(resending to tor-dev with tp.o email address)
On 07/08/2014 03:42 AM, Yan Zhu wrote:
On 07/08/2014 12:07 AM, Jeroen Massar wrote:
On 2014-07-07 20:40, Red wrote: [.. lots of cool work being worked on ..]
Hi Zack,
Seems you are doing lots of cool stuff ;)
But I am one of those strange people who really hate it that every separate tool has their own updater (which can be used for tracking a user, as the set of updater tools polling servers makes a fingerprint in the same way other flows make a fingerprint).
Hi Jeroen,
This makes a lot of sense. I'm aware of the fingerprintability concern, and EFF tech projects generally try to mitigate it by polling the update servers at randomized intervals over fresh Tor circuits if possible. For this project, we initially proposed polling for an update when the browser starts and every 3 hours plus some random, evenly-distributed number of milliseconds between 0 and 300000. I'm curious if others have more refined suggestions!
And thus I run Little Snitch and block those updates. Till I deem it a good time for the update to be done and trigger it manually.
As such, when you get to the stage of adding features, it would be good if there was:
- an option to disable the auto fetching
Yes, this would be fairly easy to add.
- an option to trigger the fetching
Probably also easy.
- to feed the update mechanism with a pre-fetched file (eg provided through a different update mechanism)
Since the update mechanism is just an XHR that downloads a new ruleset library from a hardcoded static URL and replaces the existing one in the Firefox profile directory, you could fetch-and-replace this manually via any number of mechanisms. :)
Also, the ruleset libraries will still ship with extension updates, so you could disable ruleset updates and just wait for the next HTTPS Everywhere release.
-Yan
Greets, Jeroen
