[tor-dev] [HTTPS-Everywhere] [GSoC] HTTPS Everywhere secure ruleset update mechanism update
Yan Zhu
yan at torproject.org
Tue Jul 8 10:47:31 UTC 2014
(resending to tor-dev with tp.o email address)
On 07/08/2014 03:42 AM, Yan Zhu wrote:
> On 07/08/2014 12:07 AM, Jeroen Massar wrote:
>> On 2014-07-07 20:40, Red wrote:
>> [.. lots of cool work being worked on ..]
>>
>> Hi Zack,
>>
>> Seems you are doing lots of cool stuff ;)
>>
>> But I am one of those strange people who really hate it that every
>> separate tool has their own updater (which can be used for tracking a
>> user, as the set of updater tools polling servers makes a fingerprint in
>> the same way other flows make a fingerprint).
>
> Hi Jeroen,
>
> This makes a lot of sense. I'm aware of the fingerprintability concern,
> and EFF tech projects generally try to mitigate it by polling the update
> servers at randomized intervals over fresh Tor circuits if possible. For
> this project, we initially proposed polling for an update when the
> browser starts and every 3 hours plus some random, evenly-distributed
> number of milliseconds between 0 and 300000. I'm curious if others have
> more refined suggestions!
>
>>
>> And thus I run Little Snitch and block those updates. Till I deem it a
>> good time for the update to be done and trigger it manually.
>>
>> As such, when you get to the stage of adding features, it would be good
>> if there was:
>> - an option to disable the auto fetching
>
> Yes, this would be fairly easy to add.
>
>> - an option to trigger the fetching
>
> Probably also easy.
>
>> - to feed the update mechanism with a pre-fetched file
>> (eg provided through a different update mechanism)
>
> Since the update mechanism is just an XHR that downloads a new ruleset
> library from a hardcoded static URL and replaces the existing one in the
> Firefox profile directory, you could fetch-and-replace this manually via
> any number of mechanisms. :)
>
> Also, the ruleset libraries will still ship with extension updates, so
> you could disable ruleset updates and just wait for the next HTTPS
> Everywhere release.
>
> -Yan
>
>>
>> Greets,
>> Jeroen
--
Yan Zhu <yan at eff.org>, <yan at torproject.org>
Staff Technologist
Electronic Frontier Foundation https://www.eff.org
815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x134
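
The polling schedule described in the quoted reply (a poll at browser start, then every 3 hours plus a uniform random 0 to 300000 ms), with the requested options to disable auto fetching and to trigger a fetch manually, as an added example that is not code from HTTPS Everywhere. The names `RulesetUpdatePoller`, `fetchRuleset`, `autoFetch` and `fetchNow` are hypothetical, and the download itself is a caller-supplied function.

```javascript
// Added example; all names here are hypothetical, not HTTPS Everywhere's own.
const BASE_INTERVAL_MS = 3 * 60 * 60 * 1000; // "every 3 hours"
const MAX_JITTER_MS = 300000;                // "between 0 and 300000" ms

// Delay until the next poll: base interval plus uniform integer jitter.
// `random` returns a float in [0, 1); injectable so tests are deterministic.
function nextPollDelay(random = Math.random) {
  return BASE_INTERVAL_MS + Math.floor(random() * (MAX_JITTER_MS + 1));
}

class RulesetUpdatePoller {
  // fetchRuleset: caller-supplied function that performs the download.
  // timers: { set, clear } wrappers so a fake clock can be substituted.
  constructor(fetchRuleset, { autoFetch = true, random = Math.random,
      timers = { set: (fn, ms) => setTimeout(fn, ms),
                 clear: (h) => clearTimeout(h) } } = {}) {
    this.fetchRuleset = fetchRuleset;
    this.autoFetch = autoFetch;
    this.random = random;
    this.timers = timers;
    this.handle = null;
  }

  // Called at browser start: poll once, then schedule the next poll.
  start() {
    if (!this.autoFetch) return null; // auto fetching disabled by the user
    this.fetchRuleset();
    return this.schedule();
  }

  // Draw a fresh jittered delay for every poll, not once per session.
  schedule() {
    const delay = nextPollDelay(this.random);
    this.handle = this.timers.set(() => {
      this.fetchRuleset();
      if (this.autoFetch) this.schedule();
    }, delay);
    return delay;
  }

  // User-triggered fetch; works whether or not auto fetching is enabled.
  fetchNow() { return this.fetchRuleset(); }

  stop() {
    this.autoFetch = false;
    if (this.handle !== null) this.timers.clear(this.handle);
    this.handle = null;
  }
}
```
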