Tech Weekend – HTTPS Everywhere

To improve privacy and security HTTPS should be used everywhere. It SHOULD be the default option. Unfortunately this isn’t always the case. Even worse, you have no idea what the browser is doing behind your back. For instance – this site you’re reading now is going off and contacting Google Analytics and downloading images from other locations. If you trust me (the author) you can assume I’ve typed in those URLs as HTTPS instead of HTTP, but why trust me when you don’t have to?

DISCLAIMER: I know my site cert is self-signed. I’ll get to a CA signed cert eventually. Deal with it ;) (edit 2013-12-ish: I took care of this with a cert from StartCom.)

HTTPS Everywhere is a browser plugin that can be used to solve this exact problem. Load the plugin into Firefox or Chrome and off you go. The most common sites are automatically converted from http:// in your address bar to https://.

But WAIT – it’s of course not that simple. Let’s take Google as an example. Here is the default Google search URL

http://google.com

So what is the secure Google search URL?

https://encrypted.google.com/

Thank you security for ALWAYS making my life more complex than it needs to be. So if we want a plugin that can convert the most popular sites from http to https we need a long list of rules that are site specific. The plugin comes with these by default.

Now let’s say I’m a WordPress Admin and I want to make sure I ALWAYS log into the following instead of the http site.

https://bbbburns.com/blog/wp-admin/

This is where I type my password in to the cloud based server so it had better be over a secure connection. Unfortunately the EFF / plugin does not know who I am so there is no bundled rule for my site. I have to write my own.

Now we get to the whole point of this post. All of the instructions for writing your own custom HTTPS Everywhere rules are for Firefox. No rules exist for Chrome.. UNTIL NOW. Also – the rules are extremely technically detailed on the syntax, but leave me wanting more when they describe which files to change and where.

Writing HTTPS Everywhere Rules for Google Chrome Browser

Take THAT search engine. No .. really.. take it.. I hope someone finds this useful. The EFF instructions are missing the following pieces.

Search for your rules

Search on your computer for the default.rulesets file. This will get you in the right directory. I found mine here: (I converted all backslashes to forward slashes because of a funky problem I was having with the post)

C:/Users/user/AppData/Local/GoogleChrome/User Data/Default/Extensions/<random string>/2013.10.16_0/rules/default.rulesets

This file was pretty long and I didn’t want to edit the thing directly. I wanted to just take my OWN custom rulesets file and load that. Luckily it looks like the following file can do exactly that. I’ve added the second entry and created a new file with that name custom.rulesets.

C:/Users/user/AppData/Local/GoogleChrome/User Data/Default/Extensions/<random string>/2013.10.16_0/rule_list.js

var rule_list = [
"rules/default.rulesets",
"rules/custom.rulesets",
];

That allows us to have our rules for converting http://bbbburns.com to https://bbbburns.com. Here’s what I entered into the custom.rulesets file.

 C:UsersuserAppDataLocalGoogleChromeUser DataDefaultExtensions<random string>2013.10.16_0rulescustom.rulesets

<ruleset name="BBBBBurns">
  <target host="www.bbbburns.com" />
  <target host="bbbburns.com" />

  <rule from="^http://(www.)?bbbburns.com/" to="https://bbbburns.com/"/>
</ruleset>

Save those files and restart Chrome and you’re on your way to a more secure browsing experience. If there are sites you visit that HTTPS Everywhere doesn’t encrypt by default you can add these rules.

I recommend saving your custom file and the rule list in your “Development” directory or “scripts” or “hacks” or whatever you call it because surely this is all going to be blown away when Chrome auto updates. That’s just my assumption looking at the folder names above which seem version specific.

I think this concludes the Tech Weekend for me this weekend. Stay tuned for posts about password managers, two factor authentication, and PGP encryption and signing for email and other things.


Posted

in

by

Tags:

Comments

2 responses to “Tech Weekend – HTTPS Everywhere”

  1. Brendan Avatar
    Brendan

    There are a few free SSL CAs. I think this is probably one of the oldest: http://cert.startcom.org/

    1. Burns Avatar

      DONE! I had used them in the past but I do a really poor job keeping up with the yearly expiration. Now I’m using them again.