Electronic Frontier Foundation will deprecate HTTPS Everywhere plugin


Enlarge / We had trouble even finding HTTPS statistics earlier than 2016—but even in 2016, fewer than one in four websites were delivered via HTTPS.

Last week, the Electronic Frontier Foundation announced that it will deprecate its HTTPS Everywhere browser plugin in 2022. Engineering director Alexis Hancock summed it up in the announcement’s own title: “HTTPS is actually everywhere.”

The EFF originally launched HTTPS Everywhere—a plugin which automatically upgrades HTTP connections to HTTPS—in 2010 as a stopgap measure for a world that was still getting accustomed to the idea of encrypting all web-browser traffic.

When the plugin was new, the majority of the Internet was served up in plaintext—vulnerable to both snooping and manipulation by any entity which could place itself between a web-browsing user and the web servers they communicated with. Even banking websites frequently offered unencrypted connections! Thankfully, the web-encryption landscape has changed dramatically in the 11 years since then.

We can get some idea of just how far the protocol has come by looking at HTTP Archive’s State of the Web report. In 2016—six years after HTTPS Everywhere first launched—the HTTP Archive recorded encrypted connections for fewer than one site in every four it crawled. In the five years since, that number has skyrocketed—as of July, the Archive crawls nine of every 10 sites via HTTPS. (Google’s Transparency Report shows a similar progression, using data submitted by Chrome users.)

Although the increased organic HTTPS adoption influenced the EFF’s decision to deprecate the plugin, it’s not the only reason. More importantly, automated upgrade from HTTP to HTTPS is now available natively in all four major consumer browsers—Microsoft Edge, Apple Safari, Google Chrome, and Mozilla Firefox.

Unfortunately, Safari is still the only mainstream browser to force HTTPS traffic by default—which likely informed the EFF’s decision to retire HTTPS Everywhere until next year. Firefox and Chrome offer a native “HTTPS Only” mode which must be user-enabled, and Edge offers an experimental “Automatic HTTPS” as of Edge 92.

If you’d like to enable HTTPS Only / Automatic HTTPS natively in your browser of choice today, we recommend visiting the EFF’s own announcement, which includes both step-by-step instructions and animated screenshots for each browser. After enabling your browser’s native HTTPS upgrade functionality, you can safely disable the soon-to-be-deprecated HTTPS Everywhere plugin.

Listing image by Rock1997 / Wikipedia



Source link