The Problem

You’ve probably read in the news about a Firefox extension called “Firesheep”. It was developed by Eric Butler and recently presented at ToorCon, pretty much to demonstrate a rather obvious thing: if a website which handles passwords or other sensitive bits doesn’t enforce HTTPS encryption all over its domain, rather than just on login pages as many do (including Facebook and other popular social networks), your data can be easily sniffed and reused by malicious third parties. Furthermore, under specific circumstances (e.g. when you use Tor), a MITM attack can silently redirect you to a fake HTTP version of the site, and there’s not much a web site can do about this without the client’s help, other than consistently using HTTPS-only cookies.

HSTS To The Rescue!

What you may or may not know is that a technology called HSTS (HTTP Strict Transport Security) has been designed, mainly on PayPal’s input, to help websites make their HTTPS setup more reliable and resistant to hijacking attacks. HSTS has been implemented by NoScript and by the Chrome web browser for more than a year, and it is also currently shipping in Firefox 4 betas and development builds.

HSTS is a passive security enhancer, though, because it needs websites to opt in by sending a Strict-Transport-Security HTTP header, which asks the browser to automatically “upgrade” every subsequent request for the same site to a secure connection (HTTPS), even if it was initiated as plain HTTP.
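The opt-in mechanism just described, as an added example (this is not NoScript’s or any browser’s code): a minimal HSTS policy store that parses the Strict-Transport-Security header, remembers the policy for max-age seconds, honours includeSubDomains, and rewrites later plain-HTTP URLs for the host to HTTPS. The sample hostnames and timestamps are constructed.

```javascript
// Added example, not NoScript's or a browser's implementation: a minimal HSTS
// policy store. A site opts in by sending Strict-Transport-Security over HTTPS;
// afterwards every plain-HTTP URL for that host (and, with includeSubDomains,
// its subdomains) is rewritten to HTTPS until max-age seconds have elapsed.

// Parse a header value such as 'max-age=31536000; includeSubDomains'.
// Returns null when the header is unusable (missing or non-numeric max-age).
function parseStsHeader(value) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const rawDirective of value.split(";")) {
    const directive = rawDirective.trim();
    if (!directive) continue;
    const eq = directive.indexOf("=");
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? null : directive.slice(eq + 1).trim().replace(/^"|"$/g, "");
    if (name === "max-age") {
      if (val === null || !/^\d+$/.test(val)) return null;
      maxAge = parseInt(val, 10);
    } else if (name === "includesubdomains") {
      includeSubDomains = true;
    }
    // Unknown directives are ignored, as the header format allows.
  }
  if (maxAge === null) return null;
  return { maxAge, includeSubDomains };
}

class HstsStore {
  constructor() {
    this.policies = new Map(); // host -> { expires (ms), includeSubDomains }
  }

  // Record a policy from a response. Only responses received over HTTPS count:
  // someone on a plain-HTTP path must not be able to plant or clear policies.
  recordResponse(url, headerValue, now = Date.now()) {
    const u = new URL(url);
    if (u.protocol !== "https:") return false;
    const policy = parseStsHeader(headerValue);
    if (!policy) return false;
    const host = u.hostname.toLowerCase();
    if (policy.maxAge === 0) {        // max-age=0 revokes the policy
      this.policies.delete(host);
      return true;
    }
    this.policies.set(host, {
      expires: now + policy.maxAge * 1000,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // True if a live policy covers this host, either directly or through a
  // parent domain whose policy carries includeSubDomains.
  isKnownHost(host, now = Date.now()) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join(".");
      const p = this.policies.get(candidate);
      if (!p) continue;
      if (p.expires <= now) {         // expired: forget it
        this.policies.delete(candidate);
        continue;
      }
      if (i === 0 || p.includeSubDomains) return true;
    }
    return false;
  }

  // Rewrite an http:// URL to https:// when a policy applies; else return it unchanged.
  upgrade(url, now = Date.now()) {
    const u = new URL(url);
    if (u.protocol !== "http:" || !this.isKnownHost(u.hostname, now)) return url;
    u.protocol = "https:";
    return u.toString();
  }
}
```

The store is what makes the “passive” part visible: until a host has sent the header over HTTPS, `upgrade` leaves its URLs alone, which is exactly the gap the manual “force HTTPS” list in the next section fills.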

Being Proactive

Since HSTS is really simple and easy to understand, it would be wonderful if every web site supporting HTTPS deployed HSTS too. Regrettably we’re not there yet: www.paypal.com (quite obviously) and secure.informaction.com are among the very few which already do, but addons.mozilla.org, for instance, currently doesn’t, nor does Google itself.

Fortunately NoScript, for more than two years now, has also allowed us to manually select the web sites we want to browse via HTTPS only, by adding them in the NoScript Options|Advanced|HTTPS panel. Of course not all web sites like having HTTPS pushed down their throats, so you should pick only those already supporting HTTPS, and you may still expect a tiny few of them to misbehave. However your online banking, your webmail and the aforementioned addons.mozilla.org are probably great candidates to be added to NoScript’s “force HTTPS” list right now.

24 Responses to “Forcing HTTPS with NoScript”

  1. #1 Greg says:

    How can I test to make sure that the ‘force HTTPS’ list is actually working?

    Thanks!
    Greg

  2. #2 Giorgio says:

    @Greg:
    Supposing you added .somesite.com (which is a shortcut for “somesite.com *.somesite.com”), you can try opening http://www.somesite.com and checking whether it gets automatically upgraded to https://www.somesite.com.
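The manual “force HTTPS” list from the post, with the .somesite.com shortcut Giorgio spells out in this reply, as an added example (not NoScript’s own code). It assumes entries are space-separated, that a bare host matches only itself, that “*.host” matches any subdomain, and that “.host” expands to both; the sample list and URLs are constructed.

```javascript
// Added example, not NoScript's implementation: a user-maintained force-HTTPS
// list. Assumed entry forms: "somesite.com" (that host only), "*.somesite.com"
// (any subdomain), and ".somesite.com" as a shortcut for both.
class ForceHttpsList {
  constructor(entries = "") {
    this.exact = new Set();     // hosts matched literally
    this.wildcard = new Set();  // base domains whose subdomains match
    for (const entry of entries.split(/\s+/)) this.add(entry);
  }

  add(entry) {
    const e = entry.trim().toLowerCase();
    if (!e) return;
    if (e.startsWith("*.")) {
      this.wildcard.add(e.slice(2));
    } else if (e.startsWith(".")) {
      // ".somesite.com" == "somesite.com *.somesite.com"
      this.exact.add(e.slice(1));
      this.wildcard.add(e.slice(1));
    } else {
      this.exact.add(e);
    }
  }

  // True if the host is listed literally or is a proper subdomain of a wildcard entry.
  matches(host) {
    const h = host.toLowerCase();
    if (this.exact.has(h)) return true;
    const labels = h.split(".");
    for (let i = 1; i < labels.length; i++) {
      if (this.wildcard.has(labels.slice(i).join("."))) return true;
    }
    return false;
  }

  // Applied to every request URL, whatever the resource type (page, script,
  // image, stylesheet). The rewrite is unconditional: nothing here checks that
  // the host actually serves HTTPS, so a listed host without it simply breaks.
  upgrade(url) {
    const u = new URL(url);
    if (u.protocol !== "http:" || !this.matches(u.hostname)) return url;
    u.protocol = "https:";
    return u.toString();
  }
}

// Constructed sample list, like one typed into Options|Advanced|HTTPS.
const sampleList = new ForceHttpsList(".somesite.com addons.mozilla.org *.mail.example.net");
```

Because `upgrade` never probes the server, the behaviour Matt reports further down in the thread (a listed site that has no HTTPS at all becomes unreachable) follows directly from it; only hosts already known to support HTTPS belong in the list.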

  3. #3 Silverburn says:

    In the mean time, here’s an interesting add-on for Firefox, to enforce HTTPS on sites that have it, but haven’t, and maybe will never implement HSTS.

    https://www.eff.org/https-everywhere

    It’s partially based on NoScript’s system. And it allows you to write your own rules: https://www.eff.org/https-everywhere/rulesets

  4. #4 Francois Marier says:

    Another useful Firefox extension for this is HTTPS Everywhere (released by the Electronic Frontier Foundation):

    https://www.eff.org/https-everywhere/

    It automatically redirects a number of well-known sites to their HTTPS equivalents.

  5. #5 Neil Rashbrook says:

    bugzilla.mozilla.org also sets STS headers, of course.

    My old banking website didn’t have an HTTP version. I don’t know if that made it any more secure. (The new one silently redirects to the secure login page.)

  6. #6 Andy Steingruebl says:

    To be fair, the spec is based on the earlier work by Adam Barth and Collin Jackson, who really came up with the idea.

  7. #7 Giorgio says:

    @Andy Steingruebl:
    Ah ah, to be further fair, the idea of using a dedicated header and an ad-hoc persistence mechanism, instead of Adam & Collin’s cookie-based approach, actually came out of a discussion between you and me, BTW :)

  8. #8 rasg says:

    Force-TLS (firefox extension)

    google it

    doesn’t require rules

  9. #9 Rob says:

    I’ve been using NoScript to force HTTPS at several sites for a long while, but I hadn’t thought of addons.mozilla.org. Thanks!

  10. #10 Giorgio says:

    @rasg:
    Force-TLS is a HSTS implementation, just like NoScript: both don’t require rules as long as web sites cooperate, but if the web site is not HSTS-aware (i.e. the vast majority, at this moment), you may want to manually force them, and NoScript gives you this extra flexibility and more.

  11. #11 keyzer says:

    Hi Giorgio,
    Any chance you’ll be developing NoScript for Opera 11?

  12. #12 Giorgio says:

    @keyzer:
    It’s not easy, but at this moment it’s a bit more likely than doing it for Chrome, from a technical standpoint (the relevant APIs are slightly better in Opera).

    However Firefox as a platform is definitely unbeatable: other extensions architectures are still a joke, in comparison.

  13. #13 Matt says:

    I entered http://www.dslreports.com into the NoScript HTTPS secure connections list and cannot access that site unless I remove it from the list. Why is this?

  14. #14 Giorgio says:

    @Matt:
    That’s because, unfortunately, https://www.dslreports.com does not work, i.e. DSL Reports’ guys did not setup any encryption support at all.
    There’s nothing you can do about it, except pushing the administrators to change their mind, if you really think there’s something valuable in the traffic you exchange with that website which needs to be protected against eavesdroppers.

  15. #15 Matt says:

    Under HTTPS, Behavior: should the drop-down box above the forced site listings be on "always" or on "never"?

  16. #16 Giorgio says:

    @Matt:
    Never, unless you know exactly what you’re doing.

  17. #17 Yonatan Amir says:

    Does NoScript also handle the problems mentioned in this article, i.e. plain HTML js requests?
    http://www.digitalsociety.org/2010/10/even-forced-ssl-is-broken-for-facebook-google-twitter/

  18. #18 Giorgio says:

    @Yonatan Amir:
    Yes it does, because it forces every single request and subrequest of any kind, including scripts, images, stylesheets and so on.

  19. #19 Karl Muggel says:

    Great, now we just need something like the Certificate Patrol extension but better working (and for all requests).

  20. #20 Bob says:

    @Giorgio, HTTPS Everywhere and Force-TLS both allow you to actually force SSL, and sites won’t work unless they support SSL completely. How is the NoScript functionality actually different from this? You say "Yes it does, because it forces every single request and subrequest of any kind, including scripts, images, stylesheets and so on." but the same is true for the other extensions, right?

  21. #21 Giorgio says:

    @Bob:
    Yes, HTTPS Everywhere (obviously, since it’s based on NoScript’s code) and ForceTLS (which uses a different and rather invasive method that causes subtle bugs) are equally effective in turning every request to SSL.

    George Ou’s article which I was answering to, though, talked about a “Force HTTPS” Chrome extension which is completely unreliable, thanks to the usual limitations in Chrome’s extension API.

  22. #22 Hanzi HInt says:

    @Bob: On an interesting note, the original HTTPS enforcement functionality of NoScript wouldn’t work this way.

  23. #23 Porcelain Mouse says:

    It seems like NoScript offers a middle-ground, called "Enable Automatic Secure Cookies Management" where encryption is forced for cookies, but the rest of the page is not. Do I understand that correctly?

    Specifically regarding the prevention of cookie hijacking attacks, is forcing cookie encryption as good as forcing HTTPS for all elements? I understand the content of the page would not necessarily be encrypted, but if the cookies are, isn’t that good enough to stop hijacking? Given that full encryption fails on so many sites, I wonder if this isn’t the most widely implementable compromise?

  24. #24 jack says:

    noscript is awesome!!!

    please add support for firefox 4 beta 8 (mac)…… testing it out now. blazing fast, even compared to beta 7!

    keep up the good work and happy holidays!
