Free Firefox Tool Fights Search Hijacking

A free tool for the Mozilla Firefox Web browser that can counter search hijacking on computer networks in the United States has been released by the Electronic Frontier Foundation (EFF) and the Tor Project.

The tool, called HTTPS Everywhere, has been in beta since June of last year. Version 1.0 of the tool adds support for hundreds of more websites.

According to a report that appeared in the New Scientist yesterday, millions of Internet users in the United States are having their search results hijacked and redirected by some Internet Service Providers (ISPs), using a service provided by a company called Paxfire. That company and an ISP were targeted in a class action lawsuit filed yesterday in New York by Reese Richman, a law firm that specializes in consumer protection, and Milberg, a firm most noted for its shareholder rights suits.


By monitoring web searches, the providers want to find out what websites are most popular with their users and turn that knowledge into cash, the report explained. HTTPS Everywhere can thwart such tactics, according to the EFF.

How HTTPS Everywhere Works

The tool--through a set of carefully-crafted rules--automatically shifts the browser's settings from an unsecure operating mode, HTTP, to a secure one, HTTPS. HTTPS can protect Web surfers from various Internet security and privacy problems, including search hijacking on U.S. networks.


EFF Senior Staff Technologist Peter Eckersley says "HTTPS secures web browsing by encrypting both requests from your browser to websites and the resulting pages that are displayed."

"Without HTTPS," Eckersley continued, "your online reading habits and activities are vulnerable to eavesdropping, and your accounts are vulnerable to hijacking. Today's Paxfire revelations are a grand example of how things can go wrong."

"EFF created HTTPS Everywhere to make it easier for people to keep their user names, passwords, and browsing histories secure and private," he added. "With the revelation that companies like Paxfire are out there, intercepting millions of people's searches without their permission, this kind of protection is indispensable."

With HTTPS Everywhere, connections can be encrypted to Google Image Search, Flickr, Netflix, Apple, and news sites like NPR and the Economist, as well as dozens of banks. It also supports connections to Google Search, Facebook, Twitter, Hotmail, Wikipedia, the New York Times and hundreds of other popular websites.

The tool, though, can offer only a measure of protection for web users, since all websites haven't implemented HTTPS. "More websites should implement HTTPS to help protect their users from identity theft, viruses, and other security threats," says Senior Staff Technologist Seth Schoen."Our Firefox extension is able to protect people using Google, DuckDuckGo or StartingPage for their searches. But we currently can't protect Bing and Yahoo users, because those search engines do not support HTTPS."

More comprehensive protection against Internet nasties can be obtained with Virtual Private Network (VPN) software, such as the free Hotspot Shield, or the for-pay AlwaysVPN, wrote Preston Gralla for PCWorld. "But for quick-and-easy free protection at popular Web sites, HTTPS Everywhere is a great choice," he added.