EFF's latest HTTPS Everywhere plugin helps protect against Firesheep-style attacks


10 Responses to “EFF's latest HTTPS Everywhere plugin helps protect against Firesheep-style attacks”

  1. Anonymous says:

    Pleased to see this; not that I care so much about folks in the cafe using Firesheep against me, but rather that I prefer SSL over plain text in general.

    Testing it out, I was pleasantly surprised that instead of just trying to encrypt your connection, they included rules to redirect you from web sites on hosts that don’t have a cert to ones that do: e.g. from http://en.wikipedia.org/ to https://secure.wikimedia.org/wikipedia/en/

    But unfortunately this means we need to depend on somebody to maintain a list of what stuff is available over SSL on different domains.

  2. dragonfrog says:

    “but rather the session cookies for already authenticated users, which are often sent in the clear.”

    If you don’t have HTTPS Everywhere.

    Also – hehehe https://www.boingboing.net hehehe

    • Anonymous says:

      Indeed. Not even for your username and password.

      Oh, it’s just a blog…. Sure. But how many people reuse their BB username and password (or some easily guessed variation of it) on other sites?

      DNS is never encrypted, even if HTTPS is. Once I sniff a target’s usernames and passwords on every cleartext site I can, I watch their DNS traffic, and try obvious variations of those logins on all the HTTPS sites they go to…

      They can use all the SSL they want, if passwords get reused I’ll get in somewhere.

      (Posting as anon, ’cause I’m not about to log in…)

  3. rexdude says:

    The UI could use some improvement.
    Currently it has a large panel with checkboxes for each website. This is not going to scale well as the number of sites increases,
    so there should be a multiselect list or something instead.

  4. Restless says:

    I tried the last version out, but disabled it. Google doesn’t have HTTPS on all their properties so I can’t click around their bar of sites at the top and have the query follow me around automagically. Of course, this isn’t the extension’s fault, but it made it awfully inconvenient when I was doing some research.

  5. Anonymous says:

    goo.gl shortened links are not resolving properly with the add-on enabled, which I suspect has everything to do with Google and https, per the comment by Restless.

  6. ColHapablap says:

    Does this actually have anything to do with Firesheep besides riding its coattails to some security hype? It doesn’t seem to do anything different than before, aside from adding/tweaking some rules, but that hardly calls for a press release.

    Also, if I’m not mistaken, Firesheep’s main purpose isn’t to steal login credentials, which are almost always sent over HTTPS, but rather the session cookies for already authenticated users, which are often sent in the clear.

    • pde says:

      Hi ColHapablap,

      Many of the changes in this release were in fact directly inspired by Firesheep. In particular, we added a feature so that rulesets can turn on the “secure” flag for cookies even if the site fails to set it; we expanded the Twitter and Facebook rules to httpsify many subsidiary requests to http pages that could leak cookies (and also expose you to JavaScript injection); we added support for Hotmail beyond the login page (which Microsoft now offers in response to Firesheep); and we added rules for bit.ly, Dropbox, Github, Cisco and Evernote, since those sites were targeted by Firesheep.

      Release notes and a more complete Changelog are available here:


  7. Neuron says:

    The internet can be any two of: fast, convenient, and secure. I’ve installed this thing 24 hours ago and it’s pretty much ruined my browsing. Can’t load anything from Amazon. Uninstalling.

  8. Skaramuche says:

    I love the idea of HTTPS Everywhere, but I’ve had to shut it off for Facebook because it breaks the chat function there. Does anyone know if there’s a way to fix that?

Leave a Reply