[HTTPS-Everywhere] [tor-dev] [GSoC] HTTPS Everywhere secure ruleset update mechanism update

Yan Zhu yan at eff.org
Tue Jul 8 03:42:57 PDT 2014


On 07/08/2014 12:07 AM, Jeroen Massar wrote:
> On 2014-07-07 20:40, Red wrote:
> [.. lots of cool work being worked on ..]
> 
> Hi Zack,
> 
> Seems you are doing lots of cool stuff ;)
> 
> But I am one of those strange people who really hate it that every
> separate tool has their own updater (which can be used for tracking a
> user, as the set of updater tools polling servers makes a fingerprint in
> the same way other flows make a fingerprint).

Hi Jeroen,

This makes a lot of sense. I'm aware of the fingerprintability concern,
and EFF tech projects generally try to mitigate it by polling the update
servers at randomized intervals over fresh Tor circuits if possible. For
this project, we initially proposed polling for an update when the
browser starts and every 3 hours plus some random, evenly-distributed
number of milliseconds between 0 and 300000. I'm curious if others have
more refined suggestions!

> 
> And thus I run Little Snitch and block those updates. Till I deem it a
> good time for the update to be done and trigger it manually.
> 
> As such, when you get to the stage of adding features, it would be good
> if there was:
>  - an option to disable the auto fetching

Yes, this would be fairly easy to add.

>  - an option to trigger the fetching

Probably also easy.

>  - to feed the update mechanism with a pre-fetched file
>    (eg provided through a different update mechanism)

Since the update mechanism is just an XHR that downloads a new ruleset
library from a hardcoded static URL and replaces the existing one in the
Firefox profile directory, you could fetch-and-replace this manually via
any number of mechanisms. :)

Also, the ruleset libraries will still ship with extension updates, so
you could disable ruleset updates and just wait for the next HTTPS
Everywhere release.

-Yan

> 
> Greets,
>  Jeroen
> 


-- 
Yan Zhu  <yan at eff.org>, <yan at torproject.org>
Staff Technologist
Electronic Frontier Foundation                  https://www.eff.org
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x134
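
The polling schedule and the three controls discussed in the message above (disable auto-fetch, manual trigger, pre-fetched file), as an added example that is not part of the original e-mail and is not HTTPS Everywhere's code. The class, callback and option names are hypothetical; only the 3-hour interval and the 0 to 300000 ms jitter come from the message.

```javascript
// Added illustration: names below are hypothetical, not HTTPS Everywhere's code.
const BASE_INTERVAL_MS = 3 * 60 * 60 * 1000; // "every 3 hours"
const MAX_JITTER_MS = 300000;                // random 0..300000 ms on top

// Delay before the next poll. `rand` returns a float in [0, 1) and is
// injectable so the schedule can be checked deterministically.
function nextPollDelay(rand = Math.random) {
  return BASE_INTERVAL_MS + Math.floor(rand() * (MAX_JITTER_MS + 1));
}

class RulesetUpdater {
  // fetchRuleset: () => ruleset contents (assumed: downloads from the fixed URL)
  // install: (contents, source) => void (assumed: replaces the stored library)
  constructor({ fetchRuleset, install, autoFetch = true,
                setTimer = setTimeout, rand = Math.random }) {
    Object.assign(this, { fetchRuleset, install, autoFetch, setTimer, rand });
  }

  // Call at browser start. With autoFetch off, nothing touches the network.
  async start() {
    if (!this.autoFetch) return;
    await this.poll();
    this.scheduleNext();
  }

  // Draw fresh jitter for every interval rather than once per session.
  scheduleNext() {
    const delay = nextPollDelay(this.rand);
    this.setTimer(async () => { await this.poll(); this.scheduleNext(); }, delay);
    return delay;
  }

  // A failed background poll is dropped; the next interval retries.
  async poll() {
    try { await this.checkNow(); } catch (err) { /* keep current ruleset */ }
  }

  // Manual trigger: available even when autoFetch is disabled.
  async checkNow() {
    this.install(await this.fetchRuleset(), "network");
  }

  // Pre-fetched file obtained some other way: installed with no request made.
  installFromFile(contents) {
    this.install(contents, "file");
  }
}
```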
