[HTTPS-Everywhere] Draft specification for file used to check for ruleset updates

Jacob S Hoffman-Andrews jsha at eff.org
Thu Jun 12 12:11:50 PDT 2014


> My concern wasn't compromising the confidentiality of the ruleset
> file (it's fairly public anyway) due to BREACH, but rather that Tor
> Browser users will soon have a convenient way to disable gzip by default
> in the browser. Assuming there is no fallback-to-uncompressed option set
> up on the server, this would initially prevent them from auto-updating.

Ah, got it. I'm guessing the way this would work is that Tor Browser 
would choose not to send Accept-Encoding: gzip as part of its HTTP 
requests. Compliant servers would then never send back gzip-encoded 
content. For us, this would mean that updates sent to Tor Browser users 
would consume more bandwidth (for us) and take more time (for them), but 
it wouldn't be fatal.

I think let's punt on specific workarounds for that until Tor definitely 
decides whether or not to disable compression. Sentiment on the thread 
you linked seems mixed.
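
The negotiation discussed in this message, as an added sketch that is not part of the original post or of the HTTPS Everywhere code: a server sends gzip only when the request's Accept-Encoding allows it and otherwise falls back to the uncompressed file. The function names and the sample body are assumptions, and serving identity when the header is absent is a conservative choice made for this sketch.

```python
import gzip

def parse_accept_encoding(header):
    """Return {coding: qvalue} parsed from an Accept-Encoding header value."""
    prefs = {}
    for item in (header or "").split(","):
        parts = [p.strip() for p in item.split(";")]
        coding = parts[0].lower()
        if not coding:
            continue
        q = 1.0  # default weight when no q parameter is given
        for param in parts[1:]:
            name, _, value = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0  # malformed weight: treat the coding as refused
        prefs[coding] = q
    return prefs

def choose_encoding(header):
    """Pick 'gzip' only when the client asked for it; otherwise 'identity'."""
    prefs = parse_accept_encoding(header)
    # An explicit gzip entry wins over the '*' wildcard, so "gzip;q=0, *" refuses gzip.
    gzip_q = prefs.get("gzip", prefs.get("*", 0.0))
    return "gzip" if gzip_q > 0 else "identity"

def build_response(body, accept_encoding):
    """Return (headers, payload) for the update file (hypothetical helper)."""
    headers = {"Vary": "Accept-Encoding"}  # caches must key on the request header
    if choose_encoding(accept_encoding) == "gzip":
        payload = gzip.compress(body)
        headers["Content-Encoding"] = "gzip"
    else:
        payload = body  # fallback-to-uncompressed path
    headers["Content-Length"] = str(len(payload))
    return headers, payload

# Constructed sample body standing in for the ruleset update file.
SAMPLE = b'{"rulesets": "' + b"example " * 200 + b'"}'

if __name__ == "__main__":
    for hdr in ("gzip, deflate", None, "gzip;q=0", "identity"):
        h, p = build_response(SAMPLE, hdr)
        print(repr(hdr), h.get("Content-Encoding", "identity"), len(p))
```
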

