HTTPS Everywhere was inspired by Google's increased use of HTTPS[8] and is designed to force the usage of HTTPS automatically whenever possible.[9] The code, in part, is based on NoScript's HTTP Strict Transport Security implementation, but HTTPS Everywhere is intended to be simpler to use than No Script's forced HTTPS functionality which requires the user to manually add websites to a list.[4] The EFF provides information for users on how to add HTTPS rulesets to HTTPS Everywhere,[10] and information on which websites support HTTPS.[11]
Platform support
A public beta of HTTPS Everywhere for Firefox was released in 2010,[12] and version 1.0 was released in 2011.[13] A beta for Chrome was released in February 2012.[14] In 2014, a version was released for Android phones.[15]
SSL Observatory
The SSL Observatory is a feature in HTTPS Everywhere introduced in version 2.0.1[14] which analyzes public key certificates to determine if certificate authorities have been compromised,[16] and if the user is vulnerable to man-in-the-middle attacks.[17] In 2013, the ICANN Security and Stability Advisory Committee (SSAC) noted that the data set used by the SSL Observatory often treated intermediate authorities as different entities, thus inflating the number of certificate authorities. The SSAC criticized SSL Observatory for potentially significantly undercounting internal name certificates, and noted that it used a data set from 2010.[18]
Continual Ruleset Updates
The update to Version 2018.4.3, shipped on 3 April 2018, introduces the "Continual Ruleset Updates" function.[19] To apply up-to-date https-rules, this update function executes one rule-matching within 24 hours. A website called https-rulesets was built by the EFF for this purpose.[20] This automated update function can be disabled in the add-on settings. Prior to the update- mechanism there have been ruleset-updates only through app-updates. Even after this feature was implemented there are still bundled rulesets shipped within app-updates.
Reception
Two studies have recommended building HTTPS Everywhere functionality into Android browsers.[21][22] In 2012, Eric Phetteplace described it as "perhaps the best response to Firesheep-style attacks available for any platform".[23] In 2011, Vincent Toubiana and Vincent Verdot pointed out some drawbacks of the HTTPS Everywhere add-on, including that the list of services which support HTTPS needs maintaining, and that some services are redirected to HTTPS even though they are not yet available in HTTPS, not allowing the user of the extension to get to the service.[24]
Other criticisms are that users may be misled to believe that if HTTPS Everywhere does not switch a site to HTTPS, it is because it does not have an HTTPS version, while it could be that the site manager has not submitted an HTTPS ruleset to the EFF,[25]
and that because the extension sends information about the sites the user visits to the SSL Observatory, this could be used to track the user.[25]
^"Archived copy". www.https-rulesets.org. Archived from the original on 11 July 2018. Retrieved 12 September 2022.{{cite web}}: CS1 maint: archived copy as title (link)
^Davis, Benjamin; Chen, Hao (2013). "Retro Skeleton". Proceedings of the 11th annual international conference on Mobile systems, applications, and services - Mobi Sys '13 (published June 2013). pp. 181–192. doi:10.1145/2462456.2464462. ISBN9781450316729. S2CID668399.
^Kerschbaumer, Christoph; Gaibler, Julian; Edelstein, Arthur; Merwe, Thyla van der (17 November 2020). "Firefox 83 introduces HTTPS-Only Mode". Mozilla Security Blog. Retrieved 3 December 2020.
^"HTTPS Everywhere FAQ". Electronic Frontier Foundation. 7 November 2016. Retrieved 3 December 2020.