I would like to know if one should use 'HTTPS everywhere' extension? Is it secure to use it? Are there any better alternatives?
HTTPS Everywhere is a Firefox and Chrome extension that encrypts your communications with many major websites, making your browsing more secure. Encrypt the web: Install HTTPS Everywhere today.
EFF is a highly respected organization dedicated to protecting privacy in electronic communications. It would be against their interests to jeopardize people's privacy through their products.
You can also use NoScript to ensure your connections are over https. NoScript also comes with a tonne of other defences that include XSS protection, Clickjacking detection, ABE (kinda like a firewall in your browser) and many more. NoScript has been around for years and it's highly regarded and respected.
As I replied before, you should understand that you can still use SSLstrip against HTTPS Everywhere. By searching a bit, I also came across this link and this test (related to the previous link), it seems that HTTPSEverywhere does not protect you against spoofing attacks. Related to this topic, I could also find this one which contains a lot of good information, and this one on how to protect from sslstrip attacks.
Have fun reading ;)
I think this extension is quite simple and generally safe to use for two reasons:
Firstly, on Q. When does HTTPS Everywhere protect me? When does it not protect me? section on HTTPS Everywhere website FAQ page
HTTPS Everywhere depends entirely on the security features of the individual web sites that you use; it activates those security features, but it can't create them if they don't already exist.
This means the extension simply turn on HTTPS automatically if possible and does not communicate between the user's browser and the website.
Secondly, it is open sourced and the source code is public. It means anyone can access and read how the extension works if possible.
However, in my opinion, the description of the extension seems misleading, because it claims to 'encrypts your communications' on their website. This extension simply switches from http to https if possible and doesn't do anything with the transmission of the data.
HTTPS Everywhere is a great feature but the issue I see is that it have dependency on the user browser and type of browser. Moreover if will be really tough to manage mobile and tablets browser.
It will be ideal if we handle HTTPS enforcement from your server itself. If you are hosting a very confidential portal, then you can go for secure session for all the pages (servlets etc) else you can enforce them on particular pages as well. I think we are bound to ensure the transport layer security when ever it is required from the server side itself. Hence pages where login/authenticate or confidential user data is displayed should be protected using HTTPS and the calling the link using HTTP should be denied by the server.
Sometimes it makes a sense not to enforce secure session for all pages or data for example images, as the session overhead will consume more bandwidth both for client and server.
As far security of HTTPS Everywhere is concerned, It could be secured but than you can't rely on its behavior and properties for security enforcement. Both ways you need to ensure that confidential pages or authentication pages have to go through HTTPS channel which is enforced from your server.
