[tor-dev] GSoC Report - Zack Mullaly - HTTPS Everywhere secure ruleset update mechanism

Red redwire at riseup.net
Fri Jun 20 22:01:05 UTC 2014


Hello again everyone,
I am here once again to report my progress in building a secure ruleset
updating mechanism for the HTTPS Everywhere browser extension.  This
past week's work has involved a lot of updates to the specification for
the mechanism[1], and changing a lot of what I had done before to keep
up with all of the changes. 

With regards to the documentation, a great deal of the changes being
discussed about the order that tests of authenticity of the update
information as well as its relevant have been finalized.  There is now a
"Pseudocode of the update procedure" section that outlines this order
that tests are performed and also gives an idea of what data the
mechanism requires, where it's obtained from, and how it changes that
data.  I have also added extensively to the "update.json  and
update.json.sig" section to outline everything anyone should need to
know from generating update.json to getting a properly-encoded signature
of the digest of update.json that can be verified by the extension.  The
document is now also included as part of the repository so that pull
requests and better commenting can be made.

I have also been making a lot of improvements to the utility script used
for building the content of update.json[2].
The script has been completely revamped to work in accordance with the
modified spec.  I have also included a few
sanity checks to verify that the content provided for update.json make
sense, and made it very easy to write more such checks.

I spent most of today getting the actual ruleset updater module[3][4]
code up to date.  The code now reflects the changes to the new standard
and has been simplified dramatically.

As usual, I have my meeting notes available as a Gist[5].  The notes
from the meeting I had today with Yan are already present.  My plans for
the coming week are to set up a testing environment and begin making
sure everything works as expected.  I will also begin the discussion
about how the extension should handle error reporting- what to do when
authenticity tests fail, or the extension can't fetch the update
information.

Please feel free to take advantage of the update spec being part of the
repository now to discuss the details and/or propose changes in the form
of a pull request.  Either this or the https-everywhere mailing list are
also great places to get in touch with myself and everyone who has been
involved in my work.

Cheers,
Zack

[1] :
https://github.com/redwire/https-everywhere/blob/makeJSONManifest/doc/updateJSONSpec.md
[2] :
https://github.com/redwire/https-everywhere/blob/makeJSONManifest/utils/ruleset_update_manifest.py
[3] :
https://github.com/redwire/https-everywhere/blob/rulesetUpdating/src/chrome/content/code/rulesetUpdate.js
[4] :
https://github.com/redwire/https-everywhere/commit/1a0d5edb8572180854ad620ff2b9f2f5a9cba483
[5] : https://gist.github.com/redwire/b62f03905a826e79947a#week-6

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 341 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20140620/a06ec1b3/attachment.sig>


More information about the tor-dev mailing list