Resources for the global digital safety training community.
Credits
Last Updated 2016-06In this exercise, participants are introduced to the HTTPS Everywhere plug-in for Chrome and Firefox browsers. HTTPS Everywhere forces HTTPS for websites that offer such connections but do not automatically route users via HTTPS by default; likewise, if a site does not offer any kind of HTTPS connection, the plug-in alerts users to this fact.
If downloading the plug-in file to distribute offline to participants, we recommend burning the file to a CD or placing it in a shared, read-only folder accessible to participants over a local network. Rather than placing it on a USB flash drive, we suggest these mehtods to avoid unintentionally spreading computer viruses.
The purpose of this exercise is to illustrate how the HTTPS Everywhere plug-in can help protect user network connections. This tool directs a browser to use SSL connections over HTTPS, either when an SSL version of a website is available or when the website has been included in the pre-populated list that HTTPS Everywhere’s developers update regularly.
Explain that some websites always provide a protected SSL (HTTPS) connection; for instance, all Google services offer session-wide, or from log-in to log-out, secure HTTPS connections. Twitter also now has this protection by default, as does Facebook.
Sometimes, though, a website will have a SSL connection available, but it won’t force users to connect via HTTPS - it’s also not always obvious that a website offers HTTPS in the first place if it isn’t forced.
To demonstrate, visit a website that provides both HTTP and HTTPS connections, but does not force that HTTPS protected connection - an illustrative and relatively well-known example is the Microsoft website:
Mention immediately afterwards, if it has not yet been highlighted, that a browser add-on called HTTPS Everywhere can be useful in some of those cases!
Go to Electronic Frontier Foundation’s, the developer of HTTPS Everywhere, official website in order to then demonstrate to participants how to install the plug-in. Note that, in the case of using Chrome browser, users will be redirected to use the Chrome Web Store.
Then, ask participants to replicate these steps, downloading and installing HTTPS Everywhere on their browsers. Encourage them to test HTTPS with one or two of their favorite websites or news sources. Make a brief pass around the training area, confirming that participants have the add-on correctly installed.
As participants experiment with using HTTPS Everywhere themselves, take the opportunity to remind participants once more of the following key points: