For example, I type superuser.com in the browser bar of Firefox, but it automatically goes to the HTTP site. I want the HTTPS site by default.
Asked
Active
Viewed 1.3k times
39
-
7`https://superuser.com` works for me. – DavidPostill Jul 16 '16 at 15:38
-
6Please clarify: Are you asking for a solution for [su] *specifically*, or do you want *all* web-type requests to go over HTTPS if you don't explicitly specify HTTP as the protocol? – user Jul 16 '16 at 20:22
-
2Just curious, why would you use HTTPS on Stack Exchange? – ysap Jul 17 '16 at 02:01
-
10@ysap Because I don't want someone to steal my credentials? See [this post](https://webmasters.stackexchange.com/questions/96238/what-is-the-benefit-of-forcing-a-site-to-load-over-ssl-https) – cat Jul 17 '16 at 02:58
-
16@ysap , also by using HTTPS everywhere you help others - including future you. Maybe *now* you don't have any reason (that you know of) to keep the connection encrypted, but maybe in the future you will have one; by using HTTPS even when "not needed", you provide plausible deniability. In the same vein, if everyone uses HTTPS everywhere, then you can use HTTPS without automatically singling yourself out. Finally, the more websites use HTTPS, the more pressure on non-HTTPS sites to update. – hmijail Jul 17 '16 at 13:32
-
2@cat True, but Super User (and all of Stack Exchange) does use HTTPS for the login pages; the rest of the time sensitive areas are secured using a complicated token system. – AStopher Jul 17 '16 at 21:19
-
@cybermonkey Right but that's only 1 of the many bullet points in the post cat linked. – Insane Jul 18 '16 at 09:06
-
2@ysap lots of reasons. a/ because you don't trust whoever is providing the network, b/ because you don't trust everyone on that network. c/ because you don't trust the whole chain of routing. Trust that: a/ they don't alter what you are receiving (adding ads, censoring words...) b/ they don't alter what you are sending (which can be bad) c/ they don't capture and reuse your credentials (very bad) d/ they don't intercept confidential information (but if confidential information is transmitted over http, you probably have bigger problems) – njzk2 Jul 18 '16 at 13:31
-
@ysap another good reason is [HTTP2](https://en.wikipedia.org/wiki/HTTP/2) – Gruber Jul 18 '16 at 15:19
-
Firefox 76 has this feature now built-in!! – Melroy van den Berg Dec 02 '20 at 03:58
3 Answers
70
Another alternative is HTTPS Everywhere. It's available for Firefox, Chrome and Safari.
Since it is developed from the collaboration between EFF and the TOR project, I tend to believe this plugin more.
It's also open source and available under GPLv3 license.
Sibi
- 701
- 5
- 8
-
4Unfortunately, there is a bug which breaks the web socket related live updates on SE last I checked and reported it. – Alexander O'Mara Jul 17 '16 at 06:54
-
Where is the download for safari with site only mentions chrome and FF? – 2426021684 Jul 17 '16 at 23:11
-
@2426021684 Checkout the first link in my answer. You will find the links there. – Sibi Jul 18 '16 at 10:39
-
6Please note that HTTPS Everywhere has a slightly misleading name. It's rule-based, so you need manually "whitelist" a website to be forced to go for HTTPS instead of HTTP if they're not [pre-configured with the addon](https://www.eff.org/https-everywhere/atlas/). It should be named **"HTTPS Everywhere Configured In the Ruleset"**. – Adi Jul 18 '16 at 15:06
17
Firefox addon "HTTPS by default" works: https://addons.mozilla.org/en-US/firefox/addon/https-by-default/?src=ss
mattdm
- 2,781
- 21
- 28
Ian Kelling
- 945
- 2
- 8
- 15
-
If my memory serves me right, this is the way to go for the time being. I do remember reading somewhere about various privacy oriented firefox derivatives coming with this addon, such as the tor brovser. – Jarmund Jul 16 '16 at 16:01
-
1
-
3@DavidPostill HTTPS Everywhere works just fine with SE, but you might need to turn on the "Stack Exchange (partial)" rule set manually. – user Jul 16 '16 at 20:21
-
-
1@DavidPostill That's because [SE hates HTTPS on Meta](https://meta.stackexchange.com/questions/265918/accessing-per-site-metas-gives-403-forbidden-from-cloudflare-nginx) ;) which should hopefully be fixed soon since CF is gone away – cat Jul 17 '16 at 02:57
-
@Mehrdad The question is specifically about Firefox, so I don't really see how Chrome would be relevant here? Though you certainly could post a separate question that asks about Chrome instead of Firefox, but in that case, *please* make it slightly clearer than this one... (see comment to question) – user Jul 17 '16 at 18:29
-
@MichaelKjörling Do you have a pointer on how to do this (turn on the "Stack Exchange (partial)" rule set manually)? – DavidPostill Jul 18 '16 at 15:41
-
@DavidPostill "Pointer" I don't know... click the HTTPS Everywhere icon in the toolbar and make sure it isn't crossed out. – user Jul 18 '16 at 18:00
2
Well, you can't do this automatically, there is no option in Firefox, like browser.urlbar.*, for this.
So you either use one of the browser extensions mentioned in the other answers here, or as I'd suggest (avoiding usage of browser extensions you don't really need), just make sure that you bookmark https://superuser.com instead of http://superuser.com.
Now you can just type superuser.. in the browser bar and find the right link.
You can also restrict the suggestions in the url bar by using specific characters, for example, using * somtehing (Asterisk) only finds matches in your bookmarks.
More examples: here
One more thing about HTTPS Everywhere: In addition to the issue with requiring predefined rules (as mentioned here in this comment), there is (or was, maybe they adressed this in the meantime) also the problem that HTTPS Everywhere saves the user preferences into the prefs.js inside your Firefox profile directory.
So you end up with a lot of user_pref("extensions.https_everywhere.SITE, BOOL); lines in your prefs.js, maybe even thousands of entries that increase the size of this file and slows down load time. Not to mention possible privacy issues.
