This extension doesn't always work! I manually enabled Force-SSL for some sites, but the extension secured only part of the HTTP requests (not all of them). This was verified with a proxy server (Fiddler).
I think developers of Force-TLS should do more testing, especially with forms (with non-HTTPS targets), 302 redirects and other non-standard situations.
Force-TLS uses a "redirect to https" mechanism that's imperfect, and I'm working to try and fix that for Firefox 3.6 and earlier -- it's not simple.
Firefox 4 and later have much better support for changing non-https connections to https ones, and if you install version 3 of Force-TLS you can have the UI but the add-on will use the far superior built-in HTTPS-forcing features of Firefox 4.
Please email specific issues to firstname.lastname@example.org and I'll try to fix them!
I've found the button for manually adding sites, but not for automatically launching them securely. It would be nice if there was a button in my status bar thing (the bottom panel in Firefox) that would add/remove sites. Also, a universal always use HTTPS would be nice. There could then be a manual override or a blacklist type feature. Most sites I go to I really wouldn't mind the 2% overhead of knowing I'm a lot more secure.
For those that don't know: When you use https or any form of encryption for that matter there is a slight overhead (extra bandwidth) needed to send the encrypted data. This is because of two things:
1.) encrypted traffic is usually bigger than non-encrypted traffic.
2.) To enable the encryption a bit of data must first be sent back and forth so that using the magic of math both the server and your computer can learn to speak an encrypted language that no one else can understand. For more on this you could probably google cryptology.
Thanks for the review! If you've got thoughts on additional GUI features that would come in handy, please send an email to email@example.com and I'll take a look!
Great extension Sid. However I have some suggestions:
- Enabling the options button in the add-ons list so users will be able to remove the "Force TLS Configuration" tools menu entry if they want.
- Adding editing capabilities for each entry.
- Adding an option for creating and editing entries which, for 2ndlevel.1stlevel, www.2ndlevel.1stlevel and www#.2ndlevel.1stlevel addresses, makes them inherit the same setting as the address entry containing the 2ndlevel.1stlevel pair (or more levels), whatever form the address has, avoiding some potentially redundant duplicate entries.
- Adding import and export list buttons.
- Enabling Force-TLS to translate URLs to custom https URLs, i.e., if I create an entry en.wikipedia.org, Force-TLS cannot translate it to its equivalent https://secure.wikimedia.org/wikipedia/en/wiki/
Thx in advance.
Hi strelnic. Thanks for the ideas! The next version of the add-on should have the options/preferences button enabled. I'm not sure why you'd want editing capabilities, since really you either force a site or not. Import/Export are a fine idea, and I'll try to get that into an upcoming version.
With respect to the site-rewriting rules, the Strict-Transport-Security specification doesn't provide for these, and this add-on is made for that spec. I probably won't be adding that functionality. HTTPS-Everywhere does this.
I am giving 5 to this provided my problem below can be solved.
I may be having the same problem as FourTwoOmega. When I key in a webpage to add to the list it disappears as soon as I press 'Add Site' and nothing gets added. I have tried with several different addresses. Could there be a conflict with another add-on or do I need to change any settings in Firefox?
This could be a conflict with another add-on, but is likely a corrupt profile. Try creating a new, clean profile and installing only Force-TLS. If it works, then migrate your bookmarks and stuff over and start installing other add-ons.
Works very well, although I have encountered two issues. 1st, it blocks Facebook chat, one of the only features I use on that site. 2nd, it crashes AOL. Yea, I know AOL is obsolete, but it is one of my oldest accounts and I still use it to communicate with family and have saved information I still use frequently. I wish I could figure a way around these issues because this extension is great, especially now with the Firesheep threat.
Please Update it for Firefox 4.0b6
Hi TBABlackPanther. Firefox 4.0 already has most of Force-TLS built in as a feature called Strict-Transport-Security.
Version 3 of Force-TLS will work in Firefox 4!
This place is for Firefox, not for other browsers.
If you are looking for a plugin for Chrome, look for this one:
KB SSL Enforcer
Have just installed ForceTLS. So far there is no problem using it.
Force-TLS is definitely a good thing to have installed, especially now with things like Firesheep available to just anyone.
The only problem I'm having with it is that I can't add any sites manually; no matter what I enter for an address in the configuration window, nothing gets added, and the site still uses http by default (although stdout makes it appear that everything went fine).
Installation: What's up with being on this site yet getting two download warnings not to trust the source? Both can't be accurate.
Other versions? Like one for IE8 and/or Chrome?
This worked great with 3.6, but not 4.0b6. Any ETA for support? Thanks!
Most of ForceTLS is already built into Firefox 4! To get the UI bits, you want to use the STS-UI add-on: https://addons.mozilla.org/en-US/firefox/addon/246797/
Got Facebook to work with no problems so far, got Google to work with a bit of effort as well. However, adding amazon.com presents a "This Connection is Untrusted" message. I shouldn't even have to add Amazon because you'd think a shopping site would use a secure connection. I also agree with the others that a list should be added.
Hi Jesuszilla. Not all sites are configured properly for completely secure access. ForceTLS may break sites if you add them to the list yourself.
I installed this and added a few sites to the list. After adding www.facebook.com, my profile picture no longer shows up on my profile or on any of my posts. After removing Facebook from the list, the picture shows up fine.
You should try adding facebook.com (instead of "www.facebook.com"), and tick the "include subdomains" check box too. Hopefully this will help. Facebook doesn't serve all of its content from one domain, so there might be some strange behaviors when using ForceTLS with the site. I tried it myself, and Facebook seemed to work fine, but send an email to the contact for this add-on if you want some help troubleshooting.
Thanks, all Vietnamese ISPs suddenly block Facebook w/o further notice or reasons, and even OpenDNS can't bypass. Thanks for your add-on, we again can experience media's freedom.
Great add-on! Two of my webmail accounts were not secure (and one from my ISP!), so this helps out a lot. And like gishpuppy, my paranoia is subsiding! Thanks Sid for the add-on and your outstanding support (I had a minor problem he helped me resolve in a timely and very customer-friendly way)!
You rock. This should be mainstreamed now.
I report a problem. When I forced some Google services, e.g. Google Reader, Calendar, to use SSL, it shows as *.www.google.com and the search function in the quick search doesn't work any more, i.e. if you type the keywords in the search and press Enter, no results are shown.
No longer works with 3.7a2pre; it doesn't force sites to https for me any longer :( Now I'm unsecure.
GREAT extension, this should have been integrated into Firefox 3.5!
Maybe... Firefox will finally "get it" before 4.0 comes out, LOL.
If it wasn't for extensions like this, NoScript, Request Policy, Ghostery, Redirect Cleaner, Better Privacy, etc., etc., Firefox would be just as insecure as IE8.
Glad you like it! Good news: we are actually working on an implementation of Force-TLS (known now as Strict-Transport-Security) in Firefox. For more details see:
Great, this add-on is very good.
This is a nice implementation that you're working on here, Sid.
Please keep working on this, I don't know why Firefox hasn't fixed this issue. We need this add-on.