Last week, the Electronic Frontier Foundation announced that it will end its HTTPS Everywhere browser plugin in 2022. Engineering director Alexis Hancock summed it up in the announcement’s own title: “HTTPS is basically everywhere.”
The EFF originally launched HTTPS Everywhere – a plug-in that automatically upgrades HTTP connections to HTTPS – in 2010 as a stopgap measure for a world that had yet to get used to the idea of encrypting all web browser traffic.
When the plugin was new, most of the internet was presented in plain text – vulnerable to both snooping and manipulation by any entity that could place itself between a user of the web and the web servers they communicated with. Even banking websites often offered unencrypted connections! Fortunately, the web coding landscape has changed dramatically in the 11 years since.
We can get an idea of how far the protocol has come by looking at HTTP Archive’s State of the Web report. In 2016, six years after HTTPS Everywhere was first launched, the HTTP archive recorded encrypted connections for less than one in four sites crawled. In the five years since, that number has skyrocketed — as of July, the archive is crawling nine out of every ten sites over HTTPS. (Google’s transparency report shows a similar development, using data submitted by Chrome users.)
While increased organic HTTPS adoption influenced the EFF’s decision to deprecate the plugin, it’s not the only reason. More importantly, automated upgrade from HTTP to HTTPS is now available by default in all four major consumer browsers: Microsoft Edge, Apple Safari, Google Chrome, and Mozilla Firefox.
Unfortunately, Safari is still the only mainstream browser that enforces HTTPS traffic by default, which likely signaled the EFF’s decision to end HTTPS Everywhere until The next year. Firefox and Chrome offer a native “HTTPS Only” mode that must be enabled by the user, and Edge offers an experimental “Automatic HTTPS” as of Edge 92.
Today, if you just want to enable HTTPS/Automatic HTTPS natively in your browser of choice, we recommend visiting the EFF’s own announcement, which includes both step-by-step instructions and animated screenshots for each browser. After enabling your browser’s built-in HTTPS upgrade functionality, you can safely disable the soon-to-be-discontinued HTTPS Everywhere plugin.
List image by Rock1997/Wikipedia