TL;DR: I created a new extension called Enforce Encryption. See extension description for a simple explanation of how it works and why using encrypted connections is important.
I realized that Stack Overflow is one of the few websites that I use with authentication and yet over plain unencrypted HTTP connections. So, what if I just change http:// to https:// in the address bar? Surprisingly, this worked, even though Stack Overflow doesn’t support HTTPS officially (way too many links lead back to HTTP).
So, if I want to use Stack Overflow over HTTPS now, how do I do it? All my history items lead to unencrypted pages. But even if I clean out my history, I regularly get to Stack Overflow pages via search or links. Switching to HTTPS manually every time is just unrealistic. That’s something HTTP Strict Transport Security could help with: if it were active for that site, the browser would rewrite all links and history entries to HTTPS automatically before any request leaves the machine.
Now Strict Transport Security is something that the website itself needs to enable. I briefly considered manipulating a response from Stack Overflow to include the necessary header. However, a search on MXR revealed that
Only problem now: that approach doesn’t scale. There are other websites that should be using Strict Transport Security, e.g. google.com. If you simply type it into your address bar, the first request goes out over plain HTTP and only then gets redirected to HTTPS; that initial unencrypted request is exactly what attacks like SSL stripping exploit, since an attacker on the network can answer it and keep you on HTTP. A simpler way to check whether Strict Transport Security is enabled for a site, and to enable it if necessary, would be nice.
The HTTPS Everywhere extension sounds like it would work by utilizing Strict Transport Security but apparently it doesn’t. There is another extension called Force-TLS which actually allows managing all aspects of Strict Transport Security, but it does that via its own preferences dialog in the charming style of Mozilla Suite’s Cookie Manager from 2004. Better UI concepts have been developed since then, and this setting is something I would expect in the Page Info dialog.
So I simply wrote my own extension called Enforce Encryption (not reviewed by Mozilla yet, that should take a few weeks). It is very minimalistic; in the current version it is merely a hundred lines of code. All it does is add a checkbox to the Security tab of the Page Info dialog to enable or disable Strict Transport Security for the current site. It isn’t quite as flexible as Force-TLS, yet it should cover most use cases and be much easier to use. Enjoy!
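To make the mechanism behind all of this concrete, here is an added example (my own illustration, not code from Enforce Encryption, Force-TLS or Firefox): a minimal model of a browser’s HSTS policy store as described in RFC 6797. It parses the Strict-Transport-Security header, rewrites http:// URLs to https:// for known hosts, shows the unprotected first request that SSL stripping relies on, and shows what “enabling” a policy manually for a site that never sends the header (the checkbox’s job) amounts to. All function and class names, and the header values and URLs in the demo, are constructed for the example.

```javascript
// Minimal in-memory model of an HSTS (RFC 6797) policy store. Added example,
// not code from any real browser or extension; all names are constructed.

// Parse a Strict-Transport-Security header value. Returns null when the
// header is invalid (missing or duplicated max-age), which a browser ignores.
function parseStsHeader(value) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const rawDirective of value.split(";")) {
    const directive = rawDirective.trim();
    if (!directive) continue;
    const eq = directive.indexOf("=");
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    let val = eq === -1 ? null : directive.slice(eq + 1).trim();
    if (val !== null && val.startsWith('"') && val.endsWith('"')) val = val.slice(1, -1);
    if (name === "max-age") {
      if (maxAge !== null || val === null || !/^\d+$/.test(val)) return null;
      maxAge = Number(val);
    } else if (name === "includesubdomains") {
      includeSubDomains = true;
    }
    // Unknown directives are ignored, as the RFC requires.
  }
  if (maxAge === null) return null;
  return { maxAge, includeSubDomains };
}

class HstsStore {
  constructor(now = () => Date.now()) { this.now = now; this.policies = new Map(); }

  // Record a policy from a response. Only responses received over HTTPS count:
  // accepting the header over plain HTTP would let a network attacker plant one.
  processResponse(url, headerValue) {
    const u = new URL(url);
    if (u.protocol !== "https:") return false;
    const parsed = parseStsHeader(headerValue);
    if (parsed === null) return false;
    if (parsed.maxAge === 0) { this.policies.delete(u.hostname); return true; }
    this.setPolicy(u.hostname, parsed.maxAge, parsed.includeSubDomains);
    return true;
  }

  // Manual enable: store a policy without waiting for the site to send it.
  setPolicy(host, maxAgeSeconds, includeSubDomains) {
    this.policies.set(host.toLowerCase(),
      { expires: this.now() + maxAgeSeconds * 1000, includeSubDomains });
  }

  removePolicy(host) { this.policies.delete(host.toLowerCase()); }

  // Is a policy in force for this host? Checks the host itself and every
  // parent domain whose policy carries includeSubDomains; expired entries are dropped.
  isStsHost(host) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join(".");
      const p = this.policies.get(candidate);
      if (!p) continue;
      if (p.expires <= this.now()) { this.policies.delete(candidate); continue; }
      if (i === 0 || p.includeSubDomains) return true;
    }
    return false;
  }

  // Rewrite an http:// navigation to https:// when a policy applies. This is the
  // step that turns history entries and links into HTTPS before any request is sent.
  upgrade(url) {
    const u = new URL(url);
    if (u.protocol !== "http:" || !this.isStsHost(u.hostname)) return url;
    u.protocol = "https:";   // an explicit :80 was already normalised away by URL
    return u.toString();
  }
}

// Walk through the scenarios from the post with a fake clock (milliseconds).
function demo() {
  let clock = 1000;
  const store = new HstsStore(() => clock);
  const results = {};
  // Typing "google.com" with no policy known: the request goes out over plain
  // HTTP. This is the window SSL stripping exploits.
  results.firstVisit = store.upgrade("http://google.com/");
  // Constructed header, as the HTTPS redirect target would send it.
  store.processResponse("https://google.com/", "max-age=31536000; includeSubDomains");
  results.afterHeader = store.upgrade("http://google.com/search?q=hsts");
  results.subdomain = store.upgrade("http://mail.google.com/");
  // The same header over plain HTTP is rejected.
  results.httpHeaderAccepted = store.processResponse("http://stackoverflow.com/", "max-age=1");
  // Manual enable for a site that does not send the header itself.
  store.setPolicy("stackoverflow.com", 365 * 24 * 3600, false);
  results.manual = store.upgrade("http://stackoverflow.com/questions/1");
  results.manualSub = store.upgrade("http://meta.stackoverflow.com/"); // no includeSubDomains
  // Policies expire once max-age has elapsed.
  clock += 2 * 365 * 24 * 3600 * 1000;
  results.expired = store.upgrade("http://google.com/");
  return results;
}

console.log(demo());
```

The HTTPS-only rule in `processResponse` is the part worth remembering: the whole point of HSTS is that the policy is learned over an authenticated channel, so a header that arrives over HTTP must never be honoured. The manual `setPolicy` call is the equivalent of ticking the checkbox for a site that has not sent the header yet, and is just as effective for the browser afterwards.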
For reference, the source code is available on GitHub.