
Debian: HTTPS Everywhere Critical Malware Risk Advisory DLA-4331-1

debian lts
October 14, 2025
HTTPS Everywhere was removed from Debian due to security risks. Upgrade your system to enhance protection.
The Firefox extension HTTPS Everywhere used to enforce encryption over HTTPS in major web browsers, a feature which has become obsolete because an HTTPS-only mode is built-in nowada...

Summary

The extension requires up-to-date HTTPS rules, which are obtained from the
domain https-rulesets.org. This domain is no longer controlled by the original
upstream developers and is now registered by a third party. Requests are
redirected to a known malware site. This poses a severe risk for users of HTTPS
Everywhere.

As a first step to remedy this problem, version 2025.10.14-0+deb11u1 will
completely remove all files associated with HTTPS Everywhere and only install a
README file to raise the awareness for this security problem. The Debian
packages parl-desktop and progress-linux-desktop will no longer depend on
webext-https-everywhere.

The source package https-everywhere and the binary package
webext-https-everywhere will be removed from Debian in a subsequent step.

We recommend avoiding HTTPS Everywhere and instead using a web browser, e.g.
Firefox, that supports an HTTPS-only mode. For more information, please refer
to Debian bugs #1118030 and #1118045.
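
To check a host against the remediation described above, this added example (not part of the advisory or of Debian's tooling) reads `dpkg-query` rows and reports whether `webext-https-everywhere` predates the fixed version and whether an installed package still depends on it. The function names and the sample rows are constructed for illustration.

```sh
#!/bin/sh
# Added example (not part of the advisory): audit a host against DLA-4331-1.
FIXED='2025.10.14-0+deb11u1'      # fixed version named in the advisory
PKG='webext-https-everywhere'     # binary package named in the advisory

# True when version $1 predates $2. Uses dpkg's ordering when available;
# assumption for hosts without dpkg: any other version needs the upgrade.
needs_upgrade() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
    else
        [ "$1" != "$2" ]
    fi
}

# Reads "package<TAB>status<TAB>version<TAB>depends" rows on stdin.
# Prints one line per finding; returns 1 if there were any, 0 otherwise.
audit_dla4331() {
    findings=0
    while IFS="$(printf '\t')" read -r name status version depends; do
        case "$status" in
            ?n*|?c*) continue ;;   # not installed, or only config files left
        esac
        if [ "$name" = "$PKG" ]; then
            if needs_upgrade "$version" "$FIXED"; then
                echo "UPGRADE: $PKG $version predates $FIXED"
                findings=1
            fi
        else
            case " $depends," in
                *" $PKG,"*|*" $PKG "*)
                    echo "DEPENDS: $name still depends on $PKG"
                    findings=1 ;;
            esac
        fi
    done
    return "$findings"
}

# Live check on a Debian host (hypothetical wrapper name).
audit_live() {
    dpkg-query -W \
        -f='${binary:Package}\t${db:Status-Abbrev}\t${Version}\t${Depends}\n' \
        "$PKG" parl-desktop progress-linux-desktop 2>/dev/null | audit_dla4331
}

# Constructed sample rows (not from a real host) for an offline run.
sample_rows() {
    printf '%s\tii \t%s\t%s\n' "$PKG" '2022.5.24-1' '' \
        parl-desktop '1.9' "firefox-esr, $PKG"
}
```

Run `sample_rows | audit_dla4331` for an offline demonstration, or `audit_live` on the host itself; a non-zero exit status means at least one finding was printed.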



Severity: critical

Package: https-everywhere
Version: 2025.10.14-0+deb11u1
Debian Bug: 1118030 1118045
