit, clear, obvious, especially when, as me, your browser has many of them.

  4. The dude said on June 1, 2017 at 2:11 pm

    Where is he? Where is he?
    How come he don’t have his say on this article?

  5. Tom Hawack said on June 1, 2017 at 2:04 pm

    This article reminding me ‘HTTPS Everywhere’ when, as I mentioned above, I had replaced it with ‘Smart HTTPS’, just brought to my attention something I had in mind for some time and never checked : ‘Smart HTTPS’ will indeed always open a site via https and revert to http if https is refused, but what about external calls?

    I tested an http-only site ( which calls, and Theses 3 sites are accessible via https but calls them via http.

    Running ‘Smart HTTPS’ the three called sites are not called via https, which means that ‘Smart HTTPS’ does not handle “called sites” (external sites/cross-sites, whatever you call them). I’ve removed ‘Smart HTTPS’ and installed ‘HTTPS Everywhere’ latest version 5.2.17, then opened above mentioned, and this time all 3 https-ready were called via https.

    This is important I think. It means that ‘Smart HTTPS’ does not handle cross-sites when ‘HTTPS Everywhere’ does.
    So it is. Wouldn’t have been this article I may very well not (never) have checked this possible issue. Should it be for this only I believe I’ll switch back to ‘HTTPS Everywhere’, that is keep it installed.

    The idea is : it’s not because a site is http only that we shouldn’t consider the advantage of having sites called be called via https when available, and ‘HTTPS Everywhere’ handles those as well.

    1. Tom Hawack said on June 1, 2017 at 2:25 pm

      I’m editing my post, not schizophrenic! … The RAM issue with ‘HTTPS Everywhere’ here on Firefox 52.1.2 ESR 64-BIT / Windows 7 : after having uninstalled ‘Smart HTTPS’, cleaned up all, Task Manager showed that Firefox occupied 265MB at start of course — After installing ‘HTTPS Everywhere’ Firefox at start took 332MB hence +37MB. Start-up time is maybe a tiny bit slower, not sure, just a feeling … but if so hardly noticeable.

      1. Grrrrrr said on June 1, 2017 at 7:48 pm

        Damnit, that ad was not caught by uBlock!

        Another reason 3rd-party resources like and similar should go through HTTPS is that they are among the most likely resources to be tampered with by an adversary, since they are loaded by a great many sites.

        Personally I just run uBlock in hard mode for my main solo profile, so third parties are of little concern. I wouldn’t go that far for guests though.

      2. Tom Hawack said on June 1, 2017 at 3:50 pm

        @Richard Allen, +67 or 295 instead of 265…. the answer after this ad break …
        … 295MB which raised to 332MN with HTTPS Everywhere :) better brains than typing aptitude, obviously :)

      3. Richard Allen said on June 1, 2017 at 3:29 pm

        332MB minus 265Mb =? 67MB? The Shame. The Horror. ;)

  6. TelV said on June 1, 2017 at 12:55 pm

    I created a new Firefox profile last week due to some issues with the old one and completely forgot to reinstall HTTPS.

    I’ve done that now, but don’t see the same type of dropdown menu you have in your screenshot Martin. The one I have doesn’t have any boxes which can be checkmarked and is difficult to see which sites it’s been enabled for at first glance. Here’s a screenshot of it:

    I had to click several times to turn it green which I presume means it’s been enabled for your site now.

  7. Nebulus said on June 1, 2017 at 12:19 pm

    In a normal usage scenario, I don’t see the need for HTTPS on a regular site (one that doesn’t use login info or other kind of sensitive information). As a result an extension like HTTPS Everywhere is not useful for me so I do not use it.

    1. George W. Tree said on June 1, 2017 at 1:22 pm

      Safeguard against man-in-the-middle attacks, a scenario that used to be unrealistic, but not any more. I think US and UK have mass scale sniffing in place, which is a type of passive man-in-the-middle, but HTTP makes active MITM just a matter of political decision made by countries through which your traffic goes.

