Is "HTTPS Everywhere" still relevant?

HTTPS Everywhere certainly used to be more necessary during the days of mixed content and half-hearted website configurations. The web is certainly more mature nowadays, with technologies like HSTS which can be used by any site, and public key pinning for the bigger players (now deprecated in favor of Certificate Transparency - thanks to Justin for informing me).

So, whether the extension is useful depends heavily on your individual use case. Making custom rules for websites that serve both HTTP and HTTPS is something the extension excels at, and I'm not aware of any others that do a similar job. Even in situations where a website doesn't support HTTPS, the extension will ensure that any references to third-party domains such as CDNs will be upgraded to HTTPS, even if the original reference was protocol-neutral.


Speaking as a previous ruleset contributor to HTTPS Everywhere, I have the following to offer.

  • The HTTPS Everywhere project periodically tests all of their rewriting rules and disables those which fail for any reason. This ensures a relatively quick response to changing website configurations, but can lead to a significant portion of the rulesets being disabled unless significant maintenance effort is expended. Suggestions that the central rulesets should be supplemented mainly arise from ignorance that these central rulesets can and should be corrected. It's a matter of volunteer availability.

  • Significant progress has been made in moving the web to HTTPS-only, but many sites are still misconfigured and many more have not implemented the crucial HSTS preload protection needed to prevent first-connection attacks. Sites which implement this protection are shortly thereafter removed from HTTPS Everywhere's rulesets.

  • Web browser technology is very useful, but anything browsers do beyond the HSTS preload list is only nice to have. HTTPS Everywhere provides a stopgap for sites which have not enabled HSTS through the browser and essentially need a custom community-maintained HSTS configuration.

In summary, it does no harm to keep it installed. Bear with it for a few more years and hopefully all this will become redundant.


While improved awareness of HTTPS and HSTS has certainly brought security standards forward, there is still use for the HTTPS Everywhere extension:

HSTS is great at protecting against HTTP downgrade attacks but one thing to notice is that it is based on a trust on first use model. This means your first connection to the site must be through HTTPS or else the HSTS protection can be compromised (for example an HTTP to HTTPS 301 redirect is a window of opportunity for an attack).

HSTS normally protects against this with the HSTS preload list, a list of domains built into the browser which forces the first connection to use only HTTPS for those sites. However getting onto the list (and waiting for the change to be applied in browsers) takes some time and not every site bothers to register itself. This is where the browser extension helps out by ensuring all first connections are through HTTPS only.

Another smaller case is when the website's HTTPS is located on a different path from the usual. For example a website might have http://www.example while having their secure site on https://secure.example. HTTPS Everywhere keeps a database of domains to ensure you are going to the correct URL for HTTPS.

Footnote: public key pinning also helps, but even Chrome decided to remove it for low adoption rates and the potential for being a foot-gun.
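As an added example (not code from the HTTPS Everywhere project or from any of the answers above), the following Python models the two mechanisms the answers discuss: a simplified HTTPS Everywhere-style ruleset that rewrites http://www.example to https://secure.example (including protocol-relative references and an exclusion), and a check of a Strict-Transport-Security header against the preload-list requirements (max-age of at least one year, includeSubDomains, preload). The ruleset structure and hostnames are constructed for illustration; the real extension uses XML rulesets with target, exclusion and rule elements.

```python
import re
from dataclasses import dataclass, field

# Simplified model of an HTTPS Everywhere-style ruleset (constructed for this
# example): ordered (from-regex, to-replacement) rewrites plus exclusion patterns.
@dataclass
class Ruleset:
    name: str
    rules: list                                   # (compiled regex, replacement) pairs
    exclusions: list = field(default_factory=list)

    def rewrite(self, url: str) -> str:
        """Return the HTTPS URL for `url`, or `url` unchanged if no rule applies."""
        if url.startswith("//"):                  # protocol-relative reference, e.g. <script src="//cdn...">
            url = "http:" + url
        if not url.startswith("http://"):         # already HTTPS or not a web URL: nothing to do
            return url
        if any(p.search(url) for p in self.exclusions):
            return url                            # excluded paths are known not to work over HTTPS
        for pattern, repl in self.rules:
            if pattern.search(url):
                return pattern.sub(repl, url, count=1)
        return url

# Constructed ruleset mirroring the www.example -> secure.example case above.
EXAMPLE_RULESET = Ruleset(
    name="Example",
    rules=[
        (re.compile(r"^http://(www\.)?example\.com/"), "https://secure.example.com/"),
        (re.compile(r"^http://cdn\.example\.com/"), "https://cdn.example.com/"),
    ],
    exclusions=[re.compile(r"^http://www\.example\.com/legacy/")],
)

ONE_YEAR = 31536000  # seconds; minimum max-age accepted by the HSTS preload list

def check_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security header value and evaluate preload eligibility."""
    directives = {}
    for part in header.split(";"):
        k, _, v = part.strip().partition("=")
        if k:
            directives[k.lower()] = v.strip().strip('"')
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0                               # malformed max-age: treat as no policy
    sub = "includesubdomains" in directives
    pre = "preload" in directives
    return {"max_age": max_age, "include_subdomains": sub, "preload": pre,
            "preload_eligible": max_age >= ONE_YEAR and sub and pre}
```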