The Digital Frontier Basis will discontinue the HTTPS All over the place plug-in
Enlarge / Before 2016, we even struggled to find HTTPS stats – but even in 2016, fewer than one in four websites served HTTPS.
Last week, the Electronic Frontier Foundation announced that it would be retiring its browser plug-in HTTPS Everywhere in 2022. Technical director Alexis Hancock summed it up in the announcement’s own title: “HTTPS is actually everywhere.”
The EFF originally introduced HTTPS Everywhere – a plug-in that automatically updates HTTP connections to HTTPS – in 2010 as a stopgap solution for a world that is still used to the idea of encrypting all web browser traffic.
When the plugin was new, most of the Internet was served in clear text – vulnerable to both snooping and tampering by any entity that could place itself between a user browsing the web and the web servers they were communicating with. Even banking websites often offered unencrypted connections! Fortunately, the landscape of web encryption has changed dramatically in the eleven years since then.
We can get an idea of how far the log has come by looking at the status of the web report of the HTTP archive. In 2016 – six years after HTTPS Everywhere first launched – the HTTP archive recorded encrypted connections for less than one in four sites crawled. In the five years since then, that number has skyrocketed – as of July, the archive is crawling nine out of ten websites over HTTPS. (Google’s transparency report shows a similar history using data submitted by Chrome users.)
While the increasing organic adoption of HTTPS influenced the EFF’s decision to discontinue the plugin, it is not the only reason. More importantly, the automated upgrade from HTTP to HTTPS is now natively available in all four major consumer browsers – Microsoft Edge, Apple Safari, Google Chrome, and Mozilla Firefox.
Unfortunately, Safari is still the only mainstream browser that enforces HTTPS traffic by default – which likely influenced the EFF’s decision to end HTTPS Everywhere by next year. Firefox and Chrome offer a native “HTTPS Only” mode that must be activated by the user, and Edge offers an experimental “Automatic HTTPS” from Edge 92 onwards.
If you only want to natively enable HTTPS / automatic HTTPS in your browser of choice today, we recommend checking out the EFF’s own announcement, which includes both step-by-step instructions and animated screenshots for each browser. After enabling your browser’s native HTTPS upgrade feature, you can safely disable the soon-to-be-out-of-date HTTPS Everywhere plug-in.
Collection image from Rock1997 / Wikipedia