The Problem
You've probably read in the news about a Firefox extension called "Firesheep". It was developed by Eric Butler and recently presented at ToorCon, pretty much to demonstrate a rather obvious thing: if a website which handles passwords or other sensitive bits doesn't enforce HTTPS encryption all over its domain, rather than just on login pages like many do (including Facebook and other popular social networks), your data can be easily sniffed and reused by malicious third parties. Furthermore, under specific circumstances (e.g. when you use Tor), a MITM attack can silently redirect you to a fake HTTP version of the site, and there's not much a website can do about this without the client's help, other than consistently using HTTPS-only (secure) cookies.
HSTS To The Rescue!
What you may or may not know is that a technology called HSTS (HTTP Strict Transport Security) has been designed, mainly with PayPal's input, in order to help websites make their HTTPS setup more reliable and safe against hijacking attacks. HSTS was implemented by NoScript and by the Chrome web browser more than a year ago, and it's currently shipping also in Firefox 4 betas and development builds.
HSTS is a passive security enhancer, though, because it needs websites to opt in by sending a Strict-Transport-Security HTTP header, which asks the browser to automatically "upgrade" every subsequent request for the same site to a secure connection (HTTPS), even if it was initiated as plain HTTP.
Being Proactive
Since HSTS is really simple and easy to understand, it would be wonderful if every web site supporting HTTPS deployed HSTS too. Regrettably we're not there yet: www.paypal.com (quite obviously) and secure.informaction.com are among the very few which already do, but for instance addons.mozilla.org currently doesn't, nor does Google itself.
Fortunately NoScript, for more than two years now, has also allowed us to manually select the websites which we want to browse via HTTPS only, by adding them in the NoScript Options|Advanced|HTTPS panel. Of course not all websites like having HTTPS pushed down their throats, so you should pick only those already supporting HTTPS, and even then expect a few of them to misbehave. However your online banking, your webmail and the aforementioned addons.mozilla.org are probably great candidates to be added to NoScript's "force HTTPS" list right now.
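As an added example (not NoScript's or Firefox's own code), here is a minimal Node.js model of the two upgrade mechanisms described above: an HSTS store that learns policies only from Strict-Transport-Security headers received over HTTPS, and a user-maintained "force HTTPS" list using the ".somesite.com" shortcut for "somesite.com *.somesite.com" that the comments below describe. The `now` clock parameter is an assumption added to make expiry testable.

```javascript
// Parse a Strict-Transport-Security header value such as
// "max-age=31536000; includeSubDomains". Returns null if max-age is missing.
function parseStsHeader(value) {
  let maxAge = null, includeSubDomains = false;
  for (const part of value.split(";")) {
    const [name, raw] = part.trim().split("=").map(s => s && s.trim());
    if (!name) continue;
    if (name.toLowerCase() === "max-age" && /^"?\d+"?$/.test(raw || "")) {
      maxAge = parseInt(raw.replace(/"/g, ""), 10);
    } else if (name.toLowerCase() === "includesubdomains") {
      includeSubDomains = true;
    }
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

// In-memory HSTS store keyed by host. Only a response received over HTTPS
// may set or clear a policy; a plain-HTTP header could come from an attacker.
class HstsStore {
  constructor(now = () => Date.now()) { this.now = now; this.hosts = new Map(); }
  learn(host, overHttps, headerValue) {
    if (!overHttps) return false;
    const policy = parseStsHeader(headerValue);
    if (!policy) return false;
    if (policy.maxAge === 0) { this.hosts.delete(host); return true; } // max-age=0 revokes
    this.hosts.set(host, { expires: this.now() + policy.maxAge * 1000,
                           includeSubDomains: policy.includeSubDomains });
    return true;
  }
  covers(host) {
    for (const [h, p] of this.hosts) {
      if (p.expires <= this.now()) continue; // expired entries no longer apply
      if (host === h || (p.includeSubDomains && host.endsWith("." + h))) return true;
    }
    return false;
  }
}

// "example.com" matches only that host; ".example.com" matches it and all subdomains.
function forcedByList(host, list) {
  return list.some(e => e.startsWith(".") ? host === e.slice(1) || host.endsWith(e)
                                         : host === e);
}

// Rewrite a plain-HTTP URL to HTTPS when either mechanism applies to its host.
function upgrade(url, store, list) {
  const u = new URL(url);
  if (u.protocol === "http:" && (store.covers(u.hostname) || forcedByList(u.hostname, list))) {
    u.protocol = "https:";
  }
  return u.href;
}
```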
October 27th, 2010 at 12:39 am
How can I test to make sure that the 'force HTTPS' list is actually working?
Thanks!
Greg
October 27th, 2010 at 12:46 am
@Greg:
Supposing you added .somesite.com (which is a shortcut for "somesite.com *.somesite.com"), you can try opening http://www.somesite.com and check whether it gets automatically upgraded to https://www.somesite.com.
October 27th, 2010 at 3:11 am
In the meantime, here's an interesting add-on for Firefox, to enforce HTTPS on sites that have it, but haven't, and maybe will never implement HSTS.
https://www.eff.org/https-everywhere
It's partially based on NoScript's system. And it allows you to write your own rules: https://www.eff.org/https-everywhere/rulesets
October 27th, 2010 at 4:35 am
Another useful Firefox extension for this is HTTPS Everywhere (released by the Electronic Frontier Foundation):
https://www.eff.org/https-everywhere/
It automatically redirects a number of well-known sites to their HTTPS equivalents.
October 27th, 2010 at 12:52 pm
bugzilla.mozilla.org also sets STS headers, of course.
My old banking website didn't have an HTTP version. I don't know if that made it any more secure. (The new one silently redirects to the secure login page.)
October 27th, 2010 at 6:46 pm
To be fair, the spec is based on the earlier work by Adam Barth and Collin Jackson, who really came up with the idea.
October 27th, 2010 at 8:40 pm
@Andy Steingruebl:
Ah ah, to be further fair, the idea of using a dedicated header and an ad-hoc persistence mechanism, instead of Adam & Collin's cookie-based approach, actually came out from a discussion between you and me, BTW :)
October 28th, 2010 at 2:07 pm
Force-TLS (firefox extension)
google it
doesn't require rules
October 28th, 2010 at 2:16 pm
I've been using NoScript to force HTTPS at several sites for a long while, but I hadn't thought of addons.mozilla.org. Thanks!
October 28th, 2010 at 2:24 pm
@rasg:
Force-TLS is a HSTS implementation, just like NoScript: both don't require rules as long as web sites cooperate, but if the web site is not HSTS-aware (i.e. the vast majority, at this moment), you may want to manually force them, and NoScript gives you this extra flexibility and more.
October 28th, 2010 at 7:34 pm
Hi Giorgio,
Any chance you'll be developing NoScript for Opera 11?
October 28th, 2010 at 7:39 pm
@keyzer:
It's not easy, but at this moment it's a bit more likely than doing it for Chrome, from a technical standpoint (the relevant APIs are slightly better in Opera).
However Firefox as a platform is definitely unbeatable: other extensions architectures are still a joke, in comparison.
October 29th, 2010 at 2:29 am
I entered http://www.dslreports.com into the NoScript HTTPS secure connections list and cannot access that site unless I remove it from the list. Why is this?
October 29th, 2010 at 7:53 am
@Matt:
That's because, unfortunately, https://www.dslreports.com does not work, i.e. DSL Reports' guys did not setup any encryption support at all.
There's nothing you can do about it, except pushing the administrators to change their mind, if you really think there's something valuable in the traffic you exchange with that website which needs to be protected against eavesdroppers.
October 30th, 2010 at 1:46 am
Under HTTPS|Behavior, should the drop-down box above the forced site listings be on "always" or on "never"?
October 30th, 2010 at 2:40 am
@Matt:
Never, unless you know exactly what you're doing.
October 31st, 2010 at 4:42 pm
Does NoScript also handle the problems mentioned in this article, i.e. plain HTML js requests?
http://www.digitalsociety.org/2010/10/even-forced-ssl-is-broken-for-facebook-google-twitter/
October 31st, 2010 at 4:56 pm
@Yonatan Amir:
Yes it does, because it forces every single request and subrequest of any kind, including scripts, images, stylesheets and so on.
November 4th, 2010 at 12:10 am
Great, now we just need something like the Certificate Patrol extension but better working (and for all requests).
November 5th, 2010 at 6:58 am
@Giorgio, HTTPS Everywhere and Force-TLS both allow you to actually force SSL, and sites won't work unless they support SSL completely. How is the NoScript functionality actually different from this? You say "Yes it does, because it forces every single request and subrequest of any kind, including scripts, images, stylesheets and so on." but the same is true for the other extensions, right?
November 5th, 2010 at 9:45 am
@Bob:
Yes, HTTPS Everywhere (obviously, since it's based on NoScript's code) and ForceTLS (which uses a different and rather invasive method that causes subtle bugs) are equally effective in turning every request to SSL.
George Ou's article which I was answering to, though, talked about a "Force HTTPS" Chrome extension which is completely unreliable, thanks to the usual limitations in Chrome's extension API.
November 5th, 2010 at 9:04 pm
@Bob: On an interesting note, the original HTTPS enforcement functionality of NoScript wouldn't work this way.
December 1st, 2010 at 8:30 pm
It seems like NoScript offers a middle-ground, called "Enable Automatic Secure Cookies Management" where encryption is forced for cookies, but the rest of the page is not. Do I understand that correctly?
Specifically regarding the prevention of cookie hijacking attacks, is forcing cookie encryption as good as forcing HTTPS for all elements? I understand the content of the page would not necessarily be encrypted, but if the cookies are, isn't that good enough to stop hijacking? Given that full encryption fails on so many sites, I wonder if this isn't the most widely implementable compromise?
December 15th, 2010 at 6:11 pm
noscript is awesome!!!
please add support for firefox 4 beta 8 (mac)...... testing it out now. blazing fast, even compared to beta 7!
keep up the good work and happy holidays!