[HTTPS-Everywhere] [HTTPS-E Rulesets] HTTPS Everywhere 3.4.5 / Chrome 2014.1.3 released

Mon Jan 13 20:30:44 PST 2014

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 01/13/2014 07:14 AM, Drake, Brian wrote:
> Yay!
> 
> At the risk of being annoying, with all my recent messages about
> the FAQ, this one might need updating soon:
> 
> “Q. Why isn't HTTPS Everywhere available for download from 
> addons.mozilla.org <http://addons.mozilla.org> like most other
> Firefox add-ons?”

BTW, I really appreciate all these updates to the FAQ. We need to get
our docs in shape! :)

Will update when I'm back from travel. In the meantime, feel free to
keep pointing them out.

> 
> It would also be interesting to know what the reason is for this
> change. I think I’ve seen discussion about this issue, but nothing
> that indicated that this change would actually be made.
> 

There's a ticket for it:
https://trac.torproject.org/projects/tor/ticket/9769.

Note that none of the security issues raised in that thread were
actually resolved. On the contrary, Mozilla has told me that there's
no way for us to sign our own extension and have it verified by users
if they download it from the addons store. This is sad, because it's
less protection than the Chrome web store offers (we sign the
extension and updates with a key on an airgapped machine, and Chrome
refuses to accept updates that are not signed with this key; the hash
of the public key is actually in the URL of the extension in the
Chrome Web Store).

It worries me that HTTPS Everywhere in AMO is therefore only as secure
as the login credentials to our AMO account + review process by
Mozilla folks. :/

On the other hand, pde and I decided it would be okay to put it in the
Mozilla addons store in addition to hosting it from eff.org (where
most users will continue to download it, probably) if we included a
note on both pages about why eff.org is the more secure and
privacy-respecting distribution channel of the two for HTTPS Everywhere.

- -Yan

> 
> -- Brian Drake
> 
> All content created by me: Copyright 
> <http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html> ©
> 2014 Brian Drake. All rights reserved.
> 
> On Mon, Jan 13, 2014 at 1438 (UTC), Yan Zhu <yan at eff.org 
> <mailto:yan at eff.org>> wrote:
> 
> 
> 
> On 01/13/2014 06:00 AM, Drake, Brian wrote:
>> I don’t really know anything about Chrome and Opera add-ons, but
>> I am surprised to see something about a “Mozilla addon store”
>> being updated. This add-on is not on https://addons.mozilla.org/
>> and I don’t know what else it could be referring to.
> 
> 
> It's not on the Mozilla store yet, but I was planning to put it
> there as of this release. This is blocking on Mozilla fixing a bug
> where HTTPS Everywhere won't upload to the store because Mozilla
> thinks that it's there already for some reason (ugh).
> 
> -Yan
> 
>> -- Brian Drake
> 
>> All content created by me: Copyright 
>> <http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html> © 
>> 2014 Brian Drake. All rights reserved.
> 
>> On Sat, Jan 4, 2014 at 0149 [WST (UTC+8)], Yan Zhu <yan at eff.org
> <mailto:yan at eff.org>
>> <mailto:yan at eff.org <mailto:yan at eff.org>>> wrote:
> 
>> HTTPS Everywhere 3.4.5 has been released:
> 
>> https://www.eff.org/files/https-everywhere-3.4.5.xpi
> 
>> - From the Changelog:
> 
>> 3.4.5 * Updated license * Updated README.md * Updated
>> contributors list * Fix a performance bug when re-enabling
>> HTTPS-Everywhere from its menu * Observatory cert whitelist
>> update * Updated rules: Atlassian, Brightcove, MIT, Pidgin,
>> Microsoft, Whonix, Skanetrafiken, Stack-Exchange,
>> Stack-Exchange-mixedcontent
> 
> 
> 
>> HTTPS Everywhere for Chrome 2014.1.3 has been released:
> 
>> https://www.eff.org/files/https-everywhere-chrome-2014.1.3.crx
> 
>> - From the Changelog:
> 
>> chrome-2014.1.3 * Various ruleset fixes * Various performance 
>> improvements, thanks to Nick Semenkovich and Jacob 
>> Hoffman-Andrews! * Add LRU caching for rules * Refactor out
>> unused code * Reload page when rule is disabled * Upgrade URI.js
>> * Add fi translation
> 
> 
>> (The Chrome, Opera, and Mozilla addon stores have not yet been 
>> updated with these releases but will be soon!)
> 
>> -Yan
> 
> 
> 
> 
> 

- -- 
Yan Zhu                           yan at eff.org
Technologist                      Tel  +1 415 436 9333 x134
Electronic Frontier Foundation    Fax  +1 415 436 9993
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCgAGBQJS1L1xAAoJENC7YDZD/dnsLSMIAJJgU47Vut9sJsuvOSuvNR0J
NksAJGlvEKTxSX2pII/uE9HDYPcBeWn8dlh21NWmRA9pHqwS/wsUPPADA2J2mMoQ
EVS4UVhUt+4G/yAc1ovuVPI/7FgQ7zaAQRIqmOmKZXMZeY3uAAHbJ4KNm644XvVK
I+kh+RBntb1hqvjhc47HU9qWWVBy+g6ZaHOuvl315CGI/KvsW7QmyvFnOTl9GX1K
fMPxrmSBXq5NqTLH4ea/72m4SfA7mpZIGNrHao5blg3MxeLiWlyh0VjwJjgFMX/l
A0Wu+ySPyj7xdnaCgt6MQnGfF3y7zF7vwPLV9QpsFfcZqMiKsb06Z5qDdBVg2+c=
=Gwqg
-----END PGP SIGNATURE-----