Firefox add-on does 'HTTPS Everywhere' The Electronic Frontier Foundation and The Tor Project have teamed up to offer a Firefox add-on that beefs up https on several major websites, including Google.com, Wikipedia, Twitter, Facebook, and PayPal. Currently in beta, HTTPS Everywhere is designed to make encryption easier to use on sites offering at least partial SSL …
Over the years, I've worked on several sites that use configuration to force sensitive pages to use https and also force non-sensitive pages to use http.
A request to a non-https configured page in https causes a redirection to the http url in the same way the http request to a sensitive page is redirected to https.
Time to make sure that sites properly redirect to non-secure versions of pages where security and privacy are not a concern. Many small businesses will find their hosting costs going up if their sites begin to serve larger quantities of secure pages.
I think this is fine for companies that can afford the additional hosting costs, big companies like Google and Facebook shouldn't have a problem meeting the additional processing and traffic demands. I'm simply concerned about the cost consequences to small businesses especially given the current economic situation.
I can understand why those who are concerned about privacy may welcome this add-on. I'm very privacy-conscious and go to some length to protect myself from data farming operations such as those run by Google and other criminal organisations. When I'm just browsing web pages though I see no need for encryption to protect my activity, it's only when I'm submitting form data or using a site of a personal nature such as Facebook that I ensure my activities are adequately protected from prying eyes. All I'm saying is that people should consider whether they really need to use encryption for everything, or if they can help reduce server processing and bandwidth utilisation by being selective about security.
SSL helps but is not a panacea. In a corporate environment, it is possible for IT to monitor SSL-encrypted traffic using so-called Data Loss Prevention applications, such as Bluecoat's ProxySG SSL-interceptor:
http://www.bluecoat.com/news/pr/202
For details on how it's done, see:
http://technotes-fran.blogspot.com/2010/05/ssls-dirty-little-secret.html
There's a reason why web companies serve some pages with http rather than https - performance. SSL-based communication is slower & more cpu intensive than its non-encrypted counterpart and many sites could do without the additional overhead.
Say you're on a banking site - what would be the benefit of serving the image advertising the latest CD rates using SSL?
The following is slightly off-topic, but I wonder, is there a way to actually check or just get a clue as to what kind of encryption your data traffic "has"?
Else, I guess one has to simply trust the certificates. If encryption were to be turned on and off on demand, who could notice this? (Probably possible, and perhaps not very useful, I just want to learn more about all of this)
If I understand your question right, you can check both what kind of encryption is in use and whether you want to trust the certificate being presented or not, based on its certification chain, on every mainstream browser I know of. This is typically done by clicking on the "encryption on" (a padlock, or the certificate owner's name on the address bar), or through the Page Properties or equivalent menu.
If you're a security conscious/paranoid type, then something you might want to do is go through your browser's (rather extensive, I bet) list of Certificate Authorities and either do a bit of pruning, or delete them wholesale, depending on your level of paranoia and browser usage pattern. The latter will cause a warning to pop up on every HTTPS site, and usually give you the option to "permanently trust this site", so you can whitelist the HTTPS sites you actually trust one by one over a few weeks of usage.
Apologies if I've answered the wrong question there.
Unfortunately the action of re-writing URL's as HTTPS: can be problematic.
For example: Facebook Chat
If you access facebook via http:, facebook chat works. If you access it via https:, facebook chat does not work - you get a little triangular icon saying chat is disabled on this page.
While there are work-arounds, like running Trillian to access facebook chat, it is not the best solution, especially if you're not running Trillian.
What happens if a website tries to force you to an HTTP connection? Then it would get stuck in a cycle of redirections and URL-rewriting. While coders shouldn't be so stupid, it can happen.
I'd like to see all connections encrypted. Unfortunately this add-on doesn't help me.
If large numbers of users were to deploy this, it would be bad news for web hosting providers and web site owners. Using SSL for everything will add significant extra processing demands in places where it is not necessary.
The bandwidth is irrelevant, encrypted data does not take up much more space than raw data. The important thing is the processing overhead. To protect the privacy of communications, we rely on modern encryption technology such as SSL without thinking about the considerable maths that needs to be performed.
More CPU power = more energy used = more heat dissipation.
This would have serious implications in a data centre with hundreds of servers hosting thousands of web sites. To serve the same number of requests, more physical computers will be required, more electricity will be consumed and more heat will have to be removed.
The bottom line is, potential massive impact on the environment, not to mention budget worries for businesses in today's economic climate.
The intentions behind this little tool are good, I wholly advocate privacy and the right to protect it. However, these concepts must be applied appropriately. It seems they might not have fully thought through the implications of such a blanket approach.
The tool should provide users with the ability to 'prefer SSL' in specific cases where they would like the additional peace of mind. It should make these choices as granular as possible, for example by targeting certain pages; targeting only pages where information is submitted (forms) and giving the option to include or not include images and other multimedia.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
