Is "HTTPS Everywhere" still relevant?
HTTPS Everywhere is a browser extension, a collaboration between The Tor Project and the Electronic Frontier Foundation, that automates rewriting requests for HTTP URLs to the secure HTTPS alternative if available. It's apparently been around for roughly a decade but was never on my radar until someone recently asked about it. Trying to research it has produced a mixed bag of information.
Regardless of need, it isn't clear how useful it is "out-of-the-box". Various articles refer to the need to supplement defaults with whitelists and rules to get the full benefits. So implementing it appears to not be a trivial task.
At least at one time, a substantial portion of web sites were HTTP-only, so using such software could provide only limited benefit. It appears that sites dealing with sensitive personal data have pretty much moved to HTTPS-only. Google implemented various measures to incentivize web sites to convert to HTTPS. It isn't clear how big of a problem HTTP still is (or if it still is, whether the problem is quickly disappearing).
It also isn't clear whether sites converting to HTTPS are retaining the HTTP links just for legacy visitors, and automatically redirecting to their HTTPS site.
The major browsers appear to all have either incorporated logic to prefer HTTPS sites when available, or are well into the process of implementing it. At least Google (haven't seen anything about other search engines) has a program by the same name (not clear if it is actually the same product) to automatically attempt an HTTPS connection on searches.
Three years ago or so, there were articles about "why you need to install HTTPS Everywhere". A number of more recent articles have suggested that people should stop suggesting that people install this software. The gist seems to relate to browsers already duplicating the functionality.
So it isn't clear whether HTTP is still a substantive problem needing a solution, and if so, whether software that tries HTTPS links first can solve what's left of it. Has this whole issue been overtaken by events?
I'm looking for context rather than opinion (i.e., the facts describing the current situation rather than opinion about how good or bad it is, or whether I need the software). For example, do the major browsers now provide the remedy that HTTPS Everywhere was developed for? Is HTTP now virtually limited to sites where there's no personal data? Is there government or industry regulation that is intended to render this a non-issue? In other words, the kinds of objective information that will allow me (and others) to understand the current state of affairs in order to form my own opinion and determine relevance for myself.
HTTPS Everywhere certainly used to be more necessary during the days of mixed content and half-hearted website configurations. The web is certainly more mature nowadays, with technologies like HSTS which can be used by any site, and public key pinning for the bigger players (now deprecated in favor of Certificate Transparency - thanks to Justin for informing me).
So, whether the extension is useful depends heavily on your individual use case. Making custom rules for websites that serve both HTTP and HTTPS is something the extension excels at, and I'm not aware of any others that do a similar job. Even in situations where a website doesn't support HTTPS, the extension will ensure that any references to third-party domains such as CDNs will be upgraded to HTTPS, even if the original reference was protocol-neutral.
Speaking as a previous ruleset contributor to HTTPS Everywhere, I have the following to offer.
The HTTPS Everywhere project periodically tests all of their rewriting rules and disables those which fail for any reason. This ensures a relatively quick response to changing website configurations, but can lead to a significant portion of the rulesets being disabled unless significant maintenance effort is expended. Suggestions that the central rulesets should be supplemented mainly arise from ignorance that these central rulesets can and should be corrected. It's a matter of volunteer availability.
Significant progress has been made in moving the web to HTTPS-only, but many sites are still misconfigured and many more have not implemented the crucial HSTS preload protection needed to prevent first-connection attacks. Sites which implement this protection are shortly thereafter removed from HTTPS Everywhere's rulesets.
Web browser technology is very useful, but anything browsers do beyond the HSTS preload list is only nice to have. HTTPS Everywhere provides a stopgap for sites which have not enabled HSTS through the browser and essentially need a custom community-maintained HSTS configuration.
In summary, it does no harm to keep it installed. Bear with it for a few more years and hopefully all this will become redundant.
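The "first-connection attack" that HSTS preload closes is easier to see with a small model. The following added example (not from the answer above or from any browser's code) parses a `Strict-Transport-Security` header, lists what would keep a site off the preload list, and runs a toy client that upgrades to HTTPS only for hosts it has already learned HSTS for or that were preloaded. The headers are constructed; the one-year `max-age` threshold is the hstspreload.org submission requirement at the time of writing and is stated here as an assumption.

```python
"""HSTS policy check and first-connection model (added example, not browser code)."""
from dataclasses import dataclass

# Assumption: hstspreload.org requires max-age of at least one year.
ONE_YEAR = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797); None if invalid."""
    policy = HstsPolicy(max_age=-1, include_subdomains=False, preload=False)
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            policy.max_age = int(value)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    if policy.max_age < 0:
        return None  # max-age is the one mandatory directive
    return policy


def preload_problems(policy):
    """Reasons a policy would be rejected for the browser preload list."""
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append("max-age below one year")
    if not policy.include_subdomains:
        problems.append("missing includeSubDomains")
    if not policy.preload:
        problems.append("missing preload")
    return problems


class Browser:
    """Toy client: knows HSTS only for hosts it has seen the header from, or preloaded."""

    def __init__(self, preload_list=()):
        self.known = set(preload_list)

    def request(self, host, response_headers):
        """Return the scheme of the first hop, then learn HSTS from the response.

        Constructed model: when the first hop is plain http, the site redirects
        to https and the header is read on that https leg, which is exactly the
        hop an on-path attacker could have intercepted.
        """
        first_hop = "https" if host in self.known else "http"
        hsts = response_headers.get("Strict-Transport-Security")
        if hsts and parse_hsts(hsts):
            self.known.add(host)
        return first_hop


def first_hops(browser, host, headers, visits=2):
    """Scheme of each visit's first hop; every 'http' entry is a downgrade window."""
    return [browser.request(host, headers) for _ in range(visits)]


# Constructed sample headers for a hypothetical site.
GOOD_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
WEAK_HEADERS = {"Strict-Transport-Security": "max-age=10886400"}

if __name__ == "__main__":
    print("weak policy problems:", preload_problems(parse_hsts(WEAK_HEADERS["Strict-Transport-Security"])))
    print("not preloaded:", first_hops(Browser(), "site.example", GOOD_HEADERS))
    print("preloaded:    ", first_hops(Browser(["site.example"]), "site.example", GOOD_HEADERS))
```

The non-preloaded client's first visit still goes out over plain HTTP, even though the site's header is perfect; only the preload list (or a community-maintained rule such as an HTTPS Everywhere ruleset) removes that first hop.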