Large

"HTTPS, please!"

By Sebastian Lang Last update Nov 1, 2010 — Installed 5,043 times.

Script Summary: Switch transfer protocol automatically to HTTPS on (nearly) every! host who provides these type of encrypted connection.



Version: 0.1.3

Copyright: Creative Commons Attribution-ShareAlike 3.0 Unported (CC-BY-SA 3.0)

License: http://creativecommons.org/licenses/by-sa/3.0/

Thumb Thumb

Attention, please!

There are some small bugs in the current version 0.1.3 which (hopefully) will be fixed in the next version.

But the development of "HTTPS, please!" is currently freezed!

Why?
It´s more secure (and more effective) to change the transfer protocol with an Add-On and not with a Userscript !!!
There are several well developed Add-Ons which do this task pretty good ( I´ve tested it with "NoScript" but  "HTTPS  Everywhere" should be fine too).

With an Add.On it`s not only possible to change the transfer protocol of all elements from a given webpage - no matter if visible or hidden (e.g. scripts and stylesheets). "NoScript" for example is also able to try to convert unsecure cookies into secure cookies to prevent session hijacking (see also Firesheep).

I strongly encourage you to use a Add-On for all links which you`ve included into your personal filterlists (or which are included in the first predefined whitelist of "HTTPS, please!").


"So, for what can I use "HTTPS, please!" in future?"
You`ll be able to use "HTTPS, please!" in the same way like now but in future the main task of "HTTPS, please" will be the detection of sites which support the https protocol.

The personal filterlists will remain in "HTTPS, please!" and the source code will be worked-over therewith Regular Expressions (RegExp) can be used.

And at least there will be several small new features.


Thanks for notice and your patience!


with best regards,
Sebastian Lang


How "HTTPS, please!" works

"HTTPS, please!" operates in 3 steps:

 

1  Personal Blacklist and Personal Whitelist


"HTTPS, please!" works with four filterlists. The personal filterlists are the first two of them.
They contain no predefined entries but you can add or remove user-defined hosts via the Greasemonkey menu. Your personal filterlists are stored in your browser (about:config -> "Greasemonkey") and won`t be erased/overwritten by closing the browser or during an update! (Note: The personal blacklist is not fully implemented into the script at the moment).
When loading a website "HTTPS, please!" checks these two lists first .

If the host is booked in the blacklist "HTTPS, please!" does not change the transfer protocol to https even if the host is booked in one of the other filterlists.

If the host is booked in the whitelist "HTTPS, please!" redirects automatically to the http secure (https) protocol.

If the host can not  be found in the personal filterlists "HTTPS, please!" goes on to check the predefined filterlists.
 
 

2  Predefined Filterlists


If the host was not found in of the personal filterlists "HTTPS, please!" checks two predefined filterlists. The predefined filterlists contain various known hosts who support https connections.

Sites included:
 

amazon.co.uk

google.com

facebook.com

mozilla.org

twitter.com

wikipedia.org

wordpress.com

virustotal.com

youtube.com

 
and more than 300 others ...
 
 
The predefined filterlists can be edited with a texteditor. BUT changes will be overwritten during an update! If you have found a bug please post it under " //  Bug Report  // " or send me a message. If you know a site which supports https and you think it should be added to a predefined filterlist post it under "//  Submit new link  // " or send me a message. Thank you!
 
If the currently visited host is booked in one of the two predefined filterlists "HTTPS, please!" redirects to the https protocol.

If the host of a link on the website is booked in a predefined filterlist "HTTPS, please!" overwrites the protocol of the link from http to https.
 
  

3  Request for HTTPS connection


 
If the host is not booked in one of the four filterlists "HTTPS, please!" can automatically send a request over the https protocol to the host. If the status code of the answer is 200 (which means "ok" or "successfull request") "HTTPS, please!" redirects to the https protocol. You can enable/disable this feature via the Greasemonkey menu.

