HTTPS Everywhere
HTTPS Everywhere was a free and open-source browser extension developed by the Electronic Frontier Foundation (EFF) in collaboration with the Tor Project to automatically redirect users to secure HTTPS versions of websites whenever possible, thereby encrypting web communications and protecting against eavesdropping, surveillance, and man-in-the-middle attacks.[1][2] Released as a public beta for Firefox in June 2010, the extension expanded to other browsers including Chrome and Opera, featuring community-maintained rulesets for specific sites and advanced modes like Encrypt All Sites Eligible (E.A.S.E.) to dynamically upgrade connections and resist downgrade attacks.[3] Over its decade of active development, HTTPS Everywhere played a pivotal role in advocating for and accelerating the adoption of HTTPS across the internet, influencing browser vendors to incorporate native encryption enhancements such as HTTPS-only modes.[3] By 2021, with HTTPS securing approximately 90% of web page visits and major browsers like Firefox, Chrome, and Edge offering built-in options to enforce secure connections by default, EFF deprecated the extension at the end of 2021, transitioning it to maintenance mode in 2022 before fully retiring it as redundant to modern web standards.[4][2]
History
Origins and Initial Development
HTTPS Everywhere originated as a collaborative project between the Electronic Frontier Foundation (EFF) and the Tor Project to address the prevalence of unencrypted HTTP connections on the web, which exposed users to risks such as man-in-the-middle attacks and surveillance.[3][5] The initiative was motivated by the recognition that many websites supported HTTPS capabilities but defaulted to insecure HTTP, a gap highlighted in EFF's advocacy for broader encryption adoption following Google's introduction of encrypted search options in 2010.[5] Development focused on creating a Firefox browser extension that would automatically redirect traffic to HTTPS endpoints where available, thereby enforcing secure connections without requiring user intervention or site reconfiguration.[1] The public beta release occurred on June 17, 2010, marking the initial deployment as an experimental tool for Firefox users.[3] Early development emphasized the creation of site-specific rulesets—XML-based configurations defining HTTPS upgrade paths for popular domains—which were curated manually and distributed with the extension to ensure compatibility and functionality.[3] This ruleset mechanism relied on community input from the outset, with volunteers contributing mappings for additional sites, reflecting the project's open-source ethos and dependence on distributed expertise to scale coverage beyond what EFF and Tor developers could achieve alone.[3] By August 2011, the project advanced to its version 1.0 release, incorporating support for hundreds more sites and refinements based on beta feedback, such as improved handling of mixed-content scenarios to minimize breakage.[6] Initial testing and iteration occurred primarily within privacy-focused communities, including Tor Browser users, where the extension's integration helped propagate HTTPS upgrades amid growing concerns over ISP-level traffic analysis and certificate authority vulnerabilities.[3] This phase established the foundational architecture, prioritizing opt-in modes like "E.A.S.E." (Encrypt All Sites Eligible) to balance security gains against potential disruptions from incomplete site implementations.[3]
Key Milestones and Updates
HTTPS Everywhere was initially released as a beta version for the Firefox browser in June 2010, developed collaboratively by the Electronic Frontier Foundation (EFF) and the Tor Project to automatically enforce HTTPS connections on supported websites.[3][7] A stable version 1.0 followed in 2011, expanding its ruleset to cover more sites.[8] Beta support for Google Chrome was added in February 2012, broadening compatibility beyond Firefox.[9] In April 2015, version 5 introduced thousands of new rulesets and interface translations into sixteen additional languages, enhancing global accessibility and coverage.[10] April 2018 brought continual ruleset updates, enabling more frequent delivery of HTTPS-supporting site lists without full extension downloads, improving responsiveness to web changes.[11] The Encrypt All Sites Eligible (E.A.S.E.) mode was implemented to dynamically upgrade eligible connections and resist downgrade attacks, while the ruleset redirect engine was rewritten in Rust and compiled to WebAssembly for greater efficiency.[3] By November 2020, the project marked its tenth anniversary, reflecting on its role in driving web encryption amid rising HTTPS adoption.[3] In September 2021, EFF announced the extension's entry into maintenance mode after December 31, 2021, citing native HTTPS-only modes in major browsers (e.g., Firefox, Chrome v94, Safari v15) and approximately 90% of web page visits using HTTPS, rendering the tool largely redundant.[4][2] The final release, version 2022.5.24, occurred on May 25, 2022, with improvements to E.A.S.E. mode and dependencies; the GitHub repository was archived on November 6, 2023, confirming retirement.[12]
Technical Functionality
Ruleset Mechanism
The ruleset mechanism in HTTPS Everywhere operates by intercepting HTTP requests within the browser and applying predefined XML rulesets to rewrite them to HTTPS equivalents when supported by the target site.[13] Each ruleset targets specific domains or subdomains via regular expression patterns, enabling the extension to enforce encrypted connections selectively without altering unrelated traffic.[8] This interception occurs at the browser level, typically during URL resolution or request initiation, allowing real-time transformation before the request reaches the network.[13] Rulesets are structured as XML documents, with each file dedicated to one or more related hosts, stored in the extension's repository under directories like src/chrome/content/rules.[13] A typical ruleset begins with a <ruleset name="domain.example"> element, followed by <target host="*.domain.example"/> to specify applicable domains using wildcards.[13] Rewrite rules within the set use <rule from="^http://(www\.)?domain\.example\.org/" to="https://$1domain.example.org/"/> syntax, where the from attribute employs Perl-compatible regular expressions to match insecure URLs, and the to attribute captures and reconstructs the secure version, preserving path and query parameters.[13] Exclusions, defined via <exclusion pattern="..."/>, prevent rewriting for paths known to lack HTTPS support, mitigating potential breakage.[13]
Upon detecting a matching HTTP URL, the extension evaluates rulesets in sequence—often compiled into efficient data structures for performance—replacing the protocol and potentially the host to direct the request over TLS.[13] As of 2016, the database comprised approximately 22,000 rulesets covering 113,000 domain wildcards and 32,000 rewrite rules, with an automated validation checker ensuring rewritten URLs resolve successfully over HTTPS before deployment.[13] This mechanism supports dynamic updates, introduced in April 2018, allowing ruleset refreshes without full extension upgrades to maintain coverage for evolving site configurations.[11]
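The matching and rewriting steps described above, as an added Python example (not the extension's own code): it parses a constructed ruleset, checks the target host before applying exclusions and rules, and accepts a rewrite only if the result is an https:// URL. The Ruleset class, its method names, the sample ruleset and the treatment of a leading "*." as one or more subdomain labels are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample ruleset using the elements described above (not an EFF ruleset file).
SAMPLE_RULESET = r"""
<ruleset name="domain.example">
  <target host="domain.example"/>
  <target host="*.domain.example"/>
  <exclusion pattern="^http://(www\.)?domain\.example/legacy/"/>
  <rule from="^http://(www\.)?domain\.example/" to="https://$1domain.example/"/>
</ruleset>
"""

class Ruleset:
    def __init__(self, xml_text):
        root = ET.fromstring(xml_text)
        self.name = root.get("name")
        self.targets = [t.get("host").lower() for t in root.iter("target")]
        self.exclusions = [re.compile(e.get("pattern")) for e in root.iter("exclusion")]
        # Ruleset "to" values use $N back-references; Python's re wants \g<N>.
        self.rules = [(re.compile(r.get("from")), re.sub(r"\$(\d)", r"\\g<\1>", r.get("to")))
                      for r in root.iter("rule")]

    def covers(self, host):
        """True if host matches a <target>; '*.' is taken as one or more subdomain labels."""
        host = host.lower()
        for target in self.targets:
            if target.startswith("*."):
                if host.endswith(target[1:]) and len(host) > len(target) - 1:
                    return True
            elif host == target:
                return True
        return False

    def rewrite(self, url):
        """Return the upgraded URL, or None if the request should be left alone."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.covers(parts.hostname or ""):
            return None
        if any(ex.search(url) for ex in self.exclusions):
            return None  # path known to lack HTTPS support
        for pattern, replacement in self.rules:
            new_url, count = pattern.subn(replacement, url, count=1)
            if count and new_url.startswith("https://"):
                return new_url
        return None
```

Checking the target host on the parsed hostname, rather than relying on the rule regex alone, keeps lookalike hosts such as evildomain.example or domain.example.evil.test from being treated as covered.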