For several years the Electronic Frontier Foundation (EFF) has offered the HTTPS Everywhere browser extension:
HTTPS Everywhere is a Firefox, Chrome, and Opera extension that encrypts your communications with many major websites, making your browsing more secure.
Put simply, the extension makes your browser use HTTPS rather than HTTP whenever a website offers it. Someone watching your traffic in transit can still see which site you connect to, but not what you send to it or receive from it.
In our post-Snowden world HTTPS Everywhere is perhaps one of the most vital browser extensions around, but you might notice Safari is missing from that list of supported browsers. The EFF explains that Safari “does not offer a way to perform secure rewriting of http requests to https.”
Some see that kind of limitation as a challenge, however, and SSL Always sets out to bring the power of HTTPS Everywhere to Safari. Most importantly, it uses the same rule list as HTTPS Everywhere, so there’s no interruption to your browsing: if a site has an HTTPS entrance you’ll use it automatically, and if not you’ll use HTTP as before.
To install SSL Always, click the “Download SSL Always v1.0” link on the website, then double-click the downloaded file to install it. You’ll need to click the Trust button within Safari to finalise the installation.
SSL Always starts working immediately, and you’ll know it’s active because a padlock symbol appears alongside the URL/site name in Safari, although only on those sites that offer an HTTPS entrance.
If a website doesn’t look right, open Safari’s preferences dialog box, click the Extensions icon, and select SSL Always in the list. Then find the site in the rather long list of sites provided and untick the box alongside it.
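To make the mechanics concrete, here is an added example (not code from SSL Always or HTTPS Everywhere) that models the two things at stake on this page: applying an HTTPS Everywhere style ruleset to a URL, and the difference between rewriting a request before it is sent and redirecting after the HTTP page has already loaded, which is the point the comment thread below turns on. The ruleset is constructed for illustration, and its object shape mirrors the attributes of the real XML ruleset format (target host, exclusion pattern, rule from/to) but is an assumption of this example, not a parser for the real files.

```javascript
// Added example: a minimal model of HTTPS Everywhere style rulesets and of the
// two points at which a browser extension could apply them. Not code from
// SSL Always or HTTPS Everywhere; the object shape below is assumed.

// Constructed ruleset, rendered as JS in the shape of the XML ruleset format.
const RULESETS = [
  {
    name: 'Example (constructed)',
    targets: ['example.com', '*.example.com'],
    // URLs matching an exclusion stay on HTTP (e.g. a host with no TLS).
    exclusions: [/^http:\/\/legacy\.example\.com\//],
    rules: [
      // $1 back-references behave like HTTPS Everywhere's "to" attribute.
      { from: /^http:\/\/(www\.)?example\.com\//, to: 'https://www.example.com/' },
      { from: /^http:\/\/([a-z]+)\.example\.com\//, to: 'https://$1.example.com/' },
    ],
  },
];

// Match a hostname against a target; "*.example.com" covers one or more
// labels to the left of the dot but not the bare domain itself.
function hostMatches(target, host) {
  if (target.startsWith('*.')) {
    const suffix = target.slice(1); // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return host === target;
}

// Rewrite an http:// URL to https:// using the first applicable rule, or
// return null when no ruleset covers it (the browser stays on HTTP as before).
function rewriteUrl(rulesets, url) {
  const u = new URL(url);
  if (u.protocol !== 'http:') return null;
  for (const rs of rulesets) {
    if (!rs.targets.some((t) => hostMatches(t, u.hostname))) continue;
    if (rs.exclusions.some((re) => re.test(url))) return null;
    for (const rule of rs.rules) {
      if (rule.from.test(url)) return url.replace(rule.from, rule.to);
    }
  }
  return null;
}

// Model a navigation and record every request that crosses the wire in clear
// text. Mode 'request' rewrites before the first request leaves the browser
// (the Firefox/Chrome behaviour); mode 'start-script' lets the HTTP response
// load and only then redirects (what a Safari start script can do).
function navigate(url, cookies, mode) {
  const plaintext = [];
  const target = rewriteUrl(RULESETS, url);
  if (mode === 'request' && target) {
    return { finalUrl: target, plaintext };
  }
  // The HTTP request is sent: path, query string and cookies go out in clear.
  const u = new URL(url);
  plaintext.push({ path: u.pathname + u.search, cookies });
  if (mode === 'start-script' && target) {
    return { finalUrl: target, plaintext };
  }
  return { finalUrl: url, plaintext };
}

// Sample run with a constructed session cookie: same rules, same final URL,
// but only the start-script mode leaks a plaintext request first.
const COOKIES = 'session=abc123';
const viaRequest = navigate('http://example.com/account?tab=billing', COOKIES, 'request');
const viaScript = navigate('http://example.com/account?tab=billing', COOKIES, 'start-script');
console.log(viaRequest.plaintext.length, viaScript.plaintext.length); // 0 1
```

Run it with `node` and compare the two `plaintext` arrays: both modes end on the same HTTPS URL, but in start-script mode the request path, query string and cookie have already been sent over HTTP before the redirect fires, which is exactly what the rule list cannot undo.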
That extension is useless. It does the redirect from HTTP to HTTPS in the “Start Scripts” method, and quoting from the Apple docs: “Start Scripts: Scripts to execute before a webpage is interpreted, usually a script that blocks unwanted content.” This means that the page has already been loaded once the extension does the redirect.
If the page has already been loaded before the script is called, then all the metadata, cookies, query variables etc. have already travelled unprotected via HTTP over the network.
So redirecting to HTTPS at this point is pretty much useless.
This is the same reason why “HTTPS Everywhere” is not available for Safari, quoting from the EFF FAQ: “the Safari extension API does not offer a way to perform secure rewriting of http requests to https”.
— Giu · Nov 10, 08:32 AM · #
I think you’re being a little harsh here. If you’re correct in your technical details, then only the initial “glance” at the website is unencrypted. All future dealings on the website will be encrypted after the user is redirected to HTTPS.
I suppose you could argue that a snoop would know what site you’re visiting, but with this extension they won’t necessarily know what you’re doing there. And even if you went in via the HTTPS entrance straight off, a snoop would still know what site it is you’re visiting because that isn’t encrypted.
— Keir · Nov 10, 09:59 AM · #
Yep, but the real problem is all the information (authentication cookie, tracking cookie, etc.) that will be sent on that first, unprotected connection. As soon as the browser requests the page, all that information is compromised.
Now, I am not saying that this extension is totally useless, it’s just misleading to say that this brings the power of HTTPS Everywhere to Safari, because clearly it doesn’t. There is a clear reason why the EFF hasn’t developed that extension for Safari, and it isn’t that they hate Safari, it’s just not safe enough. So I guess this extension could be fine with a giant disclaimer, otherwise it’s just lulling potential users into a false sense of security.
— Giu · Nov 10, 03:38 PM · #
Doing an HTTP redirect exposes more information than you might think. For example, the page you are visiting on the site is going to be exposed before the redirect.
The UK government just passed a law to collect exactly that information for everybody in the UK.
It’s a shame that Safari doesn’t currently allow a better solution to this. Until it does, I’ll be using Firefox or Chrome with HTTPS Everywhere.
— Andy · Nov 21, 01:03 AM · #