Note: This feature is disabled by default !
 
 
  
 
   
 
Additional information can be found on Wikipedia:    HTTP     List of HTTP status codes     HTTP Secure 
 
     

Important Notes!

  

Be careful using  "HTTPS, please!" with tools like TOR


"HTTPS, please!" could send a request over the https protocol to every host which is not in one of the filterlists. This happens when the option "Check unknown hosts" in the Greasemonkey menu is active and the host was not found in one of the filterlists. This is a uncommon behaviour and could decrease your level of anonymity. Select "DO NOT check unknown hosts" in the Greasemonkey menu to disable this feature. 
 
 
 

"HTTPS, please!" stores the last visited host as "encrypted" string


"HTTPS, please!" stores the last visited host in a variable as "encrypted" string (about:config -> "oldHost") to detect redirects from https to http (see Known Issues below). The applied "encryption" is just a simple algorithm:
var CurrentHost = window.location.host;

CurrentHostCryp = CurrentHost.charCodeAt(0)+CurrentHost.charCodeAt(1)*2
+CurrentHost.charCodeAt(4)*2+CurrentHost.charCodeAt(CurrentHost.lenght-5)*2;

GM_setValue("oldHost",CurrentHostCryp);
The variable CurrentHostCryp is a number which will be saved in "oldHost". This number is not unique. Different hosts can amount to the same number which is good for privacy reasons. The algorithm is convenient to hind anybody from getting your last visited host by just typing "about:config" in the adress bar. The variable "oldHost" will not be erased/overwritten by just closing your browser. If needed you can overwrite it by visiting a non private host of your choice.
 
 

    Known Issues

    Login window appears (access authentication)
    The access to the directory is restricted and a valid username and password is required.
       
    Continous redirects from HTTPS to HTTP and back
    This happens when https is activated at the host and there is a redirect established (from https  to the http version). The http status code is still 200 and through this "HTTPS, please!" redirects again and again.

    Workaround in version 0.1.1 reduces the number of reloads to one. 

     
    Various error messages -  like:
    sec_error_ca_cert_invalid
    This error is given from the browser when the certificate is not valid. See links below for more information.
    ssl_error_rx_record_too_long
    This error can appear when the apache server is incorrect or incomplete configurated. Several reasons are possible. Use a Search Engine for more information, please.
     
     

    These issues are not caused by "HTTPS, please!" itself. They would also appear when visiting the host with "HTTPS, please!" disabled. But for all that I´m hoping to find a smart solution. More information about errors when loading secure sites can be found in the SSL Reference on mozilla.org or in the mozillaZine
    "HTTPS, please!" is curently in version 0.1.2. So please be patient and submit feedback or suggestions! Thank you!
     

    Changelog

        0.1.3                       -     Links on a page will be overwritten to https if their host was found in a predefined Filterlist
        2010-11-01           -     Improvements on the Greasemonkey Menu:
                                              -     options to remove hosts from Personal Black- and Whitelist,
                                              -     more user-friendly
                                        -     The variable "oldHost" will now be "encrypted" to protect privacy.
                                        -     Several new hosts added to the predefined filterlists
                                        -     Small improvements on the integrated monitoring/bugtracking system

        0.1.2                       -     Personal Filterlists added (white- and blacklist)   
        2010-10-17           -     Several new hosts added to the predefined filterlists
                                        -     Variables which are no longer required will be overwritten at the end of the script

        0.1.1                       -     Additional Filterlist (#1) added
        2010-10-15           -     Option to disable/enable "check unknown sites" via Greasemonkey menu added
                                        -     Workaround for issue of continous reload on redirects added

        0.1.0                       -     Initial release
        2010-10-11
      

                       / / /         Keep your money - Feedback is desired !          / / /

    created with: Firefox  Notepad++  KompoZer  FastStone Capture and Gimp

    with help from: 

     

    back to top