Add-on that forces HTTPS for popular websites released for Internet Explorer

Zscaler releases Internet Explorer version of the Firefox and Chrome "HTTPS Everywhere" browser security extension

Cloud-based security services provider Zscaler has released an implementation for Internet Explorer of the HTTPS Everywhere browser security extension.

HTTPS Everywhere forces the browser to always connect over HTTPS (HTTP Secure) to popular websites that support the secure communication protocol but don't enable it by default. The extension also sets the "secure" flag for authentication cookies, preventing them from being transmitted over unencrypted connections.

Some HTTPS-enabled sites fail to set this flag for authentication cookies because they expect users to automatically be logged in even when they access the HTTP versions of the site. However, this allows attackers who compromised a network's gateway or who can sniff traffic on an unprotected wireless network, to steal the cookies from users and hijack their accounts.

HTTPS Everywhere was originally released as an extension for Mozilla Firefox in 2010 and is jointly developed by the Electronic Frontier Foundation (EFF), a digital rights watchdog organization, and the Tor Project, the creators of the Tor anonymity software. A version for Google Chrome has also been released since then.

Version of HTTPS Everywhere for Internet Explorer was released Monday and was developed independently of the EFF or the Tor Project by Zscaler senior security researcher Julien Sobrier.

The IE implementation replicates the core functionality of the official Firefox and Chrome HTTPS Everywhere extensions and includes their default rule sets for popular websites. However, some additional features like the ability to create custom rules or the support for the HTTP Strict Transport Security (HSTS) security policy are still missing.

"As the version number suggests, this is a very early release," Sobrier said Monday in a blog post. "I have been using the extension for several weeks without any problems, but it should be considered an alpha release."

The missing features will be added in future versions, the researcher said. For now, the primary goal is to share the source code for the IE version with the EFF and make it available through their website, he said.

In the meantime, people who want to use or try out HTTPS Everywhere for Internet Explorer can download it from a dedicated page on Zscaler's website.

However, this reporter had trouble accessing with the add-on enabled in the latest version of Internet Explorer 9 running on a 64-bit installation of Windows 7 Ultimate, so it seems that there are still some bugs to fix.

While this extension sounds like a good tool to have, it remains to be seen how many IE users will actually be interested in using it.

"IE users tend to be more passive and accepting of the default app, rather than adding DIY [do it yourself] extensions -- especially those with a security function," David Harley, a senior research fellow at antivirus vendor ESET, said Wednesday via email.

"I'm not convinced that it will be widely adopted unless Microsoft actually promotes it or, more likely, includes something similar in a future release," Harley said. "It might appeal to security hobbyists, but that's the group that's least likely to use IE."

Harley believes that adoption in corporate environments, where IE has a very strong user base, is also unlikely, at least with the extension's current limitations and at this early stage of development.

Join the CSO newsletter!

Error: Please check your email address.

Tags applicationsonline safetysecuritybrowserszscalersoftwareencryptionesetprivacy

More about EFFElectronic Frontier FoundationGoogleMicrosoftMozillaWikipediazScaler

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts