Tuesday, June 22, 2010

Firefox offers "https everywhere" protection for web surfing (EFF has article, links)

Peter Eckersley has an important piece on the Electronic Frontier Foundation (EFF) site today “Encrypt the Web with HTTPS Everywhere Firefox Extension”, link here.

The article provides a link to install an app that forces every web access from Firefox to presume that the access is encrypted. Once installed, unencrypted sites will provoke a warning with Firefox allows you to override (the security certificate check) if you trust the site.

The article warns that https access from sites that say they have security certificates do not always have completely adequate encryption.

The feature would be particularly helpful in wireless environments, particularly when “on the road”. Windows firewall has been criticized as not able to protect users from tapping of unencrypted output from their computers. (Home wireless networks, which Comcast and other isp’s are encouraging customers to install, raise a good security question, since their router range can be considerable, although in residential areas the risk is probably rather minimal. It’s a good idea to pay attention to physical traffic in your neighborhood, as good home security requires anyway. Another remote risk is that a parked party could monopolize your bandwidth; I’ll look in to how to check for unauthorized remote access to your home network later.)

My own doasktotell.com does not have a security certificate because it never collects personal information, does not require a user login, and in particular does not process credit cards. (All my commercial activity goes to third party sites like bn, amazon, and iuniverse.)

You must actually access the EFF link from (while browsing from) Firefox to install the “sub-app” (an xpi file) successfully. From IE, Windows Vista cannot figure out what kind of file xpi is. You don’t get prompted to restart the machine, but that’s probably a good idea, since it would have to change your registry. The sub-app also works on the Mac.

I suspect that Microsoft will soon offer a similar feature for IE with a scheduled security update (for Vista, 7, and XP). It will probably be a large and somewhat complicated update.

No comments: