How to use Enforce Encryption
- Go to the encrypted (HTTPS) version of the webpage.
- Right-click somewhere on the page and choose “Page Info” from the menu.
- Switch to the “Security” tab.
- If it says “No” next to “Enforce encrypted connection?” click “Start enforcing”.
The setting applies to all pages of a site; the browser will always send you to the encrypted version automatically. You can also click “Stop enforcing” to allow unencrypted connections for this site again.
Why you should care about encrypting connections
If you use an unencrypted connection then everybody can listen in and see or manipulate all data that is being transmitted. They can learn what you like reading, they can impersonate you on the services you are using and they can inject their content into the webpages you are viewing. That content might be a fake news article, advertising or even malicious code intended to infect your computer.
How do people listen in? They can do this for example by being in the same public wireless hotspot as you, or by being an employee of your Internet provider, or by working for a government agency like the NSA. If you use encrypted connections then you make spying on you or messing with you a lot harder.
How Enforce Encryption helps
Many websites support both encrypted and unencrypted connections. If you are lucky, your password will be sent over an encrypted connection, but other than that you have to switch to HTTPS manually. However, remembering to do this is very tedious, e.g. when you get to the website via a search engine or an old history entry.
There are other websites that will always redirect you to an encrypted version of their website. However, before they can redirect you, your browser will contact the website over an unencrypted connection – and that’s a chance for an attacker to manipulate the request and to keep you on an unencrypted connection (SSL Stripping). And if you don’t pay attention you’ve lost.
Firefox has a built-in mechanism that can solve both issues by making sure that you always visit a website over an encrypted connection. However, this mechanism requires the website to opt in via the Strict Transport Security header – and so far many websites still don’t do it. The Enforce Encryption extension makes this setting accessible via the Page Info dialog; this way you can enforce encrypted connections even for websites that didn’t opt in.
- Clicking “Stop enforcing” won’t produce the expected results for websites that opt into Strict Transport Security – the enforcement will be active again after you reload the page. These websites can also make Strict Transport Security expire after an arbitrary time (can be as short as 1 second), regardless of what you do with this extension.
- A website can determine that all of its subdomains should be opted into Strict Transport Security. Clicking “Stop enforcing” on a subdomain won’t do anything.
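To make the two caveats above concrete, here is an added example (not code from the extension or from Firefox) that models how a browser records a site’s Strict Transport Security opt-in and later decides whether a host must be upgraded to HTTPS. The header syntax follows RFC 6797; the store layout, function names and host names are constructed for illustration.

```javascript
// Added example: a minimal model of a browser's Strict-Transport-Security (HSTS)
// store, showing why max-age (expiry, as short as 1 second) and includeSubDomains
// decide whether "Stop enforcing" has any lasting effect. Not the extension's code.

// Parse an HSTS header value into {maxAge, includeSubDomains}, or null if invalid.
function parseHsts(headerValue) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const raw of headerValue.split(';')) {
    const directive = raw.trim();
    if (!directive) continue;
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? null : directive.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    if (name === 'max-age') {
      // RFC 6797: max-age is required, must appear once, and is a non-negative integer.
      if (maxAge !== null || value === null || !/^\d+$/.test(value)) return null;
      maxAge = Number(value);
    } else if (name === 'includesubdomains') {
      includeSubDomains = true;
    }
    // Unknown directives (e.g. "preload") are ignored, as the RFC requires.
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

// Record a site's opt-in, as the browser does after an HTTPS response carries the
// header. max-age=0 tells the browser to forget the entry ("store" is a constructed
// plain object keyed by host name; nowMs is the current time in milliseconds).
function recordHsts(store, host, headerValue, nowMs) {
  const parsed = parseHsts(headerValue);
  if (!parsed) return;
  if (parsed.maxAge === 0) { delete store[host]; return; }
  store[host] = { expires: nowMs + parsed.maxAge * 1000,
                  includeSubDomains: parsed.includeSubDomains };
}

// Should `host` be upgraded to HTTPS at time nowMs? Checks the host itself and every
// parent domain whose entry has includeSubDomains set; expired entries are ignored.
function isEnforced(store, host, nowMs) {
  const labels = host.toLowerCase().split('.');
  for (let i = 0; i < labels.length - 1; i++) {   // stop before the bare TLD
    const candidate = labels.slice(i).join('.');
    const entry = store[candidate];
    if (!entry || entry.expires <= nowMs) continue;
    if (i === 0 || entry.includeSubDomains) return true;
  }
  return false;
}
```

A site sending `max-age=1; includeSubDomains` re-enables enforcement for itself and every subdomain on each reload, and lets it lapse a second later, regardless of what the extension’s button was set to.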
Source code / Contributing
The extension source code is available under https://github.com/palant/enforceencryption.