It’s no secret that the Web wasn’t really meant to be a secure platform, for communications or commerce or anything else. But it’s used for all of these functions every day, and for the most part they depend upon the sites they deal with using SSL and doing so correctly. That’s not always a sure bet, and SSL has had its problems in recent years. But a new browser extension for Firefox is designed to help address some of these issues by only accepting HTTPS requests.
The extension is a kind of spiritual descendant of the EFF’s HTTPS Everywhere plug-in, an extension for Google Chrome and Firefox that forces the browser to use a secure HTTPS connection whenever one is available from a given site. The HTTP Nowhere extension, written by Chris Wilper, takes a different tack to achieve a similar result. Rather than simply looking for HTTPS connections with a site, HTTP Nowhere gives the user the ability to click a button that ensures that the browser is only making and receiving HTTPS requests and rejects plaintext HTTP requests.
When a user visits a site that he wants to connect with securely, he presses the button on the browser that puts it into encrypted-only mode. The browser then will reject any unsecure requests during the session and will inform the user anytime a request is rejected.
“Since the web isn’t going to be fully encrypted anytime soon, we need to find ways to improve people’s awareness of when their communication is and is not encrypted. More conspicuous and consistently implemented visual cues would be an improvement, but those are still just passive indicators. I think something more active is needed. I call it encrypted-only mode,” Wilper said in a blog post.
“The idea is that entering this mode would provide an additional layer of protection by temporarily disabling all unencrypted traffic. It would also be a conscious decision, and therefore difficult to ignore.”
Wilper said that another benefit of the extension is that it could serve as a warning about sites that have pages that aren’t using secure connections.
“It hasn’t been tested extensively on ecommerce sites, but I can say with some confidence that if it breaks functionality of any secure sites, it’s a good indication that those sites are not as secure as their users might think. Since the extension reports on every non-https request that it blocks, it might actually serve as a good tool for auditing such sites,” Wilper said by email.
Although the HTTP Nowhere extension is only for Firefox, Wilper said he’d like to see it ported to Chrome as well.
“There’s currently not a Chrome version, but I’d like to see one developed. Either by me or a contributor. I don’t see any technical impediments to doing that at this time,” he said.
