Stump the Geeks

Software provides another layer of online security

stumpthegeeks@newsobserver.com
October 28, 2012

In last week’s column, I mentioned a handy cloud storage tool called SpiderOak designed to secure the files you store online.

But file storage accounts for only a fraction of your online life, the majority of which is – by default at least – vulnerable to prying eyes. That’s where HTTPS Everywhere, a free browser extension for Firefox and Chrome, comes in.

Created by the nonprofit digital rights advocacy group Electronic Frontier Foundation, HTTPS Everywhere forces your browser to view Web pages using HTTP Secure, an encrypted protocol that can prevent a host of problems when your computer talks with servers that store Web content.

The software doesn’t provide complete security (no solution really can), but its creators say it’s a big step toward fixing the sorry state of online safety.

That modern Internet security is a bit lackadaisical isn’t exactly by design, says EFF Technology Projects Director Peter Eckersley.

“The Web was designed in a very sort of cloistered, academic environment. It was a research project, essentially,” Eckersley said. “No one back in that time was designing for a medium that we use for our most sensitive communications.”

Stops intruders

He’s not just talking about credit-card numbers (online purchases, for the most part, already employ HTTPS). Even basic users now rely on the Web for banking, medical advice and activism.

“Those things are often more confidential than your credit-card number,” Eckersley said. “After all, any clerk at a department store can see your credit card number.”

The solution, he says, is to get websites and the companies behind them to adopt HTTPS more widely, even for basic browsing.

By adding a layer of encryption to the more common HTTP, or hypertext transfer protocol, HTTPS scrambles the data that describe both what you’re seeing on a page and how you interact with it. It also forces the browser to verify that the site you’re visiting really is Google or Facebook and not some impersonator.

Eckersley said taking these steps can stop intruders from intercepting the information you’re sending and receiving, whether that malicious user is connected to your wireless network or between you and your Internet service provider.

“With HTTPS, if it’s working correctly, the only thing an outside observer can see is what site you’re talking to,” Eckersley said.

Expanding its reach

While the EFF has long lobbied for companies to employ HTTPS by default (with some success), Eckersley said the group launched HTTPS Everywhere to retrofit security and privacy onto websites without it.

But it’s not as easy as just adding an “s” into a site’s address. By tapping into the open-source community, EFF has curated a collection of instructions written by developers that help the browser plug-in display sites with the added security layer. If a site isn’t supported and doesn’t display correctly, users can turn HTTPS Everywhere off by clicking on a logo in their address bar.

“It’s sort of like fixing the security of the Web with duct tape,” Eckersley said.

HTTPS Everywhere supports more than 3,000 sites already, which Eckersley said will put it in line to encrypt trillions of Web requests in the next year.

Some of those requests should be yours.

“We wouldn’t let people we’ve never met sit in our living rooms and watch what we’re doing,” Eckersley said. “Why would we let people who are just as much strangers build big databases of what we’re doing (on) our laptops, in our living rooms?”

Send technology questions to stumpthegeeks@newsobserver.com. Please include your name, city and daytime phone number. Sorry, we can’t answer every question.