      I don’t force HTTPS through an extension yet but I’m starting to seriously consider it. For now I’m letting Mozilla and Google slowly force HTTPS by default on everyone, this way no extension needed. But the info war and cyber war, and related laws in general have gotten worse in the last year or two, so maybe I won’t wait.

  8. Richard Allen said on June 1, 2017 at 11:08 am

    Installed on FF ESR with e10s enabled, processCount set to 2. No problems with functionality but I was really hoping for a reduction in memory use and less of an effect on browser startup time. I didn’t check the page load times but times seem slower and I’m positive bandwith is not an issue on my end. I’ve always wanted to be able to use HTTPS Everywhere but it just sucks the life out of browser performance. Browser startup is 1 to 1.5 seconds slower. Open the browser with one tab (StartPage) and memory use is 122% higher. 588MB vs 265MB without the extension. Seriously? Six tabs 93% higher. 691MB vs 358MB without. Sure, I’ve got enough memory to deal with it but what is going on?
    Win7 Pro, Intel Core i-5 @ 3.2-3.4GHz, 16GB ram, Sandisk Extreme Pro ssd.

    1. Tom Hawack said on June 1, 2017 at 11:56 am

      This is a mystery. I’ve read users having experienced the same issues as you (start-up time, RAM) and others (myself included when I was using ‘HTTPS Everywhere’) who would report no extra start-up delay and not even an extra 100MB, as Martin noted, when personally RAM would raise here but by 20MB or so.

      This is really strange and after so many years I still don’t know how so different results can appear. What I can say, for what it’s worth, is that I don’t use disk cache and that I’ve set memory cache to 1GB (that’s Giga indeed). I have my Firefox profile set on a RAM disk occupying 160MB out of an 8GB system RAM. This is for basic info because from there on I see no obvious relationship. Frankly, I remain puzzled.

      But, Richard, maybe your Firefox browser would be better fitted with the ‘Smart HTTPS revived’ I mentioned above, at least you’d be sure of no extra start-up & RAM issues.

      1. Tom Hawack said on June 1, 2017 at 3:39 pm

        @Richard Allen, you’re certainly far more aware than I am considering your ease with technical matters, explicit. Moreover your system is more powerful than mine not to mention twice as much RAM. Side-note : I guess we all experience the fact that more we have, less we have to struggle for and less we take the time to dig into those more or less internal settings which can bring a lower system sometimes close to a higher one when not optimized :) I’ve even been told that this very scheme has let human beings emancipate from their ancestors!

        Let’s do it!

      2. Richard Allen said on June 1, 2017 at 3:22 pm

        Out of curiosity I installed HTTPS Everywhere in Nightly, default processCount. Separate profiles. Prior to install had 6 extensions, 4 of which are legacy. 1 tab memory had an increase of 87MB, with 6 tabs memory increased by 68MB. Zero impact on browser startup time. Whoop whoop! I use most of the about:config modifications in Nightly that are used in FF ESR. So… I’m thinking the 320+MB increase seen in FF ESR could be an incompatibility with another add-on or combination thereof. Who knows.

        I’m not going to worry about man-in-the-middle attacks, packet sniffing aka DPI (Deep Packet Inspection). When I get to that point I’ll start using a VPN. In the last year a lot of the websites I frequent have moved to https and it will only get better. Uninstalled HTTPS Everywhere from FF and Nightly.

        A last thought for anyone that wants to experiment. I always, always make a copy of my profile folder when taking new add-ons for a test-drive. If it doesn’t work out, for whatever reason, I can then replace the profile folder with the original. I’m slow, it took me a few years to figure that out. ;)

        @Tom Hawack
        Appreciate the input. For disk cache I use 150MB and it probably gets wiped ‘at least’ once a week and memory cache I don’t worry about. I find the use of a ram disk very interesting but I’m much too lazy to move beyond the research I’ve done. With a decent four-core processor and a fast ssd everything for me works Very fast as it is. Maybe in the future when I get bored. ;)

      3. George W. Tree said on June 1, 2017 at 1:13 pm

        The extra-RAM thing did not surprise me until you said there was no increase for some people. List-based add-ons like ad blockers necessarily add to the memory footprint. If some people get low RAM increase maybe HTTPS Everywhere has different modes where it uses various amounts of rules ? I wouldn’t know since I don’t use it.

