[tor-bugs] #27551 [- Select a component]: Build HTTPS Everywhere with the SecureDrop custom ruleset update channel

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Sep 7 19:04:06 UTC 2018


#27551: Build HTTPS Everywhere with the SecureDrop custom ruleset update channel
--------------------------------------+--------------------
     Reporter:  legind                |      Owner:  (none)
         Type:  enhancement           |     Status:  new
     Priority:  Medium                |  Milestone:
    Component:  - Select a component  |    Version:
     Severity:  Normal                |   Keywords:
Actual Points:                        |  Parent ID:
       Points:                        |   Reviewer:
      Sponsor:                        |
--------------------------------------+--------------------
 Related: https://github.com/freedomofpress/securedrop/issues/3668,
 https://github.com/EFForg/https-everywhere/blob/master/docs/en_US/ruleset-
 update-channels.md, https://blog.torproject.org/cooking-onions-names-your-
 onions

 Blocked by: https://trac.torproject.org/projects/tor/ticket/10394

 There has been some discussion on the SecureDrop issue tracker on the
 possibility of FPF maintaining their own SecureDrop custom rulesets update
 channel.

 A "ruleset" is a strictly formatted XML file that defines how HTTPS
 Everywhere issues redirects.  HTTPS Everywhere comes bundled with
 thousands of these rulesets that tell it how to secure sites.  An "update
 channel" is a new way for HTTPS Everywhere to have rulesets delivered to
 the extension without publishing a new version of the extension itself.
 Rulesets are periodically checked for on a publicly accessible, known URL
 and verified via the WebCrypto API, see https://github.com/EFForg/https-
 everywhere/blob/master/docs/en_US/ruleset-update-channels.md#update-
 channel-format--logic for more info on how this works.  Currently the Tor
 Browser includes the `EFF (Full)` update channel.  Requests to the update
 channels to check for ruleset updates are made every 24 hours.

 The idea here is for FPF to maintain its own update channel which forwards
 URLs of the format `http://0.0.0.0/theintercept.com.securedrop` to the
 onion URL for that SecureDrop instance.  This gives a few distinct
 advantages:

 1. It allows easier discovery of SecureDrop sites
 2. It allows FPF to quickly rotate keys in case of key compromise or
 vulnerabilities, as has happened in the past with HeartBleed
 (https://freedom.press/news/securedrop-and-the-openssl-vulnerability/)
 3. If someone accesses a site of this format in Chrome browser, it will
 not leak the DNS request.  This provides no additional security in
 Firefox, since Firefox already blocks DNS requests for the `.onion`
 pseudo-TLD.

 Understandably, Tor Browser may be wary of adding an additional update
 channel, maintained by another entity, which has the arbitrary ability to
 redirect URLs.  That's why HTTPS Everywhere has added the concept of
 `scope` to update channels.  `scope` defines some regular expression for
 URLs on which a ruleset update channel is allowed to operate.  For
 instance, in the case of SecureDrop, you can define the scope to be
 `https?://0\.0\.0\.0/[^/]+\.securedrop($|/)` so that this update channel
 only operate on URLs of the format given above.

 This update channel would have to be added to HTTPS Everywhere for the Tor
 Browser (in https://github.com/EFForg/https-
 everywhere/blob/master/chromium/background-scripts/update_channels.js) at
 build-time.  Since all customizations are overwritten when the extension
 is updated, this is also blocked by
 https://trac.torproject.org/projects/tor/ticket/10394

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27551>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list