<div dir="ltr">It used to be that you could have an add-on listing on Mozilla Add-ons but distribute the add-on itself through another site. But I can’t find any mention of that now. Did they get rid of that?<br><div><div class="gmail_extra">
<br></div><div class="gmail_extra"><div class="gmail_extra">There’s an add-on on Mozilla Add-ons called HTTP Nowhere
[1]. It sounds good, is licensed under GPL 3.0 and, according to the
author of the add-on, has been tested with HTTPS Everywhere and Tor
Browser Bundle. With a quick look at the source code, the thing that
stands out is that it stores its rules using JSON. I wonder if someone should try merging HTTPS Everywhere and HTTP Nowhere.<br></div><br>It has a not-very-nice review [2] that also mentions HTTPS Everywhere.<br><br></div>
[1] <a href="https://addons.mozilla.org/en-US/firefox/addon/http-nowhere/">https://addons.mozilla.org/en-US/firefox/addon/http-nowhere/</a><br>[2] <a href="https://addons.mozilla.org/en-US/firefox/addon/http-nowhere/reviews/524316/">https://addons.mozilla.org/en-US/firefox/addon/http-nowhere/reviews/524316/</a><br>
<div class="gmail_extra"><br clear="all"><div><div dir="ltr"><div>--<br>Brian Drake<br><br>All content created by me: <a href="http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html" target="_blank">Copyright</a> © 2014 Brian Drake. All rights reserved.<br>
</div></div></div>
<br><div class="gmail_quote">On Tue, Jan 14, 2014 at 0430 (UTC), Yan Zhu <span dir="ltr"><<a href="mailto:yan@eff.org" target="_blank">yan@eff.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA512<br>
<br>
<br>
<br>
</div><div class="im">On 01/13/2014 07:14 AM, Drake, Brian wrote:<br>
> Yay!<br>
><br>
> At the risk of being annoying, with all my recent messages about<br>
> the FAQ, this one might need updating soon:<br>
><br>
> “Q. Why isn't HTTPS Everywhere available for download from<br>
</div>> <a href="http://addons.mozilla.org" target="_blank">addons.mozilla.org</a> <<a href="http://addons.mozilla.org" target="_blank">http://addons.mozilla.org</a>> like most other<br>
> Firefox add-ons?”<br>
<br>
BTW, I really appreciate all these updates to the FAQ. We need to get<br>
our docs in shape! :)<br>
<br>
Will update when I'm back from travel. In the meantime, feel free to<br>
keep pointing them out.<br>
<div class="im"><br>
><br>
> It would also be interesting to know what the reason is for this<br>
> change. I think I’ve seen discussion about this issue, but nothing<br>
> that indicated that this change would actually be made.<br>
><br>
<br>
</div>There's a ticket for it:<br>
<a href="https://trac.torproject.org/projects/tor/ticket/9769" target="_blank">https://trac.torproject.org/projects/tor/ticket/9769</a>.<br>
<br>
Note that none of the security issues raised in that thread were<br>
actually resolved. On the contrary, Mozilla has told me that there's<br>
no way for us to sign our own extension and have it verified by users<br>
if they download it from the addons store. This is sad, because it's<br>
less protection than the Chrome web store offers (we sign the<br>
extension and updates with a key on an airgapped machine, and Chrome<br>
refuses to accept updates that are not signed with this key; the hash<br>
of the public key is actually in the URL of the extension in the<br>
Chrome Web Store).<br>
<br>
It worries me that HTTPS Everywhere in AMO is therefore only as secure<br>
as the login credentials to our AMO account + review process by<br>
Mozilla folks. :/<br>
<br>
On the other hand, pde and I decided it would be okay to put it in the<br>
Mozilla addons store in addition to hosting it from <a href="http://eff.org" target="_blank">eff.org</a> (where<br>
most users will continue to download it, probably) if we included a<br>
note on both pages about why <a href="http://eff.org" target="_blank">eff.org</a> is the more secure and<br>
privacy-respecting distribution channel of the two for HTTPS Everywhere.<br>
<div class="im"><br>
- -Yan<br>
<br>
<br>
<br>
<br>
><br>
> -- Brian Drake<br>
