[HTTPS-Everywhere] https everywhere for chromium

Aaron Swartz aaronsw at gmail.com
Fri Mar 4 23:07:33 PST 2011


I have previously made some attempts along those lines, but they've
all foundered on the fact that there is currently no way for an
extension to request the browser do something _before_ it loads a URL.
The best an extension can currently do is redirect after the first
insecure request (which I feel is better than nothing but Perry and
Eckersley seem hesitant to promote my attempts along these lines,
perhaps because they give a very false sense of security). By
contrast, agl's HSTS implementation, which this uses, is actually
secure, but the only way to get to it programmatically is by editing
the JSON file on disk. I figured more people probably have Python
interpreters than Go compilers or nonbrowser JavaScript runtimes but
I'm open to suggestions.

On Mar 4, 2011, at 8:46 PM, Chris Palmer <chris at eff.org> wrote:

> Thanks Aaron!
>
> Maybe we could implement code equivalent to Aaron's in JavaScript, and
> put that code in a Chromium extension? Then the user would not need a
> Python interpreter or to quit their browser.
>
> Maybe we could also publish the HTTPS E rules as a separate file, so
> that clients (Firefox and Chrome) could routinely snarf the one file to
> get the latest and greatest. Then rule updates would not incur a whole
> plugin update.
>
>
> On 03/04/2011 04:53 PM, Peter Eckersley wrote:
>> This is great.
>>
>> Aaron, I've made some fixes to your code in the hsts-chromium branch at:
>>
>> https://gitweb.torproject.org/pde/https-everywhere.git
>>
>> On Fri, Mar 04, 2011 at 02:09:55PM -0500, Aaron Swartz wrote:
>>> I've added a little script for Chromium that tries to parse the HTTPS
>>> Everywhere rules and generate JSON blocks for Chromium's
>>> TransportSecurity file:
>>>
>>> https://github.com/aaronsw/https-everywhere/
>>>
>>> At the very least I figure this should at least improve my own
>>> security. If it seems sensible to you, it could probably be converted
>>> into something pretty easy to run. The directions would be:
>>>
>>> 1. Quit Chromium.
>>> 2. Run this Python script (it would find, parse, and edit TransportSecurity).
>>> 3. Relaunch Chromium.
>>>
>>> Getting people to run a Python script isn't as easy as having them
>>> install a browser plugin, but you know me -- any little bit I can do
>>> to improve security.
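
An added example (not Aaron's script or the project's code): HSTS can only state that a whole host is HTTPS-only, so a converter like the one discussed above has to skip rulesets that exclude paths or rewrite to a different host. The code below checks this on a constructed ruleset file; `classify`, `rewrite`, `PROBE_PATH` and the sample hosts are hypothetical, and writing the result into TransportSecurity is not shown.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the HTTPS Everywhere ruleset XML format (not real rules).
SAMPLE_RULES = r"""
<rulesets>
  <ruleset name="Plain">
    <target host="example.org"/>
    <target host="www.example.org"/>
    <target host="*.example.org"/>
    <rule from="^http://(www\.)?example\.org/" to="https://$1example.org/"/>
  </ruleset>
  <ruleset name="Excluded">
    <target host="shop.example.net"/>
    <exclusion pattern="^http://shop\.example\.net/static/"/>
    <rule from="^http://shop\.example\.net/" to="https://shop.example.net/"/>
  </ruleset>
  <ruleset name="Rehosted">
    <target host="example.com"/>
    <rule from="^http://example\.com/" to="https://secure.example.com/"/>
  </ruleset>
</rulesets>
"""
PROBE_PATH = "/a/b?c=d"  # arbitrary path; HSTS upgrades every path on a host

def rewrite(rules, url):
    """Apply the first rule that matches url; return None if no rule matches."""
    for pattern, target in rules:
        # Rules use $1-style back-references; Python's re wants \g<1>.
        new, n = re.subn(pattern, re.sub(r"\$(\d)", r"\\g<\1>", target), url, count=1)
        if n:
            return new
    return None

def classify(xml_text):
    """Return (hsts_ok, skipped): hosts safe to pin as HTTPS-only, and the rest with a reason."""
    hsts_ok, skipped = [], {}
    for rs in ET.fromstring(xml_text).iter("ruleset"):
        rules = [(r.get("from"), r.get("to")) for r in rs.findall("rule")]
        for t in rs.findall("target"):
            host = t.get("host")
            if "*" in host:
                skipped[host] = "wildcard target"
            elif rs.find("exclusion") is not None:
                skipped[host] = "has exclusion"
            elif rewrite(rules, "http://" + host + PROBE_PATH) != "https://" + host + PROBE_PATH:
                skipped[host] = "rewrites to another URL"
            else:
                hsts_ok.append(host)
    return sorted(hsts_ok), skipped
```
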


