[HTTPS-Everywhere] Draft specification for file used to check for ruleset updates
Jacob Hoffman-Andrews
jsha at eff.org
Thu Jun 12 08:05:07 PDT 2014
One thing I've been meaning to follow up on: The spec currently says
"The ruleset database will be served as a ZIP file." I mentioned that
Content-Encoding: gzip at the HTTP level would be simpler and offer
similar compression. Yan's objection was that this could enable the
BREACH attack. However, the BREACH attack only applies when there is
both user-controllable content and secret content returned from a given
URL. The ruleset database has neither.
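
The condition described in the message above, as an added example that is not part of the original post or of HTTPS Everywhere's code: a check of whether a response's compressed size depends on request input. The endpoint functions, the sample ruleset bytes, the secret and the probe strings are all constructed for illustration.

```python
import zlib

# Constructed sample values, not taken from HTTPS Everywhere.
SECRET = "9f2c7a41d8e6b05c3a17"
RULESET_DB = b'{"rulesets": [{"name": "example.org", "rule": "^http:"}]}' * 20


def static_ruleset(_query: str) -> bytes:
    """Ruleset-style endpoint: the same public bytes for every request."""
    return RULESET_DB


def reflecting_page(query: str) -> bytes:
    """Counter-example: echoes request input next to a per-user secret."""
    return (f"<p>Results for {query}</p>"
            f"<input name='csrf' value='{SECRET}'>").encode()


def compressed_len(body: bytes) -> int:
    # Content-Encoding: gzip wraps this same DEFLATE stream in a fixed-size
    # header and trailer, so size differences carry over unchanged.
    return len(zlib.compress(body, 9))


def length_depends_on_input(render, probes) -> bool:
    """True if equal-length request inputs yield different compressed sizes."""
    if len({len(p) for p in probes}) != 1:
        raise ValueError("probes must all have the same length")
    return len({compressed_len(render(p)) for p in probes}) > 1


# Equal-length probes: the first repeats bytes already present in the
# reflecting page, the second shares nothing with it.
PROBES = [f"value='{SECRET}'", "QWJXZVKPLMNHGTRYUBDEFqwjxzvk"]

if __name__ == "__main__":
    for name, render in (("static ruleset", static_ruleset),
                         ("reflecting page", reflecting_page)):
        sizes = [compressed_len(render(p)) for p in PROBES]
        print(f"{name}: sizes={sizes} "
              f"input-dependent={length_depends_on_input(render, PROBES)}")
```

The static endpoint reports one size for every probe because nothing from the request reaches the compressed body; only the reflecting page, which has both conditions, shows a size that moves with the input.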