by iKenshu 3172 days ago
So, even if I'm using the extension HTTPSEverywhere I'm safe?
2 comments

HTTPSEverywhere will not magically upgrade a site that doesn't serve HTTPS to HTTPS. If you connect to a site that doesn't support HTTPS, you are vulnerable.
Oh I see, thanks for the answer! What is the extension useful for, then?
The extension makes you use the HTTPS connection when the site you are connecting to is known to support HTTPS.

Websites can automatically redirect to HTTPS if the client connects on HTTP, but many websites don't redirect.

It has the option to block HTTP traffic, making sites that don't support HTTPS unusable.

You could create a separate "secure" profile and feel safe that all traffic is secured, while still being able to browse HTTP in another profile, for instance.
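An added example, not part of the thread and not the extension's own code: a sketch of the decision described in the replies above, where plain-HTTP requests are upgraded only for hosts known to support HTTPS and an optional strict mode blocks the rest. The host list, the function names and the `blockPlainHttp` option are assumptions made for illustration.

```javascript
// Constructed list of hosts assumed to be known to serve HTTPS.
// "*.example.org" covers any subdomain of example.org.
const KNOWN_HTTPS_HOSTS = ["example.org", "*.example.org", "shop.example.net"];

// True when `host` matches `rule` (exact name, or "*.domain" wildcard).
function hostMatches(rule, host) {
  if (rule.startsWith("*.")) {
    // Compare against ".domain" so "evilexample.org" does not match.
    return host.endsWith(rule.slice(1));
  }
  return rule === host;
}

// Decide what happens to one navigation.
// Returns { action, url } where action is one of:
//   "allow"      - already HTTPS (or not HTTP at all), left untouched
//   "upgrade"    - HTTP to a known host, rewritten to HTTPS
//   "plain-http" - HTTP to an unknown host, sent unencrypted
//   "block"      - HTTP to an unknown host, refused in strict mode
function decide(rawUrl, { blockPlainHttp = false } = {}) {
  const url = new URL(rawUrl);
  if (url.protocol !== "http:") {
    return { action: "allow", url: url.href };
  }
  const known = KNOWN_HTTPS_HOSTS.some((rule) => hostMatches(rule, url.hostname));
  if (known) {
    url.protocol = "https:"; // path and query are preserved
    return { action: "upgrade", url: url.href };
  }
  if (blockPlainHttp) {
    return { action: "block", url: null };
  }
  // No rule for this host: the request still goes out over HTTP.
  return { action: "plain-http", url: url.href };
}

// Constructed sample navigations.
for (const u of [
  "http://www.example.org/login?next=/inbox",
  "http://legacy.example.com/",
  "https://legacy.example.com/",
]) {
  console.log(u, "->", decide(u), "| strict:", decide(u, { blockPlainHttp: true }).action);
}
```

The `plain-http` result is the case the first reply describes: a host without a rule is not upgraded unless strict mode refuses it outright.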

Theoretically. The extension can refuse to load sites that aren’t using HTTPS, but the real flaw is sites that use SSL instead of TLS. Attackers can reject SSL but they can’t do anything about TLS, so the security of your browsing would be affected by the website’s HTTPS configuration, and whether they use SSL, TLS, or both (the only 100% safe method is TLS only). I know for most people disabling SSL and going TLS-only isn’t high on their list of priorities so I expect this attack to be very successful on the internet as it is right now.