[HTTPS-Everywhere] Clarifying the process for testing rulesets

Peter Eckersley pde at eff.org
Sat Oct 20 11:58:51 PDT 2012 

I think this just increases the urgency of working on this:

https://trac.torproject.org/projects/tor/ticket/6975

I will write a patch so that the Firefox version knows to disable mixed
content rules on version 18+.

On Sat, Oct 20, 2012 at 05:32:08AM -0700, Fruitless Creek wrote:
> Related?
> 
> "Disable insecure content loading on HTTPS pages"
> 
> https://www.mozilla.org/en-US/firefox/18.0a2/auroranotes/
> 
> 
> 
> 
> ________________________________
>  From: Peter Eckersley <pde at eff.org>
> To: mezzanine at Safe-mail.net 
> Cc: https-everywhere at eff.org 
> Sent: Wednesday, October 17, 2012 11:53 PM
> Subject: Re: [HTTPS-Everywhere] Clarifying the process for testing rulesets
>  
> On Thu, Oct 11, 2012 at 03:42:34AM -0400, mezzanine at Safe-mail.net wrote:
> > The page at https://www.eff.org/https-everywhere/rulesets talks about
> > how to create rulesets and also touches upon the step of testing a
> > ruleset. Even so, some aspects of how to test a ruleset are unclear.
> > For example, it may be the case where a specific domain or subdomain
> > appears to support HTTPS on more than one page, but with the question
> > as to whether each and every page under the domain supports HTTPS.
> > Should the tester try to visit and examine almost every page under the
> > site before submitting the ruleset? 
> 
> This is clearly not possible in many cases.  Having said that, the more
> complicated a site becomes, the more you would ideally want to have tested it
> extensively.  A good heuristic might be that if a site supports accounts, the
> ruleset author should make and use one, and try a bunch of the site's features
> to ensure that things aren't exploding.
> 
> > For that matter, how much testing and evaluation is performed on a ruleset
> > after it is submitted? Among other things, is it the case that a new ruleset
> > may be added to a development release of HTTPS Everywhere before being added
> > to a release version? 
> 
> This is almost always the case, yes, although occasionally things slip through
> in git.  With the 3.0 release, it seems as though we caught and fixed a lot of
> bugs in the new rulesets with the 3.0development releases, but another big
> wave of reports (more per unit time, fewer total, thus far) came in after the
> 3.0 release went stable.
> 
> The other testing that occurs at present is the syntax sanity checks that are
> used if you build the extension.  There are some cert-validity test scripts in
> existence, but I'm not sure if any of them know about transvalidity (missing
> intermediate CA certificates which browsers will cache, causing a cert to
> switch from invalid to valid) yet, and none are run automatically.
> 
> We have plans to try and implement/deploy an automated ruleset testing framework,
> possibly based on https://github.com/hiviah/https-everywhere-checker,
> possibly using Selenium or Marionette, but none of that is close to ready.
> 
> > It is one's presumption that it is sufficient to test
> > a ruleset prior to submission by using it with the HTTPS Everywhere
> > extension and the Firefox browser, and that it is not necessary to use
> > the Google Chrome browser, even though the HTTPS Everywhere extension
> > is available in alpha form for the Chrome browser. 
> 
> Interesting point.  Currenly, we have one major difference between the Chrome
> and Firefox platforms, which is that rulesets creating mixed content are okay
> on Firefox, but sometimes quite problematic on Chrome:
> 
> https://trac.torproject.org/projects/tor/ticket/6975
> 
> There are some rumours that Firefox is going to copy Chrome's mixed-content
> blocking strategy at some point, in which case we may have a large and sudden set
> of changes to make to the ruleset library.  It's therefore a good idea to
> start watching for and labelling rulesets as "mixedcontent" where possible.
> 
> > Although it seems sensible to subject a submitted ruleset to a certain
> > amount of post- submission testing (among other things, screening for
> > potential security issues), it would also seem advantageous for
> > pre-submission and post-submission testing of a ruleset to complement each
> > other, and to avoid (if possible) the situation where the two overlap
> > excessively.
> 
> Yup :). 
> > 
> > Ticket #2160 (https://trac.torproject.org/projects/tor/ticket/2160) on
> > the Tor Bug Tracker & Wiki talks about documenting the ruleset review
> > process for HTTPS Everywhere. The documentation that this ticket would
> > involve would be meant both for ruleset submitters and also
> > administrators/reviewers, according to the ticket description. The
> > rulesets for HTTPS Everywhere include coverage of sites that would
> > seem to be very large, such as sites for certain universities. Has
> > anyone had any experience or any comments regarding testing rulesets
> > prior to submitting them, particularly rulesets for large sites?
> 
> It feels as though the ruleset review process is still fluid enough that
> documenting it might be premature :)
> 
> -- 
> Peter Eckersley                            pde at eff.org
> Technology Projects Director      Tel  +1 415 436 9333 x131
> Electronic Frontier Foundation    Fax  +1 415 436 9993
> 
> _______________________________________________
> HTTPS-everywhere mailing list
> HTTPS-everywhere at mail1.eff.org
> https://mail1.eff.org/mailman/listinfo/https-everywhere

-- 
Peter Eckersley                            pde at eff.org
Technology Projects Director      Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993

More information about the HTTPS-everywhere mailing list