HTTPS Everywhere: Force Open Secure Connection in Firefox and Chrome

It is well known that unprotected HTTP is prone to hijacking and that HTTPS provides better security.  However, while some web sites support HTTPS, they still use HTTP by default.  Other web sites support HTTPS, but their pages also contain links to unprotected HTTP pages.

Today’s featured browser extension is HTTPS Everywhere, which forces your Firefox and Chrome web browsers to use HTTPS on supported web sites.


HTTPS Everywhere: Auto-rewrite of Requests to HTTPS

HTTPS Everywhere - Electronic Frontier Foundation

HTTPS Everywhere is available as a Firefox add-on and as a Chrome extension.  It automatically rewrites all requests for unsecured HTTP pages to HTTPS, if HTTPS is supported.  Currently over 1400 web sites are supported; on these web sites the tool knows where to enable HTTPS on all supported parts of the site.  In other words, HTTPS Everywhere does not create the security features, it only enables them when available, so that you don’t have to find the link to the secured log-in or the option to enable HTTPS.
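The per-site rewriting described above can be sketched as follows. This is an added example, not the extension's own code: the ruleset format is simplified, and the site name, hosts and patterns are constructed for illustration.

```javascript
// Simplified model of per-site HTTP -> HTTPS rewrite rules (constructed data).
const RULESETS = [
  {
    name: "Example Shop (constructed)",
    targets: ["example.com", "*.example.com"],
    // Parts of the site known not to work over HTTPS are left alone.
    exclusions: [/^http:\/\/media\.example\.com\//],
    rules: [
      { from: /^http:\/\/(www\.)?example\.com\//, to: "https://www.example.com/" },
      { from: /^http:\/\/([a-z0-9-]+)\.example\.com\//, to: "https://$1.example.com/" },
    ],
  },
];

// "*.example.com" matches any subdomain; anything else must match exactly.
function hostMatches(host, target) {
  if (target.startsWith("*.")) return host.endsWith(target.slice(1));
  return host === target;
}

// Returns the HTTPS form of the URL when a ruleset covers it, else the input.
function rewriteToHttps(url) {
  const parsed = new URL(url);
  if (parsed.protocol !== "http:") return url; // already secure, or not web
  const href = parsed.href; // normalised: lower-case scheme and host
  for (const set of RULESETS) {
    if (!set.targets.some((t) => hostMatches(parsed.hostname, t))) continue;
    if (set.exclusions.some((re) => re.test(href))) return url;
    for (const rule of set.rules) {
      if (rule.from.test(href)) return href.replace(rule.from, rule.to);
    }
  }
  return url; // no ruleset: the site is not known to support HTTPS
}

console.log(rewriteToHttps("http://example.com/login"));
console.log(rewriteToHttps("http://media.example.com/video.flv"));
```

A site without a ruleset is left on HTTP, which is why the extension only helps on sites it has rules for.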

The new Chrome extension is currently in beta.  The Firefox version has one particularly useful feature that has yet to appear in Chrome: the Decentralized SSL Observatory.  This function, once enabled, detects encryption weaknesses and tells you when you browse a web site with a security vulnerability.  In other words, it points out security issues as you surf.  This is useful to web surfers as well as to web designers, who can quickly identify potential security holes.


Official Site:

Google Chrome Tutorial: Force Chrome to open web sites in https protocol

Some web sites support both HTTP and HTTPS.  If you are unsure what they are, a brief explanation is that HTTP is the network communication protocol that the web uses, and HTTPS is the combination of HTTP and the SSL/TLS protocol (which provides encrypted communication).  In even simpler terms, HTTPS generally gives better data protection.

Force https in Chrome

If you wish to force Chrome to open web sites in https protocol (provided that the web site supports it), apart from installing extensions, here is another method:

  1. open chrome://net-internals/ in the address bar
  2. go to the HSTS tab
  3. under Add domain, enter the domain name which you want Chrome to always open with https protocol (for example,
  4. check Include subdomains
  5. done!

If for some reason you want to undo this, scroll down a bit on the same page, find the Delete domain section, enter the domain name you want to remove from the https list and click Delete.
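What adding and deleting a domain in that list changes can be modelled as follows. This is an added example, not Chrome's code: it follows the matching and upgrade behaviour that the HSTS specification (RFC 6797) describes, and the host names are constructed placeholders.

```javascript
// Model of a browser HSTS list (constructed hosts, not Chrome's implementation).
class HstsList {
  constructor() {
    this.entries = new Map();
  }

  // Corresponds to "Add domain" with or without "Include subdomains".
  add(domain, includeSubdomains) {
    this.entries.set(domain.toLowerCase(), { includeSubdomains });
  }

  // Corresponds to "Delete domain".
  remove(domain) {
    return this.entries.delete(domain.toLowerCase());
  }

  // An exact host entry always matches; a parent-domain entry matches
  // only if it was stored with includeSubdomains.
  covers(host) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length; i++) {
      const entry = this.entries.get(labels.slice(i).join("."));
      if (entry && (i === 0 || entry.includeSubdomains)) return true;
    }
    return false;
  }

  // Rewrites http:// to https:// for covered hosts before any request is sent.
  // The default port 80 becomes 443; an explicit non-default port is kept.
  upgrade(url) {
    const u = new URL(url);
    if (u.protocol !== "http:" || !this.covers(u.hostname)) return url;
    u.protocol = "https:";
    return u.href;
  }
}

const list = new HstsList();
list.add("example.com", true);        // Include subdomains checked
list.add("login.example.org", false); // exact host only
console.log(list.upgrade("http://www.example.com/account"));
console.log(list.upgrade("http://a.login.example.org/"));
```

Matching is label by label, so an entry for example.com never covers an unrelated host such as notexample.com.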


source +Andy WU, via Chromi

Chrome 14 to add insecure script blocking for security, IE had that already

To fix a potential security loophole that many web sites have, Google will add a new feature to Chrome 14: blocking of insecure JavaScript.  The problem arises when an HTTPS web site loads JavaScript from an HTTP source.  Attackers could intercept the HTTP resource load and take control of the web site if the JavaScript contains security errors.

Mixed Script in Chrome

Currently if you see the above on the address bar, it is a notification by Chrome telling you that the web site you are viewing has mixed scripts.

Block insecure script info bar

In Chrome 14 we are going to see something different.  When insecure JavaScript is detected, Chrome will block it automatically and display a notification as an info bar.  You have the option to appreciate Chrome’s thoughtfulness or to accept the script anyway.

For web developers, Chrome 14 logs the problem in Javascript console (Menu -> Tools -> JavaScript Console) like this:

mixed script console in Chrome

Since the first Chrome 14 canary release (14.0.785.0) this insecure script blocking feature has been enabled by default.
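For site owners who want to find these loads before the browser blocks them, the following added example (not taken from Chrome or from the original post) lists the script URLs that an HTTPS page would fetch over plain HTTP. It is a regex scan for a quick audit rather than a full HTML parser, and the page URL and markup are constructed.

```javascript
// Lists <script src> URLs that an HTTPS page would load over plain HTTP.
function findInsecureScripts(pageUrl, html) {
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return []; // mixed content needs an HTTPS page
  const insecure = [];
  // src value may be double-quoted, single-quoted or unquoted.
  const scriptTag = /<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = scriptTag.exec(html)) !== null) {
    const raw = m[1] ?? m[2] ?? m[3];
    let resolved;
    try {
      // Relative and protocol-relative URLs inherit the page's scheme.
      resolved = new URL(raw, page);
    } catch {
      continue; // unparsable src: nothing would be fetched
    }
    if (resolved.protocol === "http:") insecure.push(resolved.href);
  }
  return insecure;
}

// Constructed sample page.
const SAMPLE_HTML = `
<script src="http://cdn.example.net/lib.js"></script>
<script src='https://cdn.example.net/ok.js'></script>
<script src="//static.example.net/p.js"></script>
<script src="/local.js"></script>
<script src=HTTP://Ads.example.net/a.js></script>
<img src="http://img.example.net/x.png">
<script>var inline = 1;</script>
`;

console.log(findInsecureScripts("https://shop.example.com/cart", SAMPLE_HTML));
```

Only the two scripts with an explicit http:// source are reported; the protocol-relative and site-relative ones follow the page onto HTTPS, and the image is not a script.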

According to thechromesource, this feature was first found in Internet Explorer.  Google copying from Microsoft?  Yes.


source Google Online Security Blog, via thechromesource

Chrome 12 Released, A Safer and Snazzier Browser

Shaun the Sheep - Hardware-accelerated 3D CSS experiment for Chrome browser

(Image via Google Chrome Blog)

Google released Chrome 12, the latest version of its popular Chrome browser.  Google has been releasing a major update once every 6 weeks (Chrome 10 on 3 Mar and Chrome 11 on 28 Apr).

The first major change is an improvement to the Safe Browsing technology.  From now on Chrome will warn you if you are trying to download a malicious file.  This is done behind the scenes: Chrome or Google does not know the URL you are visiting or the file you download, so privacy is protected.

Google also added an option to remove data that extensions leave behind, including Flash Player data (local shared objects, LSO).  These Flash cookies, if improperly exposed, may let other people know which Flash video you have watched or which Flash game you have played.  In the past, removal of this data could only be done through Adobe’s website.  It is now possible in the Chrome browser.

The final major change in Chrome is the support for hardware-accelerated 3D CSS.  You get a “snazzier” experience when browsing web pages and using web apps that enable hardware-accelerated 3D effects.  You can try it through this experimental web site on Windows Vista or Mac OS X 10.6 or above.

As usual the browser updates itself so users are not required to download this update (unless you are using portable versions created by others).

via Google Chrome Blog
