PC Pro

HTTPS secures victory

Browser extension that redirected users to secure versions of websites is no longer needed

Privacy campaigners have claimed a victory in their battle to make the web safer, by retiring a now redundant plug-in that enforced encryption.

Back in 2011, the web was a very different place. Most websites didn’t use HTTPS to connect to a computer. Instead, they used the unencrypted HTTP protocol, meaning that your web traffic could be sniffed out by any system your data happened to pass through. It was a security and privacy nightmare.

The Electronic Frontier Foundation (EFF) knew this needed to change for the good of the web, so it launched the “HTTPS Everywhere” browser extension, which performed a task we now take for granted. It redirected web addresses to secure versions of websites, so we would use HTTPS by default. A decade on, HTTPS by default is built into all the major browsers, so the EFF is declaring a victory of sorts – by retiring the now unnecessary extension.

So why did it take so long to take such an obvious security step? “There was still scepticism around HTTPS performance, and whether or not the performance was worth it,” said Alexis Hancock, director of engineering at the EFF, who worked on the extension. She explains how, at the time, website administrators had to pay a fee to a certificate authority in order to use HTTPS, which put many websites off.

As the EFF continued campaigning and use of the extension grew, the security dominoes gradually began to fall. “2015 was definitely a pivotal year,” said Hancock. “Certbot and Let’s Encrypt were launched and created. Let’s Encrypt is the body that provides free [HTTPS certificates] for websites, and Certbot is the tool that EFF works on to help website administrators automate that process.”

It was also the year when the first major change happened that end users would notice. “Chrome actually stepped up and started to flag sites as insecure,” said Hancock of the introduction of the browser’s green padlock, which provided a clear signal of whether a site was secure or not. “That was a big visual for users and website administrators,” she said.

The other browsers soon followed suit, and by 2018 Chrome switched to offering users the opposite perspective: retiring the padlock and instead warning users when the website they were using was not secure. And then last year, all the other browsers in quick succession announced the creation of HTTPS-only and HTTPS-by-default modes.

“We were really excited to see that close cascade of [announcements] together when Firefox really kind of kicked that into gear last fall,” said Hancock. And with that, it was essentially mission complete for the EFF’s extension.

So, what is the next big privacy and security battle the EFF plans to fight? “Going further in the network and the stack and making sure everything is secure, because your web requests don’t stop at your browser,” said Hancock, pointing to smartphone apps as one example of non-browser requests.

She believes that the next big privacy frontier is mobile, and that technologies such as end-to-end encryption can provide a more secure experience.

“Our internet use expands beyond laptops now, so we have to look at those platforms as well.”

Chrome’s green padlock showed clearly when a site was secure
