Enforce HTTPS Encryption on All Supported Websites

HTTPS is used by websites to help secure your browsing. When you visit a website using HTTPS your traffic (i.e. all of your activity) whilst using that website is encrypted – making it much harder for anyone else to access your information without your permission.

Encrypting your web traffic is especially important if you ever use an insecure network e.g. public wifi offered in airports and coffee shops. Any website that needs good security should be using https e.g. your online banking websites, paypal and ebay etc. If a site uses HTTPS you should see the traditional ‘padlock’ icon in your web browser.

Tip: Latest versions of Firefox do not display the padlock icon by default but see our article to easily add a traditional padlock icon to Firefox.

Unfortunately many websites (especially social media sites like Twitter and Facebook) that do offer support for encryption using HTTPS either make it very difficult to use or require you to change settings in your account in order to access it – and even during the course of a session they might redirect to you to a less secure http page.

E.g. we recently explained how to use Facebook securely (and stop your account being hacked) by switching on HTTPS in your Facebook Security Settings – it is only an opt-in feature and is not switched on by default. It would be much easier if you could just install a browser add-on that forced HTTPS encryption on all sites that supported it…

HTTPS Everywhere extension is a browser extension that rewrites all requests to supported sites to use HTTPS. It can protect you if you’re using sites that support HTTPS and for which the extension includes rules as it automatically activates the security features of HTTPS where they exist.

HTTPS Everywhere is a free extension for Firefox, Chrome and Opera available here.

KB SSL Enforcer extension is an extension for Google Chrome only that enforces encryption for websites that support it.

Features:

– Automatically detects if a site supports SSL (TLS) and redirects you to it
– Flexible options for overriding the auto-detection
– Caches which sites support SSL (respects incognito mode)
– Open source (GPLv2 or later)

KB SSL Enforcer is a free extension for Chrome available here.

Note: in our opinion this extension is not as secure as HTTPS Everywhere with Firefox because, unlike Firefox, Chrome does not natively support request rewriting by extensions (nor does Internet Explorer). As the developer states: “Due to Chrome limitations KB SSL Enforcer redirects while the page is loading. This first insecure request could send a cookie in the clear, which would give anyone with tools like Firesheep an opportunity to use your account on that site. But this only happens if they catch it during that first request and if it includes sensitive information, such as your logged in session.”

Conclusion

The limitations of KB SSL Enforcer are due to Chrome itself, not a fault of the extension. Until those limitations are removed from Chrome and IE, theoretically it would be safer to use Firefox for forcing HTTPS encryption although the extension for Chrome is a useful add-on and is certainly an improvement on using IE without such any extension.

3 Responses to: "Enforce HTTPS Encryption on All Supported Websites"

  1. Poker Pete says:

    Another good reason for Chrome users to adopt Firefox for anything serious as it has better security. Just use Chrome for general web browsing or playing games and stuff thats not private

  2. Mark W. says:

    Thanks for the article.

    Correction in the Conclusion section – “The same limitations have prevented the authors of HTTPS Everywhere making their extension available on Chrome as well as on Firefox.”
    I think it should be – “The same limitations have prevented the authors of HTTPS Everywhere making their extension available on Chrome as well as on IE.” as HTTPS Everywhere only works for Firefox to my knowledge.
    I know you know that as you have it correct in a preceding paragraph in this article. :)

    • Roy says:

      Thanks for the correction Mark, I knew what I was trying to say but it didn’t quite come out right! I’ve amended the conclusion to make it clearer, thanks.