[HTTPS-Everywhere] Draft specification for file used to check for ruleset updates

Yan Zhu yan at eff.org
Thu Jun 12 11:55:04 PDT 2014

On 06/12/2014 08:05 AM, Jacob Hoffman-Andrews wrote:
> One thing I've been meaning to follow up on: The spec currently says "
> The ruleset database will be served as a ZIP file." I mentioned that
> Content-Encoding: gzip at the HTTP level would be simpler and offer
> similar compression. Yan's objection was that this could enable the
> BREACH attack. However, the BREACH attack only applies when there is
> both user-controllable content and secret content returned from a given
> URL. The ruleset database has neither.

My concern wasn't compromising the confidentiality of the ruleset file
(it's fairly public anyway) due to BREACH, but rather that Tor Browser
users will soon have a convenient way to disable gzip by default in the
browser. Assuming there is no fallback-to-uncompressed option set up on
the server, this would initially prevent them from auto-updating.

But it turns out this concern is probably moot, because we serve
https://www.eff.org/files/https-everywhere-update-2048.rdf with
content-encoding: gzip anyway.


Yan Zhu  <yan at eff.org>, <yan at torproject.org>
Staff Technologist
Electronic Frontier Foundation                  https://www.eff.org
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x134
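The failure mode Yan describes, a server that applies Content-Encoding: gzip unconditionally versus one that negotiates on Accept-Encoding and falls back to an uncompressed body, can be modelled in a few lines. The following is an added example and not EFF's or HTTPS Everywhere's code; the ruleset payload is constructed, and the function names are hypothetical.

```python
"""Content negotiation for a compressed update file.

Added example (not EFF's code): models the 'fallback to uncompressed'
behaviour discussed in the thread. A server that gzips regardless of what
the client sent breaks clients that do not advertise gzip support; a server
that honours Accept-Encoding serves both. All names here are hypothetical.
"""
import gzip

# Constructed sample payload (not the real HTTPS Everywhere ruleset database).
SAMPLE_RULESET = b'<ruleset name="Example"><rule from="^http:" to="https:"/></ruleset>\n' * 20


def parse_accept_encoding(header):
    """Parse an Accept-Encoding header into {coding: q} (RFC 7231 section 5.3.4).
    A missing or empty header yields {} (only identity is acceptable)."""
    result = {}
    if not header:
        return result
    for item in header.split(","):
        parts = [p.strip() for p in item.split(";")]
        coding = parts[0].lower()
        if not coding:
            continue
        q = 1.0
        for param in parts[1:]:
            if param.lower().startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0
        result[coding] = q
    return result


def negotiate_encoding(accept_encoding):
    """Return 'gzip' if the client accepts it, otherwise 'identity'.
    A client that sends no Accept-Encoding, or explicitly refuses gzip
    (q=0), still gets a body it can use."""
    prefs = parse_accept_encoding(accept_encoding)
    gzip_q = prefs.get("gzip", prefs.get("*", 0.0))
    return "gzip" if gzip_q > 0 else "identity"


def build_response(body, accept_encoding, always_gzip=False):
    """Build (headers, payload). always_gzip=True models the misconfigured
    server the thread worries about: gzip applied no matter what was sent."""
    coding = "gzip" if always_gzip else negotiate_encoding(accept_encoding)
    payload = gzip.compress(body) if coding == "gzip" else body
    headers = {
        "Content-Type": "application/xml",
        "Content-Length": str(len(payload)),
        # Tell caches that the representation depends on Accept-Encoding.
        "Vary": "Accept-Encoding",
    }
    if coding != "identity":
        headers["Content-Encoding"] = coding
    return headers, payload


def client_decode(headers, payload, supports_gzip):
    """Model the client side. Returns the decoded body, or None when the client
    cannot handle the encoding (the auto-update failure the thread describes)."""
    coding = headers.get("Content-Encoding", "identity").lower()
    if coding == "identity":
        return payload
    if coding == "gzip" and supports_gzip:
        return gzip.decompress(payload)
    return None


def update_succeeds(always_gzip, client_supports_gzip):
    """End to end: does this client get a valid ruleset from this server config?"""
    accept = "gzip, deflate" if client_supports_gzip else None
    headers, payload = build_response(SAMPLE_RULESET, accept, always_gzip)
    return client_decode(headers, payload, client_supports_gzip) == SAMPLE_RULESET


if __name__ == "__main__":
    for always_gzip in (False, True):
        for supports in (True, False):
            status = "ok" if update_succeeds(always_gzip, supports) else "FAILED"
            print(f"always_gzip={always_gzip!s:5} client_gzip={supports!s:5} -> {status}")
```

Only the combination of an unconditional-gzip server and a client that has disabled gzip fails; the negotiating server serves both kinds of client. The Vary header matters in practice too: without it a shared cache could hand the gzip representation to a client that never asked for it.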
