Force CommSec to Use HTTPS with NoScript

Use the NoScript add-on for Firefox to force the CommSec website to use HTTPS.

On 20 March 2008, I wrote about CommSec’s use of non-SSL frames pages for its online banking. Although the CommSec homepage is delivered using SSL with an Extended Validation Certificate, once you log in you’re presented with a non-SSL frames page:

CommSec without SSL

gHacks posted recently that you can use NoScript, an add-on for Firefox, to force the browser to use HTTPS for specified domains. You can use it to force CommSec to use HTTPS too.

To do this, download NoScript from here. Open the options for NoScript and go to the HTTPS sub-tab on the Advanced tab. Under ‘Force the following sites to use secure (HTTPS) connections’, enter *

NoScript HTTPS options

Now, the CommSec website should always use HTTPS:

CommSec with SSL

You can use this same method to force other websites to use HTTPS too, like Facebook or Twitter.

Remember, though, that NoScript’s primary function is to block scripts and other active content found on most websites. This is useful for security conscious users, but it’ll break most websites.

If you want to force certain websites to use HTTPS but don’t want to block scripts or other active content, you have to disable that blocking in the NoScript options.

Update: It turns out that forcing HTTPS connections for * breaks some functionality. Forcing HTTPS connections for only achieves the same goal, but without breaking anything (that I know of):

Updated NoScript HTTPS options

The reason why * doesn’t work is that CommSec doesn’t support HTTPS connections to So when you try to get a stock quote, your browser will attempt an HTTPS connection, which will fail.

Now, quotes should work, but they will be delivered over HTTP. And your browser will give you a warning to that effect.

Tags: CommSec, online banking, security, SSL