August 4th, 2011
Firefox Extension Defends Against Search Hijacking Schemes and Improves Web Security
San Francisco - The Electronic Frontier Foundation (EFF), in collaboration with the Tor Project, has launched an
official 1.0 version of HTTPS Everywhere, a tool for the Firefox web browser that helps secure web browsing by
encrypting connections to more than 1,000 websites.
HTTPS Everywhere was first released as a beta test version in June of 2010. Today's 1.0 version includes support for
hundreds of additional websites, using carefully crafted rules to switch from HTTP to HTTPS. HTTPS protects against
numerous Internet security and privacy problems, including the search hijacking on U.S. networks that was revealed by an
article published today in New Scientist magazine. The article, entitled "US internet providers hijacking users' search
queries," documents how a company called Paxfire has been intercepting and altering search traffic on a number of ISPs'
networks. HTTPS can prevent such attacks.
"HTTPS secures web browsing by encrypting both requests from your browser to websites and the resulting pages that are
displayed," said EFF Senior Staff Technologist Peter Eckersley. "Without HTTPS, your online reading habits and
activities are vulnerable to eavesdropping, and your accounts are vulnerable to hijacking. Today's Paxfire revelations
are a grand example of how things can go wrong. EFF created HTTPS Everywhere to make it easier for people to keep their
user names, passwords, and browsing histories secure and private. With the revelation that companies like Paxfire are
out there, intercepting millions of people's searches without their permission, this kind of protection is
indispensable."
HTTPS Everywhere 1.0 encrypts connections to Google Image Search, Flickr, Netflix, Apple, and news sites like NPR and
the Economist, as well as dozens of banks. HTTPS Everywhere also includes support for Google Search, Facebook, Twitter,
Hotmail, Wikipedia, the New York Times, and hundreds of other popular websites.
However, many websites have not implemented HTTPS at all. On sites that are HTTP-only, users still have to live with
lower levels of privacy and security.
"More websites should implement HTTPS to help protect their users from identity theft, viruses, and other security
threats," said Senior Staff Technologist Seth Schoen. "Our Firefox extension is able to protect people using Google,
DuckDuckGo or StartingPage for their searches. But we currently can't protect Bing and Yahoo users, because those search
engines do not support HTTPS."
HTTPS Everywhere has been downloaded millions of times since last year's initial beta release.
To download HTTPS Everywhere for Firefox:
For more on implementing HTTPS in websites:
ENDS