        For Smart HTTPS, non-list based may or may not provide as good of a security. I remember back in the day that EFF decided against this solution and could not avoid building a list, which is much more inconvenient for them to maintain. Reason was that for some sites you can’t simply add an S to the HTTP to get secure, even when the site appears to load fine. At the time, Google was a good example where did not have the level of security and confidentiality of, an URL that AI-based add-ons would not catch. Maybe Smart HTTPS developer made a comment to address this point, I’d be curious to know.

    2. Martin Brinkmann said on June 1, 2017 at 11:20 am

      You are right, the extension adds quite a bit of memory use to Firefox. About 100 Megabyte in my case with all other factors remaining the same.

      1. Richard Allen said on June 1, 2017 at 11:35 am

        I’ve tried HTTPS Everywhere a few times over the years and the increase in memory use has always been Very high. I haven’t figured out why but something in my configuration just doesn’t agree with it. I use 15 extensions and most of those I’ve used for years. The only add-on I use that does anything to network requests is uBO. Maybe something in my about:config. If I ‘only’ saw a 100MB increase in memory use I would use it. ;)

  9. wybo said on June 1, 2017 at 10:43 am

    I have used HTTPS Everywhere quite a while now. I just downloaded it from the EFF site. Happy with it and I am glad that a webextensions version is released.

  10. Tom Hawack said on June 1, 2017 at 10:26 am

    I had switched from ‘HTTPS Everywhere’ to ‘Smart HTTPS’ and it runs fine. I’m using in fact the ‘Smart HTTPS (revived)’ Firefox add-on which is both a Webextension and e10 compatible. Fast and won’t miss one single https provided of course the site supports it. It’s smart indeed because it doesn’t rely on a list but simply on the site’s support of https. Moreover, generally speaking and this is my very personal opinion, if EFF is a major actor of users’ privacy and security I believe it is more in terms of its social and political action then throughout its applications which don’t correspond — to what I’ve been told and may possibly confirm as a simple user — to a coding expertise.

    1. jasray said on June 1, 2017 at 3:12 pm

      Yes, I noticed one day that “HTTPS Everywhere” wasn’t enforcing the https:// protocol on sites that may open with the simple http:// which is what I thought the extension was supposed to do–open all sites in https://. Found “Smart HTTPS” and installed. Now all sites open in https:// [or at least the ones I noticed were opening regular http://]. Maybe I don’t understand the add-on, but the idea of an add-on named “HTTPS Everywhere” conveys to a user that with the add-on installed, one can be assured that sites will open https://.

      1. Tom Hawack said on June 1, 2017 at 4:51 pm

        @jasray, true, but,

        1- https-ready sites not handled by ‘HTTPS Everywhere’ (not in its list) can be added manuall by the user with a simple rule set as an xml file in the dedicated ‘HTTPSEverywhereUserRules’ sub-folder in the user’s profile;

        2- ‘Smart HTTPS’ doesn’t handle external calls, as I mentioned after my above comment.

        This is quasi live and moreover such as consequent when the whole article gets one to modify his approach given his reconsideration of his own settings, as myself.

        Considering my u-turn regarding ‘Smart HTTPS’ verses ‘HTTPS Everywhere’ detailed after my above comment, it appears that when I mentioned EFF as better qualified for political action than for coding… I was totally wrong! That’s my little smiling joke to bypass my embarassment :)

  11. Mike S. said on June 1, 2017 at 8:38 am

    I tried it a few days ago. I literally had to manually refresh every new link/tab to get the desired page to show. Obviously, I removed it post-haste.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.