Monday, November 08, 2010

Firefox plugin: HTTPS Everywhere

Yet another Firefox plugin to add to the list of useful plugins: HTTPS Everywhere.

Essentially, this plugin forces your browser to use the secure (encrypted) HTTPS protocol when visiting certain websites (like Facebook, Google, ...). This way, no data is sent in cleartext over the internet. When visiting these websites, everything is encrypted by your browser before it leaves your computer, and is then decrypted by the server (and vice versa, when the server sends the webpage back to your PC).

Why would you want this?

If you log in over a normal HTTP connection, your username and password are sent over the internet in cleartext, readable by anyone who can intercept that packet. The same goes for sensitive data that might be visible on the websites you are visiting.

You are probably wondering who can catch your packets. Surely you must be an internet wizard to do that? Not true. Recently a Firefox plugin called Firesheep was published that allows a computer to look around on your local (wireless) network, hijack Facebook and other sessions on social networking websites, and actually see what those users are seeing.
For instance, when you are using a free wireless access point, someone with the Firesheep plugin can easily watch what you are doing. (With more sophisticated software this is also possible, and already was, but that requires more skill.)

So, to protect yourself from this kind of attack, it's better to use the HTTPS protocol as much as possible. A nice tool to help you do this is a plugin like HTTPS Everywhere or Force TLS. The Force TLS plugin does about the same as HTTPS Everywhere, but is more difficult to set up, because you have to tell the plugin for which websites you want to use HTTPS. The downside of the HTTPS Everywhere plugin is that it only works for the preprogrammed websites.
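
A simplified model of how a preprogrammed rule list behaves, and why a site missing from the list still goes out unencrypted. This is an added example, not code from HTTPS Everywhere or Force TLS; the rules, hostnames and function names are constructed for illustration.

```javascript
// Constructed rule list modelling "preprogrammed websites". These are sample
// rules on reserved example domains, not the plugin's real rules or format.
const RULES = [
  { target: "example.com", from: /^http:\/\/example\.com\//, to: "https://www.example.com/" },
  { target: "*.example.org", from: /^http:\/\/([^/]+)\.example\.org\//, to: "https://$1.example.org/" },
];

// A leading "*." in a target matches any subdomain, but not the bare domain.
function hostMatches(target, host) {
  if (target.startsWith("*.")) {
    const suffix = target.slice(1); // ".example.org"
    return host.length > suffix.length && host.endsWith(suffix);
  }
  return host === target;
}

// Decide what happens to one URL before the request leaves the browser.
function upgradeUrl(rawUrl, rules = RULES) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (err) {
    return { url: rawUrl, status: "invalid" };
  }
  if (url.protocol === "https:") return { url: url.href, status: "already-secure" };
  if (url.protocol !== "http:") return { url: url.href, status: "not-http" };
  for (const rule of rules) {
    if (!hostMatches(rule.target, url.hostname)) continue;
    const rewritten = url.href.replace(rule.from, rule.to);
    // Only accept a rewrite that really ends up on HTTPS.
    if (rewritten.startsWith("https://")) return { url: rewritten, status: "upgraded" };
  }
  // No rule covers this host: the request still goes out unencrypted.
  return { url: url.href, status: "cleartext" };
}

// List the URLs that would still be sent in cleartext despite the rule list.
function stillCleartext(urls, rules = RULES) {
  return urls.filter((u) => upgradeUrl(u, rules).status === "cleartext");
}
```

Running `stillCleartext` over your own bookmarks with a given rule list shows which logins remain exposed on an open wireless network.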