HTTPS Everywhere to use DuckDuckGo's Smarter Encryption before reaching End of Life
HTTPS Everywhere by the EFF will switch from using its own rulesets to using rulesets provided by DuckDuckGo's Smarter Encryption technology exclusively.
The browser extension was released in 2010 to switch to encrypted (HTTPS) connections if possible. The extension would try to upgrade connections when users entered domain names, used HTTP, or clicked on HTTP links in the browser.
The extension was upgraded throughout the years, e.g. an update in 2012 introduced weak encryption warnings, another in 2015 added thousands of new sites.
The main idea behind the extension was to improve security by upgrading connections to HTTPS. A list with rulesets was used by the extension up until now for the purpose.
A blog post on the EFF's Deeplinks site reveals that HTTPS Everywhere will switch to the rulesets of DuckDuckGo's Smart Encryption feature before it will reach End of Life eventually.
Smarter Encryption uses an automated approach for building its rulesets, and that sets it apart from the HTTPS Everywhere way of manually adding rules. Since it covers more sites, it will upgrade more connections to HTTPS when used.
The EFF published a plan to phase out HTTPS Everywhere rulesets. The main takeaway is that its rulesets will be retired in late 2021 to give partners and downstream channels enough adjusting time. DuckDuckGo's rulesets are supported in the latest version already.
More serious than the switching to the different rulesets is that the EFF has plans to retire HTTPS Everywhere eventually. A date has not been determined yet according to the makers, but it won't be announced before the old rulesets are retired.
Why is HTTPS Everywhere being retired?
The web is moving towards HTTPS-only rapidly, but this is only part off the reason. The main arguments for the decision are the following ones:
- DuckDuckGo's Smarter Encryption supports more domains than the HTTPS Everywhere model.
- Firefox supports an HTTPS-Only mode.
- Chrome starts to redirects requests to HTTPS first when typed in the address bar.
- Mixed content is blocked in major browsers.
- The use of different domains for HTTPS content is used less and less on the web.
- Chrome's Manifest V3 has a rulesets cap, and the EFF does not want to "create confusion for users on "who to choose" when it comes to getting the best coverage.
- Users may switch to DuckDuckGo's Privacy Essentials or a browser that supports HTTPS-Only mode once HTTPS Everywhere is retired.
Closing Words
HTTPS Everywhere remains available throughout 2021 at the very least. While the old ruleset will be turned off eventually, it will be replaced by another that may do its job even better. Eventually, HTTPS Everywhere will be retired. Users may switch to Firefox's excellent HTTPS-Only mode then, which tries HTTPS first always but comes with prompts to downgrade the connection if HTTPS is not working, or DuckDuckGo's Privacy Essentials extension.
Now You: do you use HTTPS Everywhere?
Goodbye HTTPS Everywhere for the users want to be HTTPS for all times, not all eveyone (in the personal websites) to switch HTTPS with HTTPS Everywhere and also out of HTTPS Everywhere (such as HTTPS-only), this function was often useless and did not opportunity since some websites has been HTTPS for permanently or do not using HTTPS for the time (i’ve mean stay on HTTP) until HTTP fully diminished 100% but detrimental for all users despite cyber attacks was ongoing here.
encrypting the utopia ecosystem will be smarter…
I’ve used HTTPS Everywhere primarily, sometimes replacing it with other (similar) extensions such as HTTPZ and Smart HTTPS. As the web has evolved towards an HTTPS-first model over the last few years, I feel that HTTPS-E has outlived its purpose. With Chromium switching to HTTPS-first requests, I agree that there is not much point in keeping the project alive. I don’t know what benefits DDG’s solution brings, but I dislike that their extension does loads of different (and – imho – unnecessary) things. Also, I don’t know whether their solution leaks an initial HTTP request before switching to HTTPS – which is the scenario HTTPS-E originally set out to resolve. Ultimately, I no longer feel that I need these extensions.
I don’t understand why the EFF would direct users to the Duckduckgo extension which is from ad business people and does lots of things in addition to what HTTPS-Everywhere did.
And contrary to the EFF extension, DDG “Smarter Encryption” leaks partial browsing data to DDG only protected by “k-anonymization” just like Google safebrowsing. I am curious of how the Tor group will choose to replace it.
https://help.duckduckgo.com/duckduckgo-help-pages/privacy/smarter-encryption/
DDG’s the default search engine for the Tor Browser which uses https first anyway if a site supports it, otherwise falls back to http and still connects. I’m not exactly sure what https everywhere gives Tor Browser today. No Script, the other standard extension, does a lot.
Stopped using HTTPS Everywhere, as browsers effectively block HTTP anyway, forcing manual intervention to continue.
I have used HTTPS Everywhere for years with satisfaction. I thought it provided a needed service then as it does now.
It seems that most browsers are coalescing toward a similar functionality, but each with unique characteristics. This makes it difficult to choose a “best” browser since a user’s wants vary depending on usage and URL characteristics.
Whatever allows for fewer apps and addons makes for better browsing.
Yes, I do use HTTPS Everywhere. It is the 1st add-on I do install in any browser I am using.
My default browser Firefox has indeed already the HTTPS Always mode, though not as default, yet.
>> Now You: do you use HTTPS Everywhere?
Yes, Brave has it as a component.
Brave’s team is also looking forward to an approach once EFF do the changes explained in your article.
> https://github.com/brave/brave-browser/issues/14442
Brave browser is slow and not secure, just use Firefox fast nice good browser bro secure privacy
> Brave browser is slow
Nope: https://www.youtube.com/watch?v=op7ge8EoQmo
> and not secure
But still more secure than your * [Editor:removed]: https://old.reddit.com/r/privacy/comments/ghz4mp/is_firefox_better_than_google/fqbtgow/
> just use Firefox
No.
> privacy
I sure as heck hope you are not referring to the default state of Firefox, my main man.
> It shares your location and download hashes with Google. it uses Google Analytics internally. It has a weak tracking blocker (using the shitty Disconnect lists). It allows most forms of prefetching. Fingerprinting defenses are inactive by default. It installs system level telemetry that spies on your default browser even if it isn’t Firefox. It has a backdoor that allows for remote code execution (called “Firefox Experiments†/ Normandy). Its Sync requires E-Mail addresses. Leaks unique extension IDs via simple fetch requests. Connects speculatively to websites as you type addresses in the address bar. Uses Cloudflare for DoH (I am sure the DNS entries are safe in their hands!) etc.
Me occasionally criticizing Firefox does not mean that you have to do a mental striptease in order to compensate.
PS: If someone means to criticize me for this kind of reply, please consider that I am dealing with obvious trolling here that has no factual basis whatsoever.
@ IH
Respond to someone who can’t even complete a sentence? The post looks like an ebay listing full of keywords. Can’t tell what the listing is selling but it draws traffic.
@ULBoom
Yeah, sometimes I ask myself too “Why even bother?”…