[HTTPS-Everywhere] Draft specification for file used to check for ruleset updates
yan at eff.org
Thu Jun 12 11:55:04 PDT 2014
On 06/12/2014 08:05 AM, Jacob Hoffman-Andrews wrote:
> One thing I've been meaning to follow up on: The spec currently says "
> The ruleset database will be served as a ZIP file." I mentioned that
> Content-Encoding: gzip at the HTTP level would be simpler and offer
> similar compression. Yan's objection was that this could enable the
> BREACH attack. However, the BREACH attack only applies when there is
> both user-controllable content and secret content returned from a given
> URL. The ruleset database has neither.
My concern wasn't compromising the confidentiality of the ruleset file
(it's fairly public anyway) due to BREACH, but rather that Tor Browser
users will soon have a convenient way to disable gzip by default in the
browser. Assuming there is no fallback-to-uncompressed option set up on
the server, this would initially prevent them from auto-updating.
But it turns out this concern is probably moot, because we serve
content-encoding: gzip anyway.
> HTTPS-Everywhere mailing list
> HTTPS-Everywhere at lists.eff.org
Yan Zhu <yan at eff.org>, <yan at torproject.org>
Electronic Frontier Foundation https://www.eff.org
815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x134
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 455 bytes
Desc: OpenPGP digital signature
More information about the HTTPS-Everywhere