Deepening: Using HTTPS Everywhere

Credits DJ Last Updated 2016-06

In this exercise, participants are introduced to the HTTPS Everywhere plug-in for Chrome and Firefox browsers. HTTPS Everywhere forces HTTPS for websites that offer such connections but do not automatically route users via HTTPS by default; likewise, if a site does not offer any kind of HTTPS connection, the plug-in alerts users to this fact.

ADIDS Element

Deepening

Parent Topic(s)

Identity Protection and Privacy; HTTPS and SSL

Duration

30-45 minutes

Materials to Prepare

  • PC with Firefox or Chrome browser installed
  • LCD projector for demonstration
  • Create a bookmark for the official developer’s page for HTTPS Everywhere, if connectivity is available; if not, download the extension prior to the session.

Trainer’s Note

If downloading the plug-in file to distribute offline to participants, we recommend burning the file to a CD or placing it in a shared, read-only folder accessible to participants over a local network. We suggest these methods, rather than placing the file on a USB flash drive, to avoid unintentionally spreading computer viruses.

Deepening

The purpose of this exercise is to illustrate how the HTTPS Everywhere plug-in can help protect user network connections. This tool directs a browser to use SSL connections over HTTPS, either when an SSL version of a website is available or when the website has been included in the pre-populated list that HTTPS Everywhere’s developers update regularly.
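For trainers who want to show what the pre-populated list does, the following is an added example, not part of the original module and not the extension's own code: a simplified JavaScript model of list-based rewriting with target hosts, exclusions and rewrite rules. The ruleset contents, the example hosts, and the names `hostMatches` and `rewriteUrl` are constructed for illustration.

```javascript
// Simplified model of how a list-based HTTPS rewriter decides what to upgrade.
// RULESETS is constructed sample data using reserved example domains.
const RULESETS = [
  {
    name: "Example (constructed)",
    targets: ["example.com", "*.example.com"],
    // URLs known to break over HTTPS are left alone.
    exclusions: [/^http:\/\/media\.example\.com\/legacy\//],
    // Rules are tried in order; the first one whose pattern matches wins.
    rules: [
      { from: /^http:\/\/example\.com\//, to: "https://www.example.com/" },
      { from: /^http:/, to: "https:" },
    ],
  },
];

// A target matches the exact host; a leading "*." matches any subdomain.
function hostMatches(host, target) {
  return target.startsWith("*.")
    ? host.endsWith(target.slice(1))
    : host === target;
}

// Returns { url, rewritten, ruleset } for an address the user typed or clicked.
function rewriteUrl(input, rulesets = RULESETS) {
  const url = new URL(input);
  const unchanged = { url: input, rewritten: false, ruleset: null };
  if (url.protocol !== "http:") return unchanged; // already HTTPS
  for (const rs of rulesets) {
    if (!rs.targets.some((t) => hostMatches(url.hostname, t))) continue;
    if (rs.exclusions.some((re) => re.test(url.href))) continue;
    const rule = rs.rules.find((r) => r.from.test(url.href));
    if (rule) {
      const upgraded = url.href.replace(rule.from, rule.to);
      return { url: upgraded, rewritten: true, ruleset: rs.name };
    }
  }
  return unchanged; // host not on the list: this model leaves it on HTTP
}

for (const u of ["http://example.com/login", "http://shop.example.com/cart",
                 "http://media.example.com/legacy/clip", "http://unlisted.test/"]) {
  console.log(u, "->", rewriteUrl(u).url);
}
```

In this model, a look-alike host such as `evilexample.com` does not match `*.example.com`, and an address on the exclusion list stays on HTTP even though its host is listed.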

Step 1: HTTPS by Default

Explain that some websites always provide a protected SSL (HTTPS) connection; for instance, all Google services offer secure HTTPS connections session-wide, that is, from log-in to log-out. Twitter also now has this protection by default, as does Facebook.

Sometimes, though, a website will have an SSL connection available but won’t force users to connect via HTTPS. When HTTPS isn’t forced, it is also not always obvious that the website offers it in the first place.

To demonstrate, visit a website that provides both HTTP and HTTPS connections, but does not force that HTTPS protected connection - an illustrative and relatively well-known example is the Microsoft website:

  • Visit the HTTP version of the site.
  • In the URL bar, add “s” to “http://” to create an HTTPS connection; then, reload the page.
  • Highlight the relevant icon - usually a small, locked padlock icon - that signals HTTPS is active.
  • Remind participants that HTTPS connections are available on some websites, but not always automatically.

Mention immediately afterwards, if it has not yet been highlighted, that a browser add-on called HTTPS Everywhere can be useful in some of those cases!

Step 2: Installing HTTPS Everywhere

Go to the official website of the Electronic Frontier Foundation, the developer of HTTPS Everywhere, and demonstrate to participants how to install the plug-in. Note that users of the Chrome browser will be redirected to the Chrome Web Store.

  • After installing HTTPS Everywhere, return to Microsoft.com to continue the demonstration for users.
  • Point out that the browser automatically visits the HTTPS version; if desired, also visit the site in another browser that does not have HTTPS Everywhere installed to emphasize that only the browser with the extension has the added protection.

Then, ask participants to replicate these steps, downloading and installing HTTPS Everywhere on their browsers. Encourage them to test HTTPS with one or two of their favorite websites or news sources. Make a brief pass around the training area, confirming that participants have the add-on correctly installed.

Step 3: Additional Talking Points

As participants experiment with using HTTPS Everywhere themselves, take the opportunity to remind participants once more of the following key points:

  • This tool directs a browser to use SSL connections over HTTPS, either when an SSL version of a website is available or when the website has been included in the pre-populated list that HTTPS Everywhere’s developers update regularly.
  • The SSL encryption protocol used by HTTPS, while quite strong and reliable in many cases, only encrypts the channel through which data is travelling and not the data itself.
  • A helpful comparison to make is to that of a drinking straw - if a straw is clear, an observer can see what kind of liquid is passing through it; if it is opaque, the liquid cannot be seen.