The Firefox add-on Firesheep has demonstrated the vulnerability of insecure connections with a bang. Users who use an unencrypted connection to access sites and services on public networks may have their information recorded by other users who record the network traffic. To put it in layman’s terms: You may be vulnerable to this kind of data snooping if you see http and not https in your browser’s address bar.
Http is bad and https is good for privacy and security reasons. That’s all there is to it. Most services allow both http and https connections to their sites; Facebook is an example. There are services, like Gmail, Google’s email service, that only allow https connections and will redirect http requests to https for increased security and privacy.
This tutorial takes a look at some of the possibilities to force https connections:
The NoScript add-on is the best option for the Firefox web browser. The add-on’s primary function is to block scripts from being executed automatically. However, it offers several options to improve security further, one of which configures the browser to always use https connections for specific sites. To open the listing, click on Options on the status bar icon, then Advanced > HTTPS in the NoScript Options window.
Here it is possible to add sites where https should always or never be used. Facebook users would simply add facebook.com in the force text area. All connections to facebook.com from that moment on will be automatically redirected to https. A user entering http://www.facebook.com/ in the browser to log into Facebook will be redirected to https://www.facebook.com/ automatically. The same is true for all other pages on Facebook.
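The force and never lists described above can be sketched as follows. This is an added example, not NoScript's own code; the function names and the rule that a list entry also covers its subdomains are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not taken from NoScript.
// True when host equals the list entry or is a subdomain of it.
// The "." boundary keeps "notfacebook.com" from matching "facebook.com".
function hostMatches(host, entry) {
  const h = host.toLowerCase().replace(/\.$/, "");      // ignore trailing dot
  const e = entry.toLowerCase().replace(/^\*?\./, "");  // accept "*.site" / ".site"
  return e !== "" && (h === e || h.endsWith("." + e));
}

// Returns the URL that should actually be requested. It is meant to run
// before the request is sent, so no cleartext request (and no session
// cookie) leaves the browser for a forced site.
function upgradeUrl(rawUrl, forceList, neverList = []) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (err) {
    return rawUrl; // not an absolute URL: leave it untouched
  }
  if (url.protocol !== "http:") return url.href; // https, ftp, ... unchanged
  const inList = (list) => list.some((entry) => hostMatches(url.hostname, entry));
  // The never list wins over the force list, so one subdomain can be exempted.
  if (inList(neverList) || !inList(forceList)) return url.href;
  url.protocol = "https:"; // an explicit :80 becomes the default HTTPS port
  return url.href;
}

// Constructed sample input.
const force = ["facebook.com"];
console.log(upgradeUrl("http://www.facebook.com/", force));
console.log(upgradeUrl("http://notfacebook.com/login", force));
```

Doing the rewrite before the request is sent matters: a redirect that happens only after the http page has loaded has already sent the request, and any cookies with it, in the clear.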
As far as I know, there is not a comparable solution for the Google Chrome browser. There are, however, a few alternatives. The first is explained in the article Use Google Chrome For Secure Web Browsing. Google Chrome has a startup parameter called --force-https. If you start Chrome with that parameter, only https connections are allowed. On the other hand, this makes the majority of websites inaccessible.
Chrome does have a few extensions that force SSL for specific sites. Extensions are, for instance, available for Facebook.
Use HTTPS is a Chrome extension that can be used to configure specific sites to always use HTTPS connections.
Opera 11 alpha, which has been released recently, supports extensions. One of the extensions that is available for the web browser is Security Enhancer, which forces https connections on a few sites including Twitter and several Google services. The extension currently has a bug where the http page is fully loaded before the redirection to the https page. There is also no option to add other sites to the listing.
Still, considering that it is an early version, there is hope that the developer will continue to improve the extension to resolve the bug and add customization.
There is a user script for Internet Explorer to force https on Facebook, but that’s it. There does not seem to be another option.
Firefox and Google Chrome benefit immensely from add-ons and extensions. In this case, they are the only two browsers with options to force https connections on custom websites. Opera is going to get an extension eventually that will add this functionality as well.