[HTTPS-Everywhere] Clarifying pre-submission testing and post-submission reviewing for rulesets
mezzanine at Safe-mail.net
Tue May 1 23:08:06 PDT 2012
When a user produces a ruleset, a question that might arise is the
extent to which the user should test the ruleset before submitting
it. (Checking the ruleset for validity should be easy enough, but
testing every page (or even a representative sample of pages, which
may not be easy to determine) on a large Web site (i.e. a
university or large business or government agency) may take a lot
of time.) After a ruleset is submitted, it would seem prudent for
the ruleset to be checked for validity and to guard against the
possibility of attackers submitting deliberately malicious or
vulnerable rulesets. At the same time, it is not clear as to how
extensively submitted rulesets are checked (does the checking
include using the ruleset and seeing if the affected site seems to
work, for instance?). Currently, the issue of documenting the
ruleset review process is mentioned in the issue
https://trac.torproject.org/projects/tor/ticket/2160 on the Web.
Among other things, it appears that rules may be added to a
development release of the HTTPS Everywhere extension before being
added to a stable release. For efficiency, it would be ideal if the
pre-submission checking and post-submission checking did not
overlap too much, though some overlap might be inevitable.
--Richard