The HTTPS Everywhere extension, which is used to automatically connect to websites in a secure manner, is bowed out. In 2022, it will be deactivated. It is no longer useful now that the web is globally encrypted.
HTTPS Everywhere is heading towards a well-deserved retirement. The web extension, which is available for the main web browsers, must indeed be withdrawn from active service from 2022. The reason? The web no longer really needs it to protect Internet users. Almost all browsers natively integrate an equivalent to HTTPS Everywhere.
The decision to set aside HTTPS Everywhere was announced on September 21 by the Electronic Frontier Foundation (EFF), a powerful American organization dedicated to the defense of digital freedoms, which we currently find in another major project: Let’s Encrypt . The latter consists in facilitating access to security certificates to as many people as possible, again to increase the security of the web.
HTTPS Everywhere, the module that wanted to encrypt the web
The HTTPS Everywhere extension is used to activate the HTTPS protocol when it is available, instead of using the HTTP version (hence the name HTTPS Everywhere: it is to have HTTPS everywhere). The project is very old, even older than the revelations made by Edward Snowden in 2013, which accelerated the trend towards all encryption. Indeed, the HTTPS Everywhere project emerged in 2010.
HTTPS is used to signal to the Internet user that the connection between his browser and the website is secure. This protection is symbolized by a closed padlock in the URL bar. HTTPS is based on an encryption protocol which is decisive for consulting online resources, including sensitive ones (bank, merchant site, email), because it prevents both interception, reading and alteration of exchanges.
Over time, HTTPS Everywhere (HTTPS is an acronym that stands for HyperText Transfer Protocol Secure) has been deployed on many web browsers: it is now found on Google Chrome, Firefox, Microsoft Edge, Opera, Brave (included natively) and Tor (ditto). On mobile, it is also available, but on a smaller scale. Firefox, Brave, Tor and Onion offer it, on Android or iOS.
By 2011, HTTPS Everywhere was proving to be relatively useful, as the HTTPS protocol could be enabled on more than a thousand sites, including a few of the very first ones. It just wasn’t offered by default. The extension therefore aimed to force this secure connection, while waiting for the day when this link would be active as a base, without the need for an additional module. And then Edward Snowden arrived.
His revelations about mass Internet surveillance programs set up by major intelligence agencies were a turning point in the rise of HTTPS. Paradoxically, this case was an unexpected opportunity for the EFF project to encrypt the entire web, while protecting the communications of Internet users.
” Since we started offering HTTPS Everywhere, the battle for web encryption has leaped forward: what was once a tough technical argument is now a common standard offered on most web pages. “, Welcomes the NGO, even if it took time to achieve this result. More than ten years separate this announcement from the launch of the module.
HTTP is on the way out
Today, all the signals are green for HTTPS, which has become a very large majority in the web landscape – Google has also had an influence, by making HTTPS also a criterion for good SEO. The dashboard offered by Google, which tracks the degree of use of encryption on the web, is unequivocal.
Thus, almost all of the top 100 websites were using HTTPS by default, as of January 1, 2019 (the figure has not been updated since, but it has only grown). And Google Chrome, which is an excellent watch on what is happening on the net because it is the most used browser in the world, notes that 90% of the time, browsing is done in HTTPS – 95% for the Internet. France.
We find equivalent statistics with the HTTP Archive monitoring site. HTTPS requests were barely around 20% in January 2016. In 2021, they are above 90%. Admittedly, all this progress is not only to the credit of the extension of the EFF: many other factors have played a role (Google, the Snowden revelations, the Let’s Encrypt initiative). However, the module has done its part.
And then there is also the action of browsers. As indicated, they all or almost natively integrate an equivalent to HTTPS Everywhere. This is the case with Google Chrome and Firefox for example – we talked about it at the time. But Microsoft Edge and Safari are also on this trajectory. These integrations certainly arrived quite late, but we had to be sure that HTTP was indeed on the way out.
EFF is aware that its module is still present in many browsers. It therefore does not intend to make a sudden transition: the extension will certainly be deprecated, but in 2022. It will then go into maintenance mode and will no longer be really updated. Then it will be deactivated. These few months allow people to leave a margin to make a rocking as smooth as possible.
” The goal of HTTPS Everywhere has always been to become redundant. This would mean that we would have achieved our primary goal: a world where HTTPS is so widely available and accessible that users no longer need an additional browser extension to get it. Now this world is closer than ever “Writes the EFF.