Browser extension can be retired as push to encrypt the web is almost complete, says EFF
UPDATED The Electronic Frontier Foundation (EFF) is planning to retire the HTTPS Everywhere browser extension because, 10 years on from the release of the plugin, its security mission has largely been accomplished.
Growing HTTPS adoption and native browser support to enforce HTTPS-only connections are making the plugin redundant.
HTTPS Everywhere – an open source browser extension for Google Chrome, Mozilla Firefox, Microsoft Edge, Opera, Brave, Tor and Firefox for Android or Brave for Mobile – automatically set up a more secure HTTPS connection instead of a HTTP link where sites supported the technology. Users could also block or unblock HTTP-only sites.
‘S’ for security
Forcing usage of HTTPS automatically where possible is nowhere near as necessary as it once was, hence the decision to phase out and retire the HTTPS Everywhere extension by the end of 2022.
Users should enable HTTPS-only mode in their browsers, as explained in a blog post by the EFF yesterday (September 27).
“Thanks to efforts of parties like EFF, Let’s Encrypt and browser vendors, most web traffic is over a secured channel nowadays,” said infosec blogger John Opdenakker in a post typical of the reaction of many in the community on Twitter.
Certificate authority Let’s Encrypt added in the “10 years since they launched it, the internet actually has HTTPS (almost) everywhere. What an exciting milestone!”
Romanian software developer Alex Nedelcu said “Interestingly there are still people thinking HTTPS isn’t needed for all websites, but they are wrong. TLS/SSL connections aren’t useful just for protecting what user sends, but also for signing what the server sends.”
Great progress has been made but it may perhaps be a little premature to mark the project of moving to a fully-encrypted web as "job done" just yet.
A list - compiled and regularly updated by security researchers Scott Helme and Troy Hunt - shows all of the sites that still don’t have an automatic redirect to https and load over http. There are still some big names on the Why No HTTPS? list, evidence that a secure web is still far from ubiquitous.
This story was updated to include a reference to the Why No HTTPS? list
YOU MAY ALSO LIKE Google Chrome to incorporate new secure payments feature