Zscaler adds IE version of HTTPS Everywhere security tool
Clud services provider releases Internet Explorer version of the Firefox and Chrome HTTPS Everywhere browser security extension
IDG News Service - Cloud-based security services provider Zscaler has released an implementation for Internet Explorer of the HTTPS Everywhere browser security extension.
HTTPS Everywhere forces the browser to always connect over HTTPS (HTTP Secure) to popular websites that support the secure communication protocol but don't enable it by default. The extension also sets the "secure" flag for authentication cookies, preventing them from being transmitted over unencrypted connections.
Some HTTPS-enabled sites fail to set this flag for authentication cookies because they expect users to automatically be logged in even when they access the HTTP versions of the site. However, this allows attackers who compromised a network's gateway or who can sniff traffic on an unprotected wireless network, to steal the cookies from users and hijack their accounts.
HTTPS Everywhere was originally released as an extension for Mozilla Firefox in 2010 and is jointly developed by the Electronic Frontier Foundation (EFF), a digital rights watchdog organization, and the Tor Project, the creators of the Tor anonymity software. A version for Google Chrome has also been released since then.
Version 0.0.0.1 of HTTPS Everywhere for Internet Explorer was released Monday and was developed independently of the EFF or the Tor Project by Zscaler senior security researcher Julien Sobrier.
The IE implementation replicates the core functionality of the official Firefox and Chrome HTTPS Everywhere extensions and includes their default rule sets for popular websites. However, some additional features like the ability to create custom rules or the support for the HTTP Strict Transport Security (HSTS) security policy are still missing.
"As the version number suggests, this is a very early release," Sobrier said Monday in a blog post. "I have been using the extension for several weeks without any problems, but it should be considered an alpha release."
The missing features will be added in future versions, the researcher said. For now, the primary goal is to share the source code for the IE version with the EFF and make it available through their website, he said.
In the meantime, people who want to use or try out HTTPS Everywhere for Internet Explorer can download it from a dedicated page on Zscaler's website.
However, this reporter had trouble accessing Wikipedia.org with the add-on enabled in the latest version of Internet Explorer 9 running on a 64-bit installation of Windows 7 Ultimate, so it seems that there are still some bugs to fix.
While this extension sounds like a good tool to have, it remains to be seen how many IE users will actually be interested in using it.
"IE users tend to be more passive and accepting of the default app, rather than adding DIY [do it yourself] extensions -- especially those with a security function," David Harley, a senior research fellow at antivirus vendor ESET, said Wednesday via email.
"I'm not convinced that it will be widely adopted unless Microsoft actually promotes it or, more likely, includes something similar in a future release," Harley said. "It might appeal to security hobbyists, but that's the group that's least likely to use IE."
Harley believes that adoption in corporate environments, where IE has a very strong user base, is also unlikely, at least with the extension's current limitations and at this early stage of development.
- Top 10 Reasons to Strengthen Information Security with Desktop Virtualization Regain control and reduce risk without sacrificing business productivity and growth
- Preventing Sophisticated Attacks: Anti-Evasion & Advanced Evasion Techniques McAfee Next Generation Firewall applies sophisticated analysis techniques specifically to detect advanced evasion techniques (AET).
- The Security Industry's Dirty Little Secret The debate over advanced evasion techniques (AETs) This report summarizes the findings of a McAfee commissioned research group to determine the level of understanding IT security professionals have about AETs...
- Demand More, Get the Most from the Move to a Next-Generation Firewall Beyond the basics in a next generation firewall, to protect your investment you should demand other valuable features: intrusion prevention, contextual rules, advanced...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!