HTTPS secures web browsing by encrypting both requests from your browser to websites and the resulting pages that are displayed. Without HTTPS, your online reading habits and activities are vulnerable to eavesdropping, and your accounts are vulnerable to hijacking.
Unfortunately, while many sites on the web offer some limited support for HTTPS, it is often difficult to use. Websites may default to using the unencrypted, and therefore vulnerable, HTTP protocol or may fill HTTPS pages with insecure HTTP references. EFF’s HTTPS Everywhere tool uses carefully crafted rules to switch sites from HTTP to HTTPS.
This new version of HTTPS Everywhere responds to growing concerns about website vulnerability in the wake of Firesheep, an attack tool that could enable an eavesdropper on a network to take over another user’s web accounts – on social networking sites or webmail systems, for example – if the browser’s connection to the web application either does not use cryptography or does not use it thoroughly enough.
Firesheep, which was released in October as a demonstration of a vulnerability that computer security experts have known about for years, sparked a flurry of media attention.
Other sites targeted by Firesheep that now receive protection from HTTPS Everywhere include Bit.ly, Cisco, Dropbox, Evernote, and GitHub. In addition to the HTTPS Everywhere update, EFF also released a guide to help website operators implement HTTPS properly.
The first beta of HTTPS Everywhere was released last June. Since then, the tool has been downloaded more than half a million times.