[HTTPS-Everywhere] GSoC report - Zack Mullaly - HTTPS Everywhere secure ruleset update mechanism

Red redwire at riseup.net
Fri Jun 13 17:06:59 PDT 2014


Hello, everyone!
I apologize for the fact that this is coming in late, but here is a
summary of my progress and plans thus far in developing a secure ruleset
update mechanism for the HTTPS Everywhere browser extension.

The specification document detailing how the ruleset updater will
function has been perhaps the greatest focus for me until now. The
document is currently hosted on Github as a gist[1], and currently
details the format for the JSON document the extension will fetch to
determine whether the update information it receives is authentic and
relevant.

A second task I have been working on is the creation of a utility[2]
used to automate much of the process of building the update.json file
contents outlined by [1]. A lot of the work done here so far has been
experimental, but it is already providing some utility for composing
data that can be used for testing purposes.

The third thing I have been working on is the actual implementation of
the ruleset updater[3].  There are to be some changes to the spec that
will be reflected in this code in the coming week, but the
implementation so far is very close to being ready to test.

In the last week, a lot of discussion has occurred centered around
improving the specification for the ruleset update mechanism and how the
update.json file and signing thereof should function and be written.  I
have posted my weekly meeting notes to another gist[4] which I will from
today onwards be keeping up to date with my weekly notes so that they
will be publicly available and well-formatted.  In summary, my upcoming
work will involve updating the update.json spec to reflect the
discussion being had on the https-everywhere mailing list and between
myself and my mentor, Yan.  I will then focus on updating the extension
code as well as the utility I have been working on to reflect the
changes to the spec.  I will then move on to testing the signature
verification method locally by creating example documents and a Python
script to verify the signature.  I will also be setting up a testing
environment to properly test my work on the ruleset update mechanism.

My work can be more closely followed on Github, specifically my fork of
the official HTTPS-Everywhere repository[5].  The code I have been
working on resides in my "makeJSONManifest" and "rulesetUpdating"
branches.  You can also follow the discussion on the https-everywhere
mailing list, and are welcome to join in Yan's and my weekly meetings
in #https-everywhere on irc.oftc.net at 11:00AM Pacific Time on
Fridays.  We're happy to have people chime in with ideas, and commentary
in IRC, the mailing list, and on Github is welcome!

[1]: https://gist.github.com/redwire/2e1d8377ea58e43edb40
[2]: https://github.com/redwire/https-everywhere/blob/makeJSONManifest/utils/ruleset_update_manifest.py
[3]: https://github.com/redwire/https-everywhere/blob/rulesetUpdating/src/chrome/content/code/rulesetUpdate.js
[4]: https://gist.github.com/redwire/b62f03905a826e79947a
[5]: https://github.com/redwire/https-everywhere
