Zscaler HTTPS Everywhere Tool Comes to Internet Explorer

A researcher with Web security firm Zscaler has developed a version of the tool to redirect IE users to HTTPS versions of the sites they visit.

Internet Explorer users will now be able to get their hands on a free tool that forces the browser to use the HTTPS version of a site whenever possible.

Designed by Zscaler, the tool builds off the HTTPS Everywhere extension developed by the Electronic Frontier Foundation (EFF) and The Tor Project for the Mozilla Firefox and Google Chrome browsers. The Zscaler tool takes these capabilities to Internet Explorer, which the company said is used by 52 percent of the enterprise world as well as 49 percent of all Web users.

HTTPS layers the Hyper Text Transfer Protocol (HTTP) on top of the Secure Sockets Layer (SSL) protocol to add extra security to Web sessions. It is often used by Websites as a barrier to prevent man-in-the-middle attacks and to secure Website cookies.

"The use of hotspots in airports, coffee shops, etc., is becoming more and more prevalent," Julien Sobrier, senior security researcher at Zscaler's ThreatLabZ, told eWEEK. "Anybody on such open wireless networks can spy on unsecure HTTP traffic to gather personal information and user credentials. The same problems occur for people using Tor. By switching to HTTPS, users keep their information and credentials safe."

Many sites have recently taken to using HTTPS more extensively. For example, Facebook has moved to an always-on HTTPS for North American users. Twitter also moved to enable always-on HTTPS this year as well, and Google did the same for Gmail users back in 2010. Google also took the step of redirecting users signed into their Google accounts to the HTTPS version of Google.com to encrypt the searches they perform and the results they receive.

The HTTPS Everywhere tool by Zscaler has been in development for about six months, Sobrier told eWEEK. In a blog post, Sobrier explained that the tool works by redirecting users to HTTPS URLs based on a set of rules. Switching from HTTP to HTTPS is not as easy as it should be, as many domains have not designed their Websites to be accessed securely, he blogged.

"The HTTPS Everywhere rules define which domain name can be accessed over HTTPS and how URLs need to be translated," he wrote. "For example, http://www.google.com/ should be translated into https://encrypted.google.com/. Some sections of Websites may not be available over HTTPS and the rules take care of these exceptions."