Today we’re proud to announce the launch of a new version of HTTPS Everywhere,
2018.4.3, which brings with it exciting new features. With this newest update, you’ll receive our list of HTTPS-supporting sites more regularly, bundled as a package that is delivered to the extension on a continual basis. This means that your HTTPS-Everywhere-protected browser will have more up-to-date coverage for sites that offer HTTPS, and you’ll encounter fewer sites that break due to bugs in our list of supported sites. It also means that in the future, third parties can create their own list of URL redirects for use in the extension. This could be useful, for instance, in the Tor Browser to improve the user experience for
.onionURLs. This new version is the same old extension you know and love, now with a cleaner behind-the-scenes process to ensure that it’s protecting you better than ever before.
How does it work?
You may be familiar with our popular browser extension, available for Firefox, Chrome, Opera, and the Tor Browser. The idea is simple: whenever a user visits a site that we know offers HTTPS, we ensure that their browser connects to that site with the security of HTTPS rather than insecure HTTP. This means that users will have the best security available, avoiding subtle attacks that can downgrade their connections and compromise their data. But knowing is half the battle. Keeping the list of sites that offer HTTPS updated is an enormous effort, comprising a collaboration between hundreds of contributors to the extension and a handful of active maintainers to craft what are known as HTTPS Everywhere’s “rulesets.” At the time of writing, there are over 23,000 ruleset files – each containing at least one domain name (or FQDN, like
We’ve modified the extension to periodically check in with EFF to see if a new list is available.
Why go through all this trouble to maintain a list of sites supporting HTTPS, instead of just defaulting to HTTPS? Because a lot of sites still only offer HTTP. Without knowing that a site supports HTTPS, we’d have to try HTTPS first, and then downgrade your connection if it’s not available. And for a network attacker, it’s easy to fake the browser into thinking that a site does not offer HTTPS. That’s why downgrading connections can be dangerous – you can fall right into the trap of an attacker. HTTPS Everywhere forces your browser to use the secure endpoint if it’s on our list, thus ensuring that you’ll have the highest level of security available for these sites.
Ordinarily, we’ll deliver this ruleset list bundled with the extension when you install or update it. But it’s a lot of work to release a new version just to deliver a new list of rulesets to you! So we’ve modified the extension to periodically check in with EFF to see if a new list is available. That way you’ll get the newest ruleset list in a timely manner, without having to wait for a new version to be released. In order to verify that these are the authentic EFF rulesets, we’ve signed them so that your browser can check that they’re legitimate, using the Web Crypto API. We’ve also made it easy for developers and third parties to publish their own rulesets, signed with their own key, and build that into a custom-made edition of HTTPS Everywhere. We’ve called these “update channels,” and the extension is capable of digesting multiple update channels at the same time.
This is just the start
In the future, we plan to build on this feature, making it easy for users to modify the set of update channels they digest in their own HTTPS Everywhere instance. This will entail building out a nicer user experience to modify, delete, and edit update channels.
The fact is that only a small subset of the ruleset files change in a given time. So we’ll also be researching how to safely deliver to your browser only the changes between one edition of the rulesets and the next. This will save you a lot of bandwidth, which is especially important in contexts where your ISP provides a slow or throttled connection.
Today, as always, we aim to better your browsing experience by protecting your data with this latest release. We’re excited to use bring you these new features, just as we’ve been glad to keep your browsing safe ever since we launched HTTPS Everywhere in 2010.
We’d like to thank Fastly for providing the bandwidth necessary to deliver our ruleset updates.