[tor-bugs] #27513 [HTTPS Everywhere/EFF-HTTPS Everywhere]: Add-on for redirecting users to onion site
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Sep 7 03:32:19 UTC 2018
#27513: Add-on for redirecting users to onion site
-------------------------------------------------+-------------------------
Reporter: cyberpunks | Owner: legind
Type: enhancement | Status: new
Priority: Low | Milestone:
Component: HTTPS Everywhere/EFF-HTTPS | Version:
Everywhere |
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by legind):
You also didn't give consent to access `eff.org` for HTTPS Everywhere
extension updates, or `addons.mozilla.org` for NoScript extension updates,
but that's what Tor Browser has been doing for the better part of a
decade. It's one of the ways that we are able to ship quick fixes if
vulnerabilities are found, or updates to the coverage for HTTPS sites. In
fact, rolling HTTPS Everywhere ruleset updates improves the anonymity
guarantees of the Tor Browser by ensuring that you can't be fingerprinted
by clever techniques that differentiate your version of the HTTPS
Everywhere rulesets from everyone elses.
"Self-hosted add-on" in your case means that it updates instead from the
server of some random person with no established credibility, which is
laughable. I don't think that's any better than `addons.mozilla.org`. At
best, it's a misleading statement.
HTTPS Everywhere is developed by the EFF in collaboration with the Tor
Project. You're already trusting the Tor Project for updates to the Tor
Browser. Fetching these rulesets from https://www.https-rulesets.org/
allows users to ensure comprehensive HTTPS coverage, and isn't comparable
to an extension that forces onion service connections despite user
preference.
Custom ruleset channels in HTTPS Everywhere also allow users to limit a
ruleset update channel by scope. So if a user subscribes to an auto-
redirection channel, they can enter the regex `http://[^/]+\.tor/` to
ensure that it only acts on the `.tor` pseudo-TLD.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27513#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list