Safer web browsing with HTTPS

A lot of popular websites like Twitter and Facebook use HTTPS for the login page, but switch to regular HTTP for the subsequent pages. This can result in session hijacking attacks where an someone else on the same network may be able to view all the traffic (including your photos and posts).

There is even an experimental Firefox extension (Firesheep) that will allow someone on an open Wi-Fi network to view all the traffic on that network. One solution is to send all traffic through HTTPS, so that all traffic is encrypted. The Electronic Frontier Foundation (EFF) has developed a Firefox extension (HTTPS Everywhere) that will send traffic over HTTPS for specified sites.

The way it works is that it rewrites HTTP requests to HTTPS URLs using rulesets for websites. The caveat is that the website has to support HTTPS to be able to use this extension effectively. Anyone can create a ruleset and use it by placing it in the HTTPSEverywhereUserRules/ sub-directory in the Firefox profile directory.

Rulesets are simple xml files and will have a “from” and a “to” clause and uses regular expressions. To build more complex rulesets, you can check out their ruleset reference page.

If the site carries content from 3rd party sites or locations that do not support HTTPS, the traffic may still be vulnerable. But it is better to have this instead of nothing, because the attacks will also require more sophistication. For sites that do not support HTTPS, you may need to ask the website operator to add that support.

The Firefox extension can be downloaded from the EFF website.