Eye-opening plugin. I like that it gives you the power to do something about the lack of security over which my personal stuff flies around the Internet. For example, I was surprised to discover that every single click on Facebook takes you to the http version of the site, even when you choose the SSL channel over and over again.
Introduces a little bit of browser latency on page load, and has some latency when switching channels.
I have made the choice at this time to not use EFF's 'HTTPS Everywhere' but, with or without the latter, 'SSL Button' is most and pertinent and valuable. I most appreciate it for bookmarked sites when I discover with this add-on that they have a SSL connection available. Nice achievement, positioned just left of the Urlbar, immediate notification. More than handy.
[MY APOLOGIES: when I foolishly tried to consolidate my original review with my later comments replying to developer, this apparently deleted the the developer's reply as well!]
Having a RED icon just because an https version of the site exists is too alarming for some users, and we don't want to numb them to red icons so that they ignore it when WOT, LinkExtend, Webutation, or other addons show a red icon.
Maybe use red only if the user has previously visited the https site, which indicates that he may have intended to do so this time. If I've never used the https version of google, I don't want to be so strongly told that it exists, though some less-alarming indication would be useful.
I do like the idea that it identifies an https alternative version of the site without automatically redirecting you there like Find Https(?).
Actually the feature I like best is that the add-on helps warn you when you're on an https site with certificate problems even when you've already entered an exception for it into firefox. As soon as you add the exception, most other ssl addons treat it as being just as safe as a site with no issues at all. Calomel (?) also warns of similar, but it is even more alarmist in displaying a huge blood-red icon even when the site merely isn't using the latest and greatest cryptographic strength, which isn't nearly as dangerous as a potential phishing site.
EDIT: THE REST OF MY REVIEW HERE IS MY RESPONSE to developer's reply down below.I've added a star for your prompt response and explanation.
Andrew, good points. But it isn't necessarily *less* dangerous to submit information insecurely just because there is *no* obvious ssl version of the page, so why "panic" only when there is an ssl version of the page. To me, a red icon should indicate whether there's unusual danger that you should look at carefully before doing *anything* on that site.
If the danger specifically relates to submitting sensitive information, I think any indication of this should ideally be at the input fields instead -- where did I see a browser that makes the field background a different color when it's secure? It would also be nice to know whether a secure version *exists*, but this part should look too alarming or it just desensitizes us to bigger dangers.
Certainly if you aren't on an open wifi hotspot, the biggest danger isn't that someone is going to steal the information that you're submitting to a legitimate site (and if it's a reputable site and there's no ssl version, they shouldn't be asking you for sensitive information anyway). The biggest danger is that you aren't on the site you think you're on, in which case switching to the ssl version of the same phony site isn't going to solve this problem! I would say that if you got there by following a link in email for example, why would the phisher have created an ssl version but directed you to the non-ssl one?
I wasn't suggesting that the add-on *store* any history, but only that you *read* history (if any exists) that's already been stored in the browser, to determine whether the user has visited the ssl version in recent months.
Also, how about trying to guess whether information is sensitive, like a password field or if the user is trying to submit a six-to-twelve digit (numeric) ID which may be an account number or social security/tax id or a date (possible birth date)?
I do like it to be obvious that one has a choice; maybe another option could be to automatically redirect to the https version the first time, or only when you've been to the ssl version before, but provide a button to go back to the non-ssl version (and remove the just-added ssl version from history so you won't go there automatically next time.)
[MY APOLOGIES: see my note all the way at the top above.]
i am thankful to u for creating such a simple add-on to work around the secured alternate ways with just one click. it is complete by itself u don't need anything else . i recommend for others to try it out.
This extension appears to work fine with Firefox 5.0, I'm not sure why it hasn't been updated to indicate it's compatible. I used Nightly Tester Tools to disable the extension compatibility check. Editing the install.rdf and manually overriding the version check also works. Please update the extension's version check, this is a handy extension.