[HTTPS-Everywhere] Draft specification for file used to check for ruleset updates
Yan Zhu
yan at eff.org
Thu Jun 12 11:55:04 PDT 2014
On 06/12/2014 08:05 AM, Jacob Hoffman-Andrews wrote:
> One thing I've been meaning to follow up on: The spec currently says "
> The ruleset database will be served as a ZIP file." I mentioned that
> Content-Encoding: gzip at the HTTP level would be simpler and offer
> similar compression. Yan's objection was that this could enable the
> BREACH attack. However, the BREACH attack only applies when there is
> both user-controllable content and secret content returned from a given
> URL. The ruleset database has neither.
>
My concern wasn't compromising the confidentiality of the ruleset file
(it's fairly public anyway) due to BREACH, but rather that Tor Browser
users will soon have a convenient way to disable gzip by default in the
browser. Assuming there is no fallback-to-uncompressed option set up on
the server, this would initially prevent them from auto-updating.
But it turns out this concern is probably moot, because we serve
https://www.eff.org/files/https-everywhere-update-2048.rdf with
content-encoding: gzip anyway.
-Yan
>
> _______________________________________________
> HTTPS-Everywhere mailing list
> HTTPS-Everywhere at lists.eff.org
> https://lists.eff.org/mailman/listinfo/https-everywhere
>
--
Yan Zhu <yan at eff.org>, <yan at torproject.org>
Staff Technologist
Electronic Frontier Foundation https://www.eff.org
815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x134
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: <https://lists.eff.org/pipermail/https-everywhere/attachments/20140612/8e516a45/attachment.sig>
More information about the HTTPS-Everywhere
mailing list