HTTPS Everywhere: ruleset updating without extension updates

Martin Brinkmann
Apr 4, 2018
Updated • Apr 4, 2018
Internet
|
16

A new version of the HTTPS Everywhere browser extension introduces a new feature that separates ruleset updates from extension updates.

HTTPS Everywhere is a security extension that is available for Firefox, Chrome, Opera and the Tor Browser. The extension enforces HTTPS connections on sites that support it to improve security and privacy.

We reviewed the first version of the extension released in 2010, and have followed it ever since.

Once installed, it checks whether any site the browser connects to is on the extension's ruleset file. If it is, HTTPS is enforced for the site.

The current version of HTTPS Everywhere includes a set of more than 23,000 rules for sites that support HTTPS.

Previously, the Electronic Frontier Foundation, makers of HTTPS Everywhere, had to release a new version of the extension whenever it wanted to distribute a new ruleset file. Even if the extension itself did not change at all, it had to be updated to distribute the new ruleset to all installations.

The process was impracticable for a number of reasons: a new version has to be created and uploaded to extension stores, extensions have to pass validation, and updates reach users only if they have not disabled extension updates.

The new system separates extension updates from ruleset updates similarly to how content blocker handle updating content blocking lists.

HTTPS Everywhere checks for ruleset updates periodically and downloads them if updates are available. Rulesets are signed by the EFF and verified using the Web Crypto API to make sure that they are legitimate before they are updated in the browser.

Users and administrators may disable the automatic updating of rulesets in the extension settings. Firefox users, for example, open about:addons in the browser, click on the options button next to HTTPS Everywhere, and remove the checkmark from "Auto-update rulesets" to do so.

The initial version of the feature transfers the entire ruleset file to the browser when updates happen. The EFF plans to improve the functionality so that only the changes between editions are transferred and not the entire ruleset file.

The new HTTPS Everywhere 2018.4.3 is available for download on all supported extension stores and as in-browser updates.

Now You: Do you use HTTPS Everywhere?

Summary
HTTPS Everywhere: ruleset updating without extension updates
Article Name
HTTPS Everywhere: ruleset updating without extension updates
Description
A new version of the HTTPS Everywhere browser extension introduces a new feature that separates ruleset updates from extension updates.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Tutorials & Tips


Previous Post: «
Next Post: «

Comments

  1. A different Martin said on April 5, 2018 at 9:50 pm
    Reply

    HTTPS Everywhere is no longer compatible with out-of-the-box Pale Moon, and its Pale Moon fork, Encrypted Web, is abandoned and not supported on Pale Moon 27+. You can supposedly install HTTPS Everywhere using the Moon Tester Tool … but the caveat that installing stuff that way might break your browser isn’t exactly encouraging. I’ll have to think about it … and I’ll definitely back up my profile before trying.

  2. ilev said on April 4, 2018 at 5:52 pm
    Reply

    On my Chrome 66.0.3359.66 (Official Build) beta (64-bit) HTTPS Everywhere conflicts with uBlock Origin with an extension error :

    This extension failed to redirect a network request to chrome-extension://cjpalhdlnbpafiamejdnhcphjbkeiagm/web_accessible_resources/d363525161c56887ceebe5e72ed4ef31.javascript?secret=hxmmial79o9g because another extension (HTTPS Everywhere) redirected it to https://c.amazon-adsystem.com/aax2/amzn_ads.js.

  3. lihberg said on April 4, 2018 at 3:18 pm
    Reply

    IMO HTTPS Everywhere is one of those add ons that made sense back in the early days of HTTPS nowadays however it is irelevant and offer little if any – false sense- of security & privacy, additionally it’s quite heavy on resources, not to mention that i’ve seen plenty of malware ridden sites with HTTPS encryption.

    1. beenfits said on April 5, 2018 at 5:07 pm
      Reply

      That’s definitely wrong, with HTTPS Everywhere you get the SAME benefits as if the site was setup with an HSTS preload (for sites that have HTTPS Everywhere rulesets), that means that you don’t even fetch over HTTP to begin with. (Also it has a speed advantage as you don’t waste time with the intial http-> https redirect, if it exists)

  4. Richard Allen said on April 4, 2018 at 1:49 pm
    Reply

    I personally don’t see the point of this extension anymore, definitely not in my case. Without breaking out a calculator, it looks to me like the websites I visit using https are easily in the mid to upper 90 percentile range. And the only interaction I have with any sites not using https is just viewing content. I don’t use my ISP’s DNS service so it they or a government entity wants to go through the hassle of sniffing packets to see the content they are welcome to it. Pervs. :)

    Not worth the resources it uses IMO, at least not here in the “Wild West”. Maybe in eastern Europe or Asia, I don’t know how prevalent the use of HTTPS is there. On AMO, looks to me like one quarter of one percent of all FF users are using HTTPS Everywhere. I would call that a niche product, just saying.

  5. Klaas Vaak said on April 4, 2018 at 12:37 pm
    Reply

    Is there any point in having this extension, considering that sites which have https let your browser connect as such? Sites that only have http cannot be forced by HTTPS Everywhere.

    1. Anonymous said on April 4, 2018 at 5:43 pm
      Reply

      Don’t believe in Jessica.
      There’s no point, unless the webmaster allows visitor to access the site via HTTP too.
      https://en.wikipedia.org/wiki/HTTPS_Everywhere

      1. Jessica said on April 4, 2018 at 8:02 pm
        Reply

        Don’t believe in me because of what? The first paragraph of the article on the wiki states exactly what I said, it’s only worded differently.

    2. Martin Brinkmann said on April 4, 2018 at 12:52 pm
      Reply

      Klaas, some sites support HTTP and HTTPS, for instance while they are in the process of migrating to HTTPS exclusivity.

      1. AAA said on April 7, 2018 at 8:33 pm
        Reply

        Hello Martin,

        I see that you too use uBlock origin. I was wondering if I need to install ‘WebRTC’ addon? Cuz, uBlock origin already has an option of blocking webrtc… let me know, please. :) Thank you.

      2. Klaas Vaak said on April 4, 2018 at 2:58 pm
        Reply

        OK Martin, thanks, HTTPS Everywhere then makes sense. I have reinstalled it.

    3. Jessica said on April 4, 2018 at 12:39 pm
      Reply

      Yes, because a site being accessible via HTTPS does not mean that it establishes the connection that way by default.

  6. TelV said on April 4, 2018 at 11:54 am
    Reply

    I’ve been using it ever since I can remember. But as I understand it, HTTPS Everywhere can’t convert a non-SSL site into a SSL. That’s probably why http://mozillazine.org/ remains unencrypted while https://mozillazine-fr.org/ is encrypted. I assume they’re both the same since they use the same logo banner at the top of their respective sites.

    1. iponymous said on April 5, 2018 at 12:47 am
      Reply

      Regarding
      Longevity of ghacks.net

      Ghacks Lovers there may be a Win Win Option to increase Support to the Ghacks website. I ask anyones opinion about it. Firefox has an addon

      A firefox addon that “Blocks ads Yet Supports the Websites You Visit*” designed to Obfuscate browsing Data and Protect users From Tracking by advertising networks

      https://addons.mozilla.org/en-US/firefox/addon/adnauseam/

      ps. I know there are people here that could validate(or not) this claim
      I for one Hope that it is really true, would be so great!!
      or
      nudge, nudge maybe martin could make his own ;)

      1. TelV said on April 4, 2018 at 12:46 pm
        Reply

        Odd that they should use the same banner ID at the top of the page then.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.