[tor-dev] [HTTPS-Everywhere] [GSoC] HTTPS Everywhere secure ruleset update mechanism update

Yan Zhu yan at torproject.org
Tue Jul 8 10:47:31 UTC 2014


(resending to tor-dev with tp.o email address)

On 07/08/2014 03:42 AM, Yan Zhu wrote:
> On 07/08/2014 12:07 AM, Jeroen Massar wrote:
>> On 2014-07-07 20:40, Red wrote:
>> [.. lots of cool work being worked on ..]
>>
>> Hi Zack,
>>
>> Seems you are doing lots of cool stuff ;)
>>
>> But I am one of those strange people who really hate it that every
>> separate tool has their own updater (which can be used for tracking a
>> user, as the set of updater tools polling servers makes a fingerprint in
>> the same way other flows make a fingerprint).
> 
> Hi Jeroen,
> 
> This makes a lot of sense. I'm aware of the fingerprintability concern,
> and EFF tech projects generally try to mitigate it by polling the update
> servers at randomized intervals over fresh Tor circuits if possible. For
> this project, we initially proposed polling for an update when the
> browser starts and every 3 hours plus some random, evenly-distributed
> number of milliseconds between 0 and 300000. I'm curious if others have
> more refined suggestions!
> 
>>
>> And thus I run Little Snitch and block those updates. Till I deem it a
>> good time for the update to be done and trigger it manually.
>>
>> As such, when you get to the stage of adding features, it would be good
>> if there was:
>>  - an option to disable the auto fetching
> 
> Yes, this would be fairly easy to add.
> 
>>  - an option to trigger the fetching
> 
> Probably also easy.
> 
>>  - to feed the update mechanism with a pre-fetched file
>>    (eg provided through a different update mechanism)
> 
> Since the update mechanism is just an XHR that downloads a new ruleset
> library from a hardcoded static URL and replaces the existing one in the
> Firefox profile directory, you could fetch-and-replace this manually via
> any number of mechanisms. :)
> 
> Also, the ruleset libraries will still ship with extension updates, so
> you could disable ruleset updates and just wait for the next HTTPS
> Everywhere release.
> 
> -Yan
> 
>>
>> Greets,
>>  Jeroen
>>


-- 
Yan Zhu  <yan at eff.org>, <yan at torproject.org>
Staff Technologist
Electronic Frontier Foundation                  https://www.eff.org
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x134
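
The polling schedule and the three options discussed in this thread, sketched as an added example that is not part of the original message and is not HTTPS Everywhere code. Every name is hypothetical; `fetchRuleset`, `verify` and `install` are caller-supplied hooks, and `verify` is a placeholder because the thread does not describe how a ruleset is checked.

```javascript
// Added example; all names are hypothetical, not HTTPS Everywhere code.
const BASE_INTERVAL_MS = 3 * 60 * 60 * 1000; // "every 3 hours"
const MAX_JITTER_MS = 300000;                // "between 0 and 300000" ms

// Base interval plus uniformly distributed jitter; rng is injectable for tests.
function nextPollDelay(rng = Math.random) {
  return BASE_INTERVAL_MS + Math.floor(rng() * (MAX_JITTER_MS + 1));
}

const realTimers = { set: (fn, ms) => setTimeout(fn, ms),
                     clear: (id) => clearTimeout(id) };

class RulesetUpdater {
  constructor({ fetchRuleset, verify, install, autoFetch = true,
                timers = realTimers, rng = Math.random }) {
    Object.assign(this, { fetchRuleset, verify, install, autoFetch, timers, rng });
    this.timer = null;
  }

  // Browser start: poll once, then keep polling at jittered intervals.
  start() {
    if (!this.autoFetch) return;      // option: auto fetching disabled
    this.checkNow();
    this.scheduleNext();
  }

  scheduleNext() {
    this.timer = this.timers.set(() => {
      this.checkNow();
      this.scheduleNext();            // fresh jitter for every interval
    }, nextPollDelay(this.rng));
  }

  // Option: manual trigger; works whether or not auto fetching is enabled.
  async checkNow() {
    try {
      return this.installPrefetched(await this.fetchRuleset());
    } catch (err) {
      return false;                   // fetch failed: keep the current ruleset
    }
  }

  // Option: feed a file obtained out of band. It goes through the same
  // verify-then-install path as a downloaded one, with no extra trust.
  installPrefetched(data) {
    if (!this.verify(data)) return false;
    this.install(data);
    return true;
  }
}
```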

