HTTPS Everywhere: ruleset updating without extension updates
A new version of the HTTPS Everywhere browser extension introduces a new feature that separates ruleset updates from extension updates.
HTTPS Everywhere is a security extension that is available for Firefox, Chrome, Opera and the Tor Browser. The extension enforces HTTPS connections on sites that support it to improve security and privacy.
We reviewed the first version of the extension released in 2010, and have followed it ever since.
Once installed, it checks whether any site the browser connects to is on the extension's ruleset file. If it is, HTTPS is enforced for the site.
The current version of HTTPS Everywhere includes a set of more than 23,000 rules for sites that support HTTPS.
Previously, the Electronic Frontier Foundation, makers of HTTPS Everywhere, had to release a new version of the extension whenever it wanted to distribute a new ruleset file. Even if the extension itself did not change at all, it had to be updated to distribute the new ruleset to all installations.
The process was impracticable for a number of reasons: a new version has to be created and uploaded to extension stores, extensions have to pass validation, and updates reach users only if they have not disabled extension updates.
The new system separates extension updates from ruleset updates, similar to how content blockers handle updates to their content-blocking lists.
HTTPS Everywhere checks for ruleset updates periodically and downloads them if updates are available. Rulesets are signed by the EFF and verified using the Web Crypto API to make sure that they are legitimate before they are updated in the browser.
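The verify-before-apply step described above can be sketched with the Web Crypto API; this is an added example, not the extension's or the EFF's own code. The signature algorithm (ECDSA P-256 with SHA-256), the JSON layout with a `timestamp` field, the newer-than-installed check and all function names are assumptions made for illustration.

```javascript
// Added example (hypothetical names, assumed formats): accept a ruleset update
// only if its signature verifies against a key pinned inside the extension.
const subtle = (globalThis.crypto || require("node:crypto").webcrypto).subtle;
const ALG = { name: "ECDSA", namedCurve: "P-256" }; // assumed algorithm
const SIG = { name: "ECDSA", hash: "SHA-256" };

// Import the publisher's public key that ships with the extension (SPKI bytes).
async function importPinnedKey(spkiBytes) {
  return subtle.importKey("spki", spkiBytes, ALG, false, ["verify"]);
}

// Returns the parsed ruleset only if the signature is valid over the exact
// downloaded bytes AND the update is newer than the installed edition.
async function acceptUpdate(pinnedKey, payloadBytes, signatureBytes, installedTimestamp) {
  const ok = await subtle.verify(SIG, pinnedKey, signatureBytes, payloadBytes);
  if (!ok) return { applied: false, reason: "bad-signature" };
  // Parse only after verification so unauthenticated data never reaches the parser.
  const update = JSON.parse(new TextDecoder().decode(payloadBytes));
  if (!(update.timestamp > installedTimestamp)) {
    // A validly signed but older file must not replace a newer ruleset.
    return { applied: false, reason: "not-newer" };
  }
  return { applied: true, rules: update.rules, timestamp: update.timestamp };
}

// Constructed demo: a throwaway key pair stands in for the publisher's key,
// and the payload below is sample data, not a real ruleset.
async function demo() {
  const pair = await subtle.generateKey(ALG, true, ["sign", "verify"]);
  const pinned = await importPinnedKey(await subtle.exportKey("spki", pair.publicKey));
  const payload = new TextEncoder().encode(JSON.stringify({
    timestamp: 1523000000,
    rules: [{ host: "example.com", from: "^http:", to: "https:" }],
  }));
  const sig = await subtle.sign(SIG, pair.privateKey, payload);

  const tampered = payload.slice();
  tampered[tampered.length - 2] ^= 1; // one bit changed after signing

  return {
    fresh: await acceptUpdate(pinned, payload, sig, 1520000000),
    tampered: await acceptUpdate(pinned, tampered, sig, 1520000000),
    replayed: await acceptUpdate(pinned, payload, sig, 1523000000),
  };
}
```

Because the ruleset is fetched separately from the store-reviewed extension package, this check is the only thing standing between a compromised download path and the rules that decide where requests are redirected.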
Users and administrators may disable the automatic updating of rulesets in the extension settings. Firefox users, for example, open about:addons in the browser, click on the options button next to HTTPS Everywhere, and remove the checkmark from "Auto-update rulesets" to do so.
The initial version of the feature transfers the entire ruleset file to the browser when updates happen. The EFF plans to improve the functionality so that only the changes between editions are transferred and not the entire ruleset file.
The new HTTPS Everywhere 2018.4.3 is available for download on all supported extension stores and as in-browser updates.
Now You: Do you use HTTPS Everywhere?
HTTPS Everywhere is no longer compatible with out-of-the-box Pale Moon, and its Pale Moon fork, Encrypted Web, is abandoned and not supported on Pale Moon 27+. You can supposedly install HTTPS Everywhere using the Moon Tester Tool … but the caveat that installing stuff that way might break your browser isn’t exactly encouraging. I’ll have to think about it … and I’ll definitely back up my profile before trying.
On my Chrome 66.0.3359.66 (Official Build) beta (64-bit) HTTPS Everywhere conflicts with uBlock Origin with an extension error:
This extension failed to redirect a network request to chrome-extension://cjpalhdlnbpafiamejdnhcphjbkeiagm/web_accessible_resources/d363525161c56887ceebe5e72ed4ef31.javascript?secret=hxmmial79o9g because another extension (HTTPS Everywhere) redirected it to https://c.amazon-adsystem.com/aax2/amzn_ads.js.
IMO HTTPS Everywhere is one of those add-ons that made sense back in the early days of HTTPS; nowadays, however, it is irrelevant and offers little if any – false sense – of security & privacy. Additionally, it’s quite heavy on resources, not to mention that I’ve seen plenty of malware-ridden sites with HTTPS encryption.
That’s definitely wrong, with HTTPS Everywhere you get the SAME benefits as if the site was set up with an HSTS preload (for sites that have HTTPS Everywhere rulesets), that means that you don’t even fetch over HTTP to begin with. (Also it has a speed advantage as you don’t waste time with the initial http -> https redirect, if it exists.)
I personally don’t see the point of this extension anymore, definitely not in my case. Without breaking out a calculator, it looks to me like the websites I visit using https are easily in the mid to upper 90 percentile range. And the only interaction I have with any sites not using https is just viewing content. I don’t use my ISP’s DNS service so if they or a government entity want to go through the hassle of sniffing packets to see the content they are welcome to it. Pervs. :)
Not worth the resources it uses IMO, at least not here in the “Wild West”. Maybe in eastern Europe or Asia, I don’t know how prevalent the use of HTTPS is there. On AMO, looks to me like one quarter of one percent of all FF users are using HTTPS Everywhere. I would call that a niche product, just saying.
Is there any point in having this extension, considering that sites which have https let your browser connect as such? Sites that only have http cannot be forced by HTTPS Everywhere.
Don’t believe in Jessica.
There’s no point, unless the webmaster allows visitors to access the site via HTTP too.
https://en.wikipedia.org/wiki/HTTPS_Everywhere
Don’t believe in me because of what? The first paragraph of the article on the wiki states exactly what I said, it’s only worded differently.
Klaas, some sites support HTTP and HTTPS, for instance while they are in the process of migrating to HTTPS exclusivity.
Hello Martin,
I see that you too use uBlock Origin. I was wondering if I need to install ‘WebRTC’ addon? Cuz, uBlock Origin already has an option of blocking WebRTC… let me know, please. :) Thank you.
OK Martin, thanks, HTTPS Everywhere then makes sense. I have reinstalled it.
Yes, because a site being accessible via HTTPS does not mean that it establishes the connection that way by default.
I’ve been using it ever since I can remember. But as I understand it, HTTPS Everywhere can’t convert a non-SSL site into a SSL. That’s probably why http://mozillazine.org/ remains unencrypted while https://mozillazine-fr.org/ is encrypted. I assume they’re both the same since they use the same logo banner at the top of their respective sites.
Regarding
Longevity of ghacks.net
Ghacks Lovers, there may be a Win Win Option to increase Support to the Ghacks website. I ask anyone’s opinion about it. Firefox has an addon
A Firefox addon that “Blocks ads Yet Supports the Websites You Visit*” designed to Obfuscate browsing Data and Protect users From Tracking by advertising networks
https://addons.mozilla.org/en-US/firefox/addon/adnauseam/
PS. I know there are people here that could validate (or not) this claim
I for one Hope that it is really true, would be so great!!
or
nudge, nudge maybe martin could make his own ;)
They are not the same.
https://whois.icann.org/en/lookup?name=mozillazine.org
https://whois.icann.org/en/lookup?name=mozillazine-fr.org
Odd that they should use the same banner ID at the top of the page then.