How to use Enforce Encryption
- Go to the encrypted (HTTPS) version of the webpage.
- Right-click somewhere on the page and choose "Page Info" from the menu.
- Switch to the "Security" tab.
- Make sure that the checkbox next to "Enforce encrypted connection?" is checked.
The setting applies to all pages of a site. You can also uncheck the checkbox to allow unencrypted connections for this site again.
Why you should care about encrypting connections
If you use an unencrypted connection then everybody can listen in and see or manipulate all data that is being transmitted. They can learn what you like reading, they can impersonate you on the services you are using and they can inject their content into the webpages you are viewing. That content might be a fake news article, advertising or even malicious code intended to infect your computer.
How do people listen in? They can do this for example by being in the same public wireless hotspot as you, or by being an employee of your Internet provider, or by working for a government agency like the NSA. If you use encrypted connections then you make spying on you or messing with you a lot harder.
How Enforce Encryption helps
Many websites support both encrypted and unencrypted connections. If you are lucky, your password will be sent over an encrypted connection but other than that you have to switch to HTTPS manually. However, remembering this is very tedious, e.g. when you get to the website via a search engine or an old history entry.
There are other websites that will always redirect you to an encrypted version of their website. However, before they can redirect you, your browser will contact the website over an unencrypted connection - and that's a chance for an attacker to manipulate the request and to keep you on an unencrypted connection (SSL Stripping). And if you don't pay attention you've lost.
Firefox has a built-in mechanism that can solve both issues by making sure that you always visit a website over an encrypted connection. However, this mechanism requires the website to opt in via the Strict Transport Security header - and so far many websites still don't do it. The Enforce Encryption extension makes this setting accessible via the Page Info dialog, so you can enforce encrypted connections even for websites that didn't opt in.
Known limitations
- Unchecking "Enforce encrypted connection" won't produce the expected results for websites that opt into Strict Transport Security - the checkbox will be active again after you reload the page.
- A website can determine that all of its subdomains should be opted into Strict Transport Security. Unchecking "Enforce encrypted connection" on such subdomains won't work.
Want more features?
Enforce Encryption is intentionally kept simple. If you want to manage all aspects of Strict Transport Security you can use the Force-TLS extension.
Source code / Contributing
The extension source code is available under https://github.com/palant/enforceencryption
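The Strict Transport Security opt-in and the two items under "Known limitations" both follow from how a browser records the header. The sketch below is an added example, not code from Enforce Encryption or Firefox: it parses the header as RFC 6797 describes and shows which recorded policy forces HTTPS for a host. The function names (`parseHsts`, `buildStore`, `enforcedBy`) are hypothetical and the sample hosts are constructed.

```javascript
// Added example (not Enforce Encryption's code): RFC 6797 header handling.
// Returns {maxAge, includeSubDomains}, or null if the header must be ignored.
function parseHsts(headerValue) {
  const policy = { maxAge: null, includeSubDomains: false };
  const seen = new Set();
  for (const part of headerValue.split(";")) {
    const directive = part.trim();
    if (directive === "") continue;
    const eq = directive.indexOf("=");
    const name = (eq < 0 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    let value = eq < 0 ? "" : directive.slice(eq + 1).trim();
    if (seen.has(name)) return null;            // each directive at most once
    seen.add(name);
    if (/^".*"$/.test(value)) value = value.slice(1, -1); // quoted-string form
    if (name === "max-age") {
      if (!/^\d+$/.test(value)) return null;
      policy.maxAge = Number(value);
    } else if (name === "includesubdomains") {
      if (eq >= 0) return null;                 // directive takes no value
      policy.includeSubDomains = true;
    }                                           // unknown directives are ignored
  }
  return policy.maxAge === null ? null : policy; // max-age is required
}

// Records policies from [host, header] pairs seen on HTTPS responses.
function buildStore(observed) {
  const store = new Map();
  for (const [host, header] of observed) {
    const policy = parseHsts(header);
    if (policy === null) continue;
    if (policy.maxAge === 0) store.delete(host.toLowerCase()); // max-age=0 clears the entry
    else store.set(host.toLowerCase(), policy);
  }
  return store;
}

// Returns the host whose policy forces HTTPS for `host`, or null.
// Simplification: expiry of max-age over time is not tracked.
function enforcedBy(host, store) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    const policy = store.get(candidate);
    if (policy && (i === 0 || policy.includeSubDomains)) return candidate;
  }
  return null;
}

// Constructed sample observations using reserved example domains.
const SAMPLE = buildStore([
  ["example.com", "max-age=31536000; includeSubDomains"],
  ["example.org", "max-age=600"],
  ["example.net", "max-age=0"],
]);
```

Here `enforcedBy("www.example.com", SAMPLE)` names the parent domain, which is the second limitation: the subdomain is covered by a policy it did not set itself.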