><br>
> All content created by me: Copyright<br>
> <<a href="http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html" target="_blank">http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html</a>> ©<br>
> 2014 Brian Drake. All rights reserved.<br>
><br>
</div><div class="im">> On Mon, Jan 13, 2014 at 1438 (UTC), Yan Zhu <<a href="mailto:yan@eff.org">yan@eff.org</a><br>
</div><div class="im">> <mailto:<a href="mailto:yan@eff.org">yan@eff.org</a>>> wrote:<br>
><br>
><br>
><br>
> On 01/13/2014 06:00 AM, Drake, Brian wrote:<br>
>> I don’t really know anything about Chrome and Opera add-ons, but<br>
>> I am surprised to see something about a “Mozilla addon store”<br>
>> being updated. This add-on is not on <a href="https://addons.mozilla.org/" target="_blank">https://addons.mozilla.org/</a><br>
>> and I don’t know what else it could be referring to.<br>
><br>
><br>
> It's not on the Mozilla store yet, but I was planning to put it<br>
> there as of this release. This is blocking on Mozilla fixing a bug<br>
> where HTTPS Everywhere won't upload to the store because Mozilla<br>
> thinks that it's there already for some reason (ugh).<br>
><br>
</div><div class="im">> -Yan<br>
><br>
>> -- Brian Drake<br>
><br>
>> All content created by me: Copyright<br>
>> <<a href="http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html" target="_blank">http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html</a>> ©<br>
>> 2014 Brian Drake. All rights reserved.<br>
><br>
>> On Sat, Jan 4, 2014 at 0149 [WST (UTC+8)], Yan Zhu <<a href="mailto:yan@eff.org">yan@eff.org</a><br>
> <mailto:<a href="mailto:yan@eff.org">yan@eff.org</a>><br>
</div><div><div class="h5">>> <mailto:<a href="mailto:yan@eff.org">yan@eff.org</a> <mailto:<a href="mailto:yan@eff.org">yan@eff.org</a>>>> wrote:<br>
><br>
>> HTTPS Everywhere 3.4.5 has been released:<br>
><br>
>> <a href="https://www.eff.org/files/https-everywhere-3.4.5.xpi" target="_blank">https://www.eff.org/files/https-everywhere-3.4.5.xpi</a><br>
><br>
>> - From the Changelog:<br>
><br>
>> 3.4.5 * Updated license * Updated README.md * Updated<br>
>> contributors list * Fix a performance bug when re-enabling<br>
>> HTTPS-Everywhere from its menu * Observatory cert whitelist<br>
>> update * Updated rules: Atlassian, Brightcove, MIT, Pidgin,<br>
>> Microsoft, Whonix, Skanetrafiken, Stack-Exchange,<br>
>> Stack-Exchange-mixedcontent<br>
><br>
><br>
><br>
>> HTTPS Everywhere for Chrome 2014.1.3 has been released:<br>
><br>
>> <a href="https://www.eff.org/files/https-everywhere-chrome-2014.1.3.crx" target="_blank">https://www.eff.org/files/https-everywhere-chrome-2014.1.3.crx</a><br>
><br>
>> - From the Changelog:<br>
><br>
>> chrome-2014.1.3 * Various ruleset fixes * Various performance<br>
>> improvements, thanks to Nick Semenkovich and Jacob<br>
>> Hoffman-Andrews! * Add LRU caching for rules * Refactor out<br>
>> unused code * Reload page when rule is disabled * Upgrade URI.js<br>
>> * Add fi translation<br>
><br>
><br>
>> (The Chrome, Opera, and Mozilla addon stores have not yet been<br>
>> updated with these releases but will be soon!)<br>
><br>
>> -Yan<br>
><br>
><br>
><br>
><br>
><br>
<br>
- --<br>
Yan Zhu <a href="mailto:yan@eff.org">yan@eff.org</a><br>
Technologist Tel <a href="tel:%2B1%20415%20436%209333%20x134" value="+14154369333">+1 415 436 9333 x134</a><br>
Electronic Frontier Foundation Fax <a href="tel:%2B1%20415%20436%209993" value="+14154369993">+1 415 436 9993</a><br>
-----BEGIN PGP SIGNATURE-----<br>
<br>
</div></div>iQEcBAEBCgAGBQJS1L1xAAoJENC7YDZD/dnsLSMIAJJgU47Vut9sJsuvOSuvNR0J<br>
NksAJGlvEKTxSX2pII/uE9HDYPcBeWn8dlh21NWmRA9pHqwS/wsUPPADA2J2mMoQ<br>
EVS4UVhUt+4G/yAc1ovuVPI/7FgQ7zaAQRIqmOmKZXMZeY3uAAHbJ4KNm644XvVK<br>
I+kh+RBntb1hqvjhc47HU9qWWVBy+g6ZaHOuvl315CGI/KvsW7QmyvFnOTl9GX1K<br>
fMPxrmSBXq5NqTLH4ea/72m4SfA7mpZIGNrHao5blg3MxeLiWlyh0VjwJjgFMX/l<br>
A0Wu+ySPyj7xdnaCgt6MQnGfF3y7zF7vwPLV9QpsFfcZqMiKsb06Z5qDdBVg2+c=<br>
=Gwqg<br>
-----END PGP SIGNATURE-----<br>
</blockquote></div></div></div></div>