Encrypted-Only Firefox Extension

Wednesday, August 28, 2013 @ 02:08 PM gHale

A new browser extension for Firefox can help address some security issues by only accepting HTTPS requests.

Called HTTP Nowhere, the extension, written by Chris Wilper, takes a different tack: rather than looking for HTTPS connections with a site, it gives the user a button that ensures the browser makes and receives only HTTPS requests and rejects plaintext HTTP requests.

When a user visits a site that he wants to connect with securely, he presses the button on the browser that puts it into encrypted-only mode. The browser will then reject any insecure requests during the session and will inform the user any time a request is rejected.

“Since the web isn’t going to be fully encrypted anytime soon, we need to find ways to improve people’s awareness of when their communication is and is not encrypted. More conspicuous and consistently implemented visual cues would be an improvement, but those are still just passive indicators. I think something more active is needed. I call it encrypted-only mode,” Wilper said in a blog post.

“The idea is that entering this mode would provide an additional layer of protection by temporarily disabling all unencrypted traffic. It would also be a conscious decision, and therefore difficult to ignore,” he said.

Wilper said another benefit of the extension is that it could serve as a warning about sites that have pages that aren’t using secure connections.

“It hasn’t been tested extensively on ecommerce sites, but I can say with some confidence that if it breaks functionality of any secure sites, it’s a good indication that those sites are not as secure as their users might think. Since the extension reports on every non-https request that it blocks, it might actually serve as a good tool for auditing such sites,” Wilper said.

Although the HTTP Nowhere extension is only for Firefox, Wilper said he’d like to see it ported to Chrome as well.

“There’s currently not a Chrome version, but I’d like to see one developed. Either by me or a contributor. I don’t see any technical impediments to doing that at this time,” he said.
