EFF's latest HTTPS Everywhere plugin helps protect against Firesheep-style attacks

The new version of the Electronic Frontier Foundation's excellent HTTPS Everywhere browser tool specifically protects against having your credentials to many popular sites lifted with Firesheep (as well as by deliberately malicious tools that actual bad guys make). Wherever a site allows for SSL throughout your session, HTTPS Everywhere will add this. I was recently at EFF and asked Seth Schoen, a staff technologist, to print my boarding card for the next day's flight from his computer. It took a long time. When I asked why this was, Seth told me that he'd realized that Continental didn't use SSL to transmit boarding cards by default, but that they supported it, so he was adding an HTTPS Everywhere rule to make sure all the HTTPS Everywhere users who used Continental's boarding pass service would be protected in future. EFF is adding new sites by the shovel-load, making the free/open HTTPS Everywhere indispensable.
This new version of HTTPS Everywhere responds to growing concerns about website vulnerability in the wake of Firesheep, an attack tool that could enable an eavesdropper on a network to take over another user's web accounts -- on social networking sites or webmail systems, for example -- if the browser's connection to the web application either does not use cryptography or does not use it thoroughly enough. Firesheep, which was released in October as a demonstration of a vulnerability that computer security experts have known about for years, sparked a flurry of media attention.

"These new enhancements make HTTPS Everywhere much more effective in thwarting an attack from Firesheep or a similar tool," said EFF Senior Staff Technologist Peter Eckersley. "It will go a long way towards protecting your Facebook, Twitter, or Hotmail accounts from Firesheep hacks. And, like previous releases, it shields your Google searches from eavesdroppers and safeguards your payments made through PayPal."

EFF Tool Offers New Protection Against 'Firesheep'


  1. Does this actually have anything to do with Firesheep besides riding its coattails to some security hype? It doesn’t seem to do anything different than before, aside from adding/tweaking some rules, but that hardly calls for a press release.

    Also, if I’m not mistaken, Firesheep’s main purpose isn’t to steal login credentials, which are almost always sent over HTTPS, but rather the session cookies for already authenticated users, which are often sent in the clear.

    1. Hi ColHapablap,

      Many of the changes in this release were in fact directly inspired by Firesheep. In particular, we added a feature so that rulesets can turn on the “secure” flag for cookies even if the site fails to set it; we expanded the Twitter and Facebook rules to httpsify many subsidiary requests to http pages that could leak cookies (and also expose you to JavaScript injection); we added support for Hotmail beyond the login page (which Microsoft now offers in response to Firesheep); and we added rules for bit.ly, Dropbox, Github, Cisco and Evernote, since those sites were targeted by Firesheep.

      Release notes and a more complete Changelog are available here:


  2. Pleased to see this; not that I care so much about folks in the cafe using Firesheep against me, but rather that I prefer SSL over plain text in general.

    Testing it out, I was pleasantly surprised that instead of just trying to encrypt your connection, they included rules to redirect you from web sites on hosts that don’t have a cert to ones that do: e.g. from http://en.wikipedia.org/ to https://secure.wikimedia.org/wikipedia/en/

    But unfortunately this means we need to depend on somebody to maintain a list of what stuff is available over SSL on different domains.

    1. Indeed. Not even for your username and password.

      Oh, it’s just a blog…. Sure. But how many people reuse their BB username and password (or some easily guessed variation of it) on other sites?

      DNS is never encrypted, even if HTTPS is. Once I sniff a target’s usernames and passwords on every cleartext site I can, I watch their DNS traffic, and try obvious variations of those logins on all the HTTPS sites they go to…

      They can use all the SSL they want, if passwords get reused I’ll get in somewhere.

      (Posting as anon, ’cause I’m not about to log in…)

  3. I tried the last version out, but disabled it. Google doesn’t have HTTPS on all their properties so I can’t click around their bar of sites at the top and have the query follow me around automagically. Of course, this isn’t the extension’s fault, but it made it awfully inconvenient when I was doing some research.

  4. goo.gl shortened links are not resolving properly with the add-on enabled, which I suspect has everything to do with Google and https, per the comment by Restless.

  5. The internet can be any two of: fast, convenient, and secure. I’ve installed this thing 24 hours ago and it’s pretty much ruined my browsing. Can’t load anything from Amazon. Uninstalling.

  6. The UI could use some improvement. Currently it has a large panel with checkboxes for each website. This is not going to scale well as the number of sites increases, so there should be a multiselect list or something instead.

  7. I love the idea of HTTPS Everywhere, but I’ve had to shut it off for Facebook because it breaks the chat function there. Does anyone know if there’s a way to fix that?
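The two behaviours discussed in the comments above, the cross-host rewrite from the Wikipedia example and the forced "Secure" cookie flag from the EFF reply, as a constructed Python sketch added here; it is not HTTPS Everywhere's own code or ruleset format, and every host other than the Wikipedia pair quoted in the comment is hypothetical.

```python
import re

# Constructed rules in the spirit of HTTPS Everywhere rulesets: a "from" regex
# and a "to" replacement. Only the Wikipedia pair comes from the comment above;
# example.com is a hypothetical host used to show the plain scheme upgrade.
RULES = [
    # Redirect to a different host that actually has a certificate.
    (re.compile(r"^http://en\.wikipedia\.org/"),
     r"https://secure.wikimedia.org/wikipedia/en/"),
    # Same host serves HTTPS: just swap the scheme, keep the optional "www.".
    (re.compile(r"^http://(www\.)?example\.com/"), r"https://\1example.com/"),
]

# Hosts whose cookies get the Secure attribute added even when the site omits
# it (hypothetical pattern). A session cookie without Secure is sent along with
# any plain-HTTP request to the host, which is what a LAN sniffer can read.
SECURE_COOKIE_HOSTS = [re.compile(r"^(.*\.)?example\.com$")]


def rewrite_url(url: str) -> str:
    """Apply the first matching rule; URLs no rule covers pass through unchanged,
    which is the 'somebody has to maintain the list' caveat in the comments."""
    for pattern, replacement in RULES:
        if pattern.search(url):
            return pattern.sub(replacement, url, count=1)
    return url


def secure_cookie(host: str, set_cookie: str) -> str:
    """Return the Set-Cookie header with Secure appended when the host is covered
    and the attribute is missing; leave headers for other hosts untouched."""
    if not any(p.match(host) for p in SECURE_COOKIE_HOSTS):
        return set_cookie
    attrs = [a.strip() for a in set_cookie.split(";")]
    if any(a.lower() == "secure" for a in attrs):
        return set_cookie
    return set_cookie + "; Secure"


if __name__ == "__main__":
    print(rewrite_url("http://en.wikipedia.org/wiki/Firesheep"))
    print(secure_cookie("www.example.com", "session=abc; Path=/; HttpOnly"))
```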

Comments are closed.