30 Sep 2021
Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Maintained by Hanno Böck.
The Electronic Frontier Foundation (EFF) has announced the deprecation of the HTTPS Everywhere plug-in. Instead it recommends that users enable HTTPS-only modes provided by modern browsers.
HTTPS Everywhere is a popular and commonly recommended security plug-in for browsers. It comes with a list of sites that support HTTPS and will make sure that the browser will redirect users to the HTTPS version if available.
While this improved security and avoided some unencrypted and unprotected connections, it has limitations. For example, it only redirects users for hosts included in the plug-in’s list.
Lately, major browser vendors have implemented HTTPS-only modes, starting with Firefox last year. Chrome and Edge also have added similar features. While similar in their goal, these HTTPS-only modes work differently than the HTTPS Everywhere plug-in.
By default, they don’t automatically connect to those hosts that only offer HTTP at all. In this mode, browsers will only connect via HTTP after manual confirmation by the user. This approach only became feasible because large parts of the web are now encrypted by default.
In a sense, the deprecation of HTTPS Everywhere shows how far the HTTPS-only web has come. The HTTPS Everywhere plug-in is thus no longer needed due to the success of its original idea.
This subscription is just for the newsletter; we won't send you anything else.
Designed by Ivan Ristić, the author of SSL Labs, Bulletproof TLS and PKI, and Hardenize, our course covers everything you need to know to deploy secure servers and encrypted web applications.
Remote and trainer-led, with small classes and a choice of timezones.
Join over 1,500 students who have benefited from more than a decade of deep TLS and PKI expertise.