Monday, November 26, 2012

Why I installed "HTTPS Everywhere"

I was taking a look at how cookies are handled between YouTube and, since it uses I then set up a proxy in Google Chrome in order to have a quick look and maybe replay the request. I went to YouTube (which is in plain HTTP, by the way) and then I typed "". I saw cookies from YouTube and a warning from Google that the certificate wasn't right, but I also saw this for :

Those are the same cookie names as the HTTPS version.

Fortunately, Google does it right, and when I tried to steal my own session by using these in HTTPS, it failed with a redirection to for the login mechanism. I did not try anything more.

I'm pretty sure many sites aren't that careful, so I installed HTTPS Everywhere. With the plugin installed, the request to the HTTP version is not sent when I type "" in my URL bar.

By the way, it is made by the EFF and the Tor Project. It's available for Firefox and Chrome:
