[HTTPS-Everywhere] Draft specification for file used to check for ruleset updates

Jacob Hoffman-Andrews jsha at eff.org
Thu Jun 12 08:05:07 PDT 2014

One thing I've been meaning to follow up on: The spec currently says " 
The ruleset database will be served as a ZIP file." I mentioned that 
Content-Encoding: gzip at the HTTP level would be simpler and offer 
similar compression. Yan's objection was that this could enable the 
BREACH attack. However, the BREACH attack only applies when there is 
both user-controllable content and secret content returned from a given 
URL. The ruleset database has neither.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.eff.org/pipermail/https-everywhere/attachments/20140612/81be6425/attachment.html>

More information about the HTTPS-Everywhere mailing list