Last Updated 2016-06
In this exercise, participants are introduced to the HTTPS Everywhere plug-in for Chrome and Firefox browsers. HTTPS Everywhere forces HTTPS for websites that offer such connections but do not automatically route users via HTTPS by default; likewise, if a site does not offer any kind of HTTPS connection, the plug-in alerts users to this fact.
If you download the plug-in file to distribute offline to participants, we recommend burning the file to a CD or placing it in a shared, read-only folder accessible to participants over a local network. We suggest these methods, rather than a USB flash drive, to avoid unintentionally spreading computer viruses.
The purpose of this exercise is to illustrate how the HTTPS Everywhere plug-in can help protect user network connections. This tool directs a browser to use SSL connections over HTTPS, either when an SSL version of a website is available or when the website has been included in the pre-populated list that HTTPS Everywhere’s developers update regularly.
Explain that some websites always provide a protected SSL (HTTPS) connection; for instance, all Google services offer session-wide, or from log-in to log-out, secure HTTPS connections. Twitter also now has this protection by default, as does Facebook.
Sometimes, though, a website will have an SSL connection available, but it won’t force users to connect via HTTPS - it’s also not always obvious that a website offers HTTPS in the first place if it isn’t forced.
To demonstrate, visit a website that provides both HTTP and HTTPS connections, but does not force that HTTPS protected connection - an illustrative and relatively well-known example is the Microsoft website:
- Visit the HTTP version of the site.
- In the URL bar, add “s” to “http://” to create an HTTPS connection; then, reload the page.
- Highlight the relevant icon - usually a small, locked padlock icon - that signals HTTPS is active.
- Remind participants that HTTPS connections are available on some websites, but not always automatically.
Mention immediately afterwards, if it has not yet been highlighted, that a browser add-on called HTTPS Everywhere can be useful in some of those cases!
Go to the official website of the Electronic Frontier Foundation, the developer of HTTPS Everywhere, to demonstrate to participants how to install the plug-in. Note that users of the Chrome browser will be redirected to the Chrome Web Store.
Then, ask participants to replicate these steps, downloading and installing HTTPS Everywhere on their browsers. Encourage them to test HTTPS with one or two of their favorite websites or news sources. Make a brief pass around the training area, confirming that participants have the add-on correctly installed.
As participants experiment with using HTTPS Everywhere themselves, take the opportunity to remind participants once more of the following key points:
- This tool directs a browser to use SSL connections over HTTPS, either when an SSL version of a website is available or when the website has been included in the pre-populated list that HTTPS Everywhere’s developers update regularly.
- The SSL encryption protocol used by HTTPS, while quite strong and reliable in many cases, only encrypts the channel through which data is travelling and not the data itself.
- A helpful comparison to make is to that of a drinking straw - if a straw is clear, an observer can see what kind of liquid is passing through it; if it is opaque, the liquid cannot be seen.
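For trainers who want to show how a pre-populated list can drive the HTTP-to-HTTPS rewrite described in the first key point, here is an added example (not HTTPS Everywhere's own code). The rulesets are constructed samples modelled on the target / exclusion / rule elements of HTTPS Everywhere rulesets, the hosts are placeholders, and `hostMatches` and `rewriteUrl` are hypothetical names.

```javascript
// Constructed sample rulesets, modelled on the target / exclusion / rule
// structure of HTTPS Everywhere rulesets. All hosts are placeholders.
const RULESETS = [
  {
    name: "Example shop",
    targets: ["shop.example", "*.shop.example"],
    // URLs matching an exclusion are left alone (e.g. a host with no HTTPS).
    exclusions: [/^http:\/\/legacy\.shop\.example\//],
    // Rules are tried in order; the first one that matches wins.
    rules: [
      { from: /^http:\/\/shop\.example\//, to: "https://www.shop.example/" },
      { from: /^http:/, to: "https:" },
    ],
  },
];

// True when `host` matches a target; "*.x" matches any subdomain of x
// (simplification: only a leading wildcard is handled here).
function hostMatches(target, host) {
  if (target.startsWith("*.")) return host.endsWith(target.slice(1));
  return target === host;
}

// Returns { url, status } where status is one of:
//   "already-https", "rewritten", "excluded", "not-listed"
function rewriteUrl(rawUrl, rulesets = RULESETS) {
  const parsed = new URL(rawUrl); // normalises scheme and host to lower case
  const href = parsed.href;
  if (parsed.protocol === "https:") return { url: href, status: "already-https" };
  if (parsed.protocol !== "http:") return { url: href, status: "not-listed" };
  for (const rs of rulesets) {
    if (!rs.targets.some((t) => hostMatches(t, parsed.hostname))) continue;
    if (rs.exclusions.some((re) => re.test(href))) {
      return { url: href, status: "excluded" };
    }
    for (const rule of rs.rules) {
      if (rule.from.test(href)) {
        return { url: href.replace(rule.from, rule.to), status: "rewritten" };
      }
    }
  }
  // The host is in no ruleset, so the request stays on plain HTTP.
  return { url: href, status: "not-listed" };
}
```

A host that merely ends in the same letters as a listed one (for example `evilshop.example`) is not matched, because the wildcard comparison includes the leading dot.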