Neil Turner's Blog

Blogging about technology and randomness since 2002

Forcing sites to use HTTPS

You’re probably familiar with HTTPS, the encrypted form of HTTP that your web browser uses when sending sensitive data. Traffic is encrypted between your browser and the web server, so a third party who can see it in transit (someone sharing an open, unencrypted wireless network with you, for instance) can neither read it nor tamper with it. That protection rests on your browser checking the server’s certificate: if it warns you that the certificate is wrong, don’t click through, because that is exactly what a ‘man-in-the-middle’ attack looks like from your side.
Last year, the Firesheep addon for Firefox made it trivially easy to hijack other people’s logins to sites like Google, Facebook and Twitter, by sniffing the session cookies those sites sent over unencrypted HTTP on the same network and then reusing them. It didn’t do anything new, but it made the whole thing much easier, and gave a few people a case of the collywobbles.
The thing is, all of these sites are available over HTTPS, against which Firesheep (and any similar tool) is next to useless, because the cookie it needs is encrypted on the wire. But these sites don’t necessarily force people to use HTTPS. Plain HTTP is a little faster, as there is no TLS handshake to perform and no encryption to do at either end, which may explain why sites have been reluctant to force it on everyone. That being said, nowadays PCs and servers are much more powerful and the extra processing time is comparatively negligible.
So, how do you force your browser to always use HTTPS? The simplest way is to change your bookmarks to start with ‘https://’ instead of ‘http://’, but that only covers the bookmark itself: a typed address or a link from elsewhere still begins with a plain HTTP request (which can leak your cookie if the site hasn’t marked it secure-only), and some sites will redirect you back to an insecure page anyway. Fortunately, there are other ways.
Facebook, Windows Live Hotmail and Gmail all now have settings which let you insist that HTTPS is always used, so turn these on. The caveats are that some third-party Facebook apps won’t work (Facebook will ask you to switch back to regular HTTP, and you’ll have to re-enable HTTPS manually afterwards), and a few desktop clients won’t work with Windows Live Hotmail once HTTPS has been enabled. But I’ve had very few problems.
You can also make changes to your browser. If you use Firefox, get yourself the HTTPS Everywhere addon. It carries a set of rules for specific sites and rewrites your requests to those sites to HTTPS before they leave the browser, so it only helps with sites it has rules for. A few of the rules are buggy but most work fine, and you can expand the basic set with extras from this git repository.
The Firefox 4 betas and Google Chrome also support HTTP Strict Transport Security (HSTS), which lets a site tell the browser, through a response header sent over HTTPS, that it must use HTTPS for every connection to that site for a stated period. Once the browser has seen the header it rewrites http:// links to that site to https:// itself, before anything goes on the wire, and it treats a certificate error on that site as fatal rather than something you can click through. The one gap is your very first visit, before the browser has seen the header. If you use Firefox 3.6, the Force-TLS addon will enable this for the time being. PayPal is one such site that supports HSTS.
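As an added example (not code from Firefox, Chrome, Force-TLS or PayPal), here is the bookkeeping a browser does for HSTS: parse the header, remember it only when it arrived over HTTPS, and upgrade later http:// requests until it expires. The header value and host names are constructed for the example, and the response headers are assumed to be passed in as an object keyed by lowercase name.

```javascript
// Added example, not any browser's own code. A site sends, over HTTPS:
//   Strict-Transport-Security: max-age=31536000; includeSubDomains
// and the browser records that for max-age seconds every http:// URL for that
// host (and, with includeSubDomains, its subdomains) is to be fetched over
// https:// instead.

// Parse the header's directives (RFC 6797). Returns null when the header is
// unusable (no max-age, or a non-numeric one); the browser then ignores it.
function parseHsts(headerValue) {
  const policy = { maxAge: null, includeSubDomains: false };
  for (const raw of headerValue.split(";")) {
    const [name, value] = raw.trim().split("=").map((s) => (s === undefined ? s : s.trim()));
    switch (name.toLowerCase()) {
      case "max-age": {
        const v = (value || "").replace(/^"(.*)"$/, "$1"); // quoted values are allowed
        if (!/^\d+$/.test(v)) return null;
        policy.maxAge = Number(v);
        break;
      }
      case "includesubdomains":
        policy.includeSubDomains = true;
        break;
      default:
        break; // unknown directives are ignored
    }
  }
  return policy.maxAge === null ? null : policy;
}

class HstsStore {
  constructor() {
    this.entries = new Map(); // host -> { expires (ms), includeSubDomains }
  }

  // Called for every response. Only a response received over HTTPS may set
  // the policy; the same header over plain HTTP is ignored, because anyone on
  // the network could have injected it. `headers` keys are assumed lowercase.
  observeResponse(url, headers, now) {
    const u = new URL(url);
    if (u.protocol !== "https:") return;
    const value = headers["strict-transport-security"];
    if (value === undefined) return;
    const p = parseHsts(value);
    if (p === null) return;
    if (p.maxAge === 0) {
      this.entries.delete(u.hostname); // max-age=0 is how a site opts out
      return;
    }
    this.entries.set(u.hostname, {
      expires: now + p.maxAge * 1000,
      includeSubDomains: p.includeSubDomains,
    });
  }

  // Is `host` covered by a live policy, either its own or an includeSubDomains
  // policy on a parent domain? Expired entries are dropped as they are found.
  isKnown(host, now) {
    const labels = host.split(".");
    for (let i = 0; i < labels.length - 1; i++) {
      const candidate = labels.slice(i).join(".");
      const e = this.entries.get(candidate);
      if (!e) continue;
      if (e.expires <= now) {
        this.entries.delete(candidate);
        continue;
      }
      if (i === 0 || e.includeSubDomains) return true;
    }
    return false;
  }

  // Rewrite an http:// URL to https:// before it is sent. A non-default port
  // is kept as-is, as RFC 6797 specifies.
  upgrade(url, now) {
    const u = new URL(url);
    if (u.protocol === "http:" && this.isKnown(u.hostname, now)) {
      u.protocol = "https:";
      return u.href;
    }
    return url;
  }
}
```

The two details worth noticing are that the header is only honoured when it came in over HTTPS, and that expiry is checked at lookup time, so a site that stops sending the header simply ages out of the store.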
While encrypting everything may seem like mild paranoia, it’s well worth doing if you regularly use unsecured wireless networks. You never know who might have Firesheep installed, and what they’ll do when they hijack your logins.
