EFF to deprecate HTTPS Everywhere extension as HTTPS is becoming ubiquitous
Image: EFF, The Record
Catalin Cimpanu September 25, 2021

EFF to deprecate HTTPS Everywhere extension as HTTPS is becoming ubiquitous

EFF to deprecate HTTPS Everywhere extension as HTTPS is becoming ubiquitous

The Electronic Frontier Foundation said it is preparing to retire the famous HTTPS Everywhere browser extension after HTTPS adoption has picked up and after several web browsers have introduced HTTPS-only modes.

“After the end of this year, the extension will be in ‘maintenance mode’ for 2022,” said Alexis Hancock, Director of Engineering at the EFF.

Maintenance mode means the extension will receive minor bug fixes next year but no new features or further development.

No official end-of-life date has been decided, a date after which no updates will be provided for the extension whatsoever.

Launched in June 2010, the HTTPS Everywhere browser extension is one of the most successful browser extensions ever released. The extension worked by automatically switching web connections from HTTP to HTTPS if websites had an HTTPS option available. At the time it was released, it helped upgrade site connections to HTTPS when users clicked on HTTP links or typed domains in their browser without specifying the “https://” prefix.

The extension reached cult status among privacy advocates and was integrated into the Tor Browser and, after that, in many other privacy-conscious browsers.

Progress in HTTPS adoption

But since 2010, HTTPS is not a fringe technology anymore. Currently, around 86.6% of all internet sites support HTTPS connections.

Browser makers such as Chrome and Mozilla previously reported that HTTPS traffic usually accounts for 90% to 95% of their daily connections.

But efforts to improve HTTPS adoption have not taken place at the website level. Since 2020, several major browser makers have launched HTTPS-only modes, where the browser will try to upgrade the connection from HTTP to HTTPS on its own or show an error message to users if an HTTPS connection is not found — doing natively what HTTPS Everywhere has been doing for more than a decade.

HTTPS-only modes are now available in Mozilla FirefoxGoogle ChromeMicrosoft Edge, and Apple Safari. Instructions on how to enable each of these modes are available below:

Firefox:

Preferences > Privacy & Security > (Scroll to Bottom) Enable HTTPS-Only Mode

Chrome:

Settings > Privacy and security > Security > Scroll to bottom > Toggle “Always use secure connections”

Edge:

  1. Visit edge://flags/#edge-automatic-https and enable Automatic HTTPS
  2. Hit the “Restart” button that appears to restart Microsoft Edge.

Safari:

No action is required. Safari will attempt to auto-upgrade all HTTP connections to HTTPS by default. Behavior added in Safari 15, released in September 2021.


In a report published in March 2021 analyzing the rollout of its HTTP-Only Mode, Mozilla said that Firefox upgraded HTTP to HTTPS traffic only for 3.5% of the web pages that its users tried to access.

The browser maker said that 92.8% of web pages were already loading via HTTPS connections, a sign that HTTPS was now ubiquitous and a reason why the EFF is now preparing to sunset one of its most successful open source projects.

Mozilla-study
Image: Mozilla

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.