HTTPS is (Almost) Everywhere So Goodbye HTTPS Everywhere!

Mat Ford
Technology Insights, Internet Society
October 5, 2021

The latest development in the HTTPS deployment success story has seen the Electronic Frontier Foundation (EFF) declare “Victory!” and move on.

EFF have announced that because HTTPS is actually everywhere, the HTTPS Everywhere browser plug-in is no longer needed and they are preparing for its deprecation. After the end of this year, the browser extension will be in ‘maintenance mode’ for 2022. EFF highlight the widespread availability of native HTTPS-only modes in mainstream modern browsers.

HTTPS Everywhere was a security plug-in for browsers that ensured redirection of user requests to the HTTPS version of websites if one was available. The browser extension had its limitations, though, and more recently mainstream browser vendors have implemented HTTPS-only modes. These native modes are an improvement over the EFF extension as they don’t allow connections to hosts that only offer insecure options.

By default, browsers with these modes enabled will only connect via insecure HTTP after manual confirmation from the user. Taking this ‘block insecure connections by default’ approach is only now possible because so much of the web, especially popular web services, is now encrypted by default.

In a classic example of becoming a victim of your own success, the retirement of HTTPS Everywhere illustrates how pervasive HTTPS has become. HTTPS is (almost) everywhere so goodbye HTTPS Everywhere!

Photo by Nick Fewings on Unsplash