The Electronic Frontier Foundation and The Tor Project have teamed up to offer a Firefox add-on that beefs up https on several major websites, including Google.com, Wikipedia, Twitter, Facebook, and PayPal. Currently in beta, HTTPS Everywhere is designed to make encryption easier to use on sites offering at least partial SSL …
Sites that force http/https for specific pages
Over the years, I've worked on several sites that use configuration to force sensitive pages to use https and also force non-sensitive pages to use http.
A request to a non-https configured page in https causes a redirection to the http url in the same way the http request to a sensitive page is redirected to https.
Anyone who's ever worked on a webserver knows that you can do that. What's your point? (I'm watching England and getting pissed off)
Is it necessary?
Time to make sure that sites properly redirect to non-secure versions of pages where security and privacy are not a concern. Many small businesses will find their hosting costs going up if their sites begin to serve larger quantities of secure pages.
I think this is fine for companies that can afford the additional hosting costs, big companies like Google and Facebook shouldn't have a problem meeting the additional processing and traffic demands. I'm simply concerned about the cost consequences to small businesses especially given the current economic situation.
I can understand why those who are concerned about privacy may welcome this add-on. I'm very privacy-conscious and go to some length to protect myself from data farming operations such as those run by Google and other criminal organisations. When I'm just browsing web pages though I see no need for encryption to protect my activity, it's only when I'm submitting form data or using a site of a personal nature such as Facebook that I ensure my activities are adequately protected from prying eyes. All I'm saying is that people should consider whether they really need to use encryption for everything, or if they can help reduce server processing and bandwidth utilisation by being selective about security.
All the websites have to do is offer NULL encryption, sure, it'll be ssl, but with a null key...
Next question: When will IE/Firefox/etc begin to use GPUs to do ssl encocde/decoding?
SSL's dirty little secret
SSL helps but is not a panacea. In a corporate environment, it is possible for IT to monitor SSL-encrypted traffic using so-called Data Loss Prevention applications, such as Bluecoat's ProxySG SSL-interceptor:
For details on how it's done, see:
for most, this is a dumb plugin
There's a reason why web companies serve some pages with http rather than https - performance. SSL-based communication is slower & more cpu intensive than its non-encrypted counterpart and many sites could do without the additional overhead.
Say you're on a banking site - what would be the benefit of serving the image advertising the latest CD rates using SSL?
Images will be served in SSL
If there are any items on the page that aren't secure, the padlock won't appear and you will have a million worried users complaining about it
10 years ago
This was true 10 years ago when machines weren't as powerful as they are today and people didn't have as much broadband. Unfortunately, it's the type of thinking that has been carried over without any attention paid to 'today'.
Less of the Dummy Guide please
Talk about dumbing down an article Reg...
Yes I'm sure most of us did spot the difference between a SSL URL and a non-SSL URL without needing the Reg to spell it out for us.
Next you'll be telling us the difference between RAM and ROM...
RAM and ROM
Difference between RAM and ROM is that RAM is the male sheep
How can we trust the certificates given?
The following is slightly off-topic, but I wonder, is there a way to actually check or just get a clue as to what kind of encryption your data traffic "has"?
Else, I guess one has to simply trust the certificates. If encryption were to be turned on and off on demand, who could notice this? (Probably possible, and perhaps not very useful, I just want to learn more about all of this)
Re: How can we trust the certificates given?
If I understand your question right, you can check both what kind of encryption is in use and whether you want to trust the certificate being presented or not, based on its certification chain, on every mainstream browser I know of. This is typically done by clicking on the "encryption on" (a padlock, or the certificate owner's name on the address bar), or through the Page Properties or equivalent menu.
If you're a security conscious/paranoid type, then something you might want to do is go through your browser's (rather extensive, I bet) list of Certificate Authorities and either do a bit of pruning, or delete them wholesale, depending on your level of paranoia and browser usage pattern. The latter will cause a warning to pop up on every HTTPS site, and usually give you the option to "permanently trust this site", so you can whitelist the HTTPS sites you actually trust one by one over a few weeks of usage.
Apologies if I've answered the wrong question there.
Sounds like a good idea in practice....
Unfortunately the action of re-writing URL's as HTTPS: can be problematic.
For example: Facebook Chat
If you access facebook via http:, facebook chat works. If you access it via https:, facebook chat does not work - you get a little triangular icon saying chat is disabled on this page.
While there are work-arounds, like running Trillian to access facebook chat, it is not the best solution, especially if you're not running Trillian.
What happens if a website tries to force you to an HTTP connection? Then it would get stuck in a cycle of redirections and URL-rewriting. While coders shouldn't be so stupid, it can happen.
I'd like to see all connections encrypted. Unfortunately this add-on doesn't help me.
Encrypt Everything ?
With increasing bandwidth, why not just encrypt everything by default - built into the browser, not an add-on. Yes, there is an overhead, but it might also encourage developers to write more efficient code and web pages
If this gets widely taken up there will be a lot more busy processors and therefore more electricity used (possibly more servers being bought).
Personally I don't follow the CO2 cult but it does seem an awful waist.
You saying my bum looks big in this?
Not a good idea...
If large numbers of users were to deploy this, it would be bad news for web hosting providers and web site owners. Using SSL for everything will add significant extra processing demands in places where it is not necessary.
The bandwidth is irrelevant, encrypted data does not take up much more space than raw data. The important thing is the processing overhead. To protect the privacy of communications, we rely on modern encryption technology such as SSL without thinking about the considerable maths that needs to be performed.
More CPU power = more energy used = more heat dissipation.
This would have serious implications in a data centre with hundreds of servers hosting thousands of web sites. To serve the same number of requests, more physical computers will be required, more electricity will be consumed and more heat will have to be removed.
The bottom line is, potential massive impact on the environment, not to mention budget worries for businesses in today's economic climate.
The intentions behind this little tool are good, I wholly advocate privacy and the right to protect it. However, these concepts must be applied appropriately. It seems they might not have fully thought through the implications of such a blanket approach.
The tool should provide users with the ability to 'prefer SSL' in specific cases where they would like the additional peace of mind. It should make these choices as granular as possible, for example by targeting certain pages; targeting only pages where information is submitted (forms) and giving the option to include or not include images and other multimedia.
Why use "secure" Google, when
they store all your results in plain text and hand them over to whatever governmental organization has asked most recently?
RE: Why use "secure" Google, when
Because in a corporate environment it makes it harder for people to spy on you
Not working properly
Works fine if I do a google search from google.co.uk or firefox search box... however if I do it from my iGoogle page it doesn't work