"HTTPS Now" campaign launched to protect internet security
The San Francisco based Electronic Frontier Foundation (EFF) citizens' rights organisation and the Access digital freedom organisation have announced the launch of new international campaign. Called "HTTPS Now", the campaign is aimed at rallying consumers from around the globe to take an active role in making web surfing safer and more secure.
According to EFF Activist Eva Galperin, the organisations hope that the campaign will spread the word about HTTPS and how to use it correctly, noting that, "HTTPS provides the minimum level of security for websites. Without it, no site can make any meaningful security or privacy guarantees to its users". When connecting via an HTTPS connection, users send their data securely via SSL (Secure Sockets Layer). This means that even cookies are transmitted in encrypted form and can no longer be read and exploited for fraudulent activities by attackers using such tools as the Firesheep extension for Firefox. Firesheep can be used by attackers on the same network as a victim to view the credentials for their online accounts when the victim is not using HTTPS.
As a "first step", the two organisations encourage individuals using the web to install HTTPS Everywhere, a Firefox extension developed by EFF and the Tor Project which encrypts a user's browsing, automatically switching to HTTPS whenever possible. However, as pointed out by the EFF, many sites have not yet deployed HTTPS, leaving their visitors vulnerable to attack. As such, the organisations ask users to let them know if the sites that they are visiting use HTTPS. By using crowd-sourcing, they hope to gain "a relatively accurate picture of the current state of HTTPS deployment and Internet security".
Discussing the campaign, Jochai Ben-Avie of Access said, "We want to make it easier for web users to get the security they need and deserve, but we can't do it alone," adding that, "We need an accurate picture of the state of HTTPS on the Internet. After that, we can target website operators and make it easy for them to update their sites."
In mid-March of this year, the Twitter micro-blogging service added support for an "Always use HTTPS" option. Just two months before that, the Facebook social networking site also began offering the option of completely encrypted communication. Upon further inspection it was discovered that Facebook's HTTPS workaround was rather crude; if users clicked a link to a Facebook app, the site would ask them if they wanted to switch to a standard HTTP connection as the content they wanted to display could not be displayed using HTTPS. Once users clicked continue, the site completely disabled the HTTPS option under account settings in the background without indicating to users that it would do so.
- EFF: More than 80% of browsers have trackable signatures, a report from The H.
- EFF casts doubt on security of SSL against eavesdropping, a report from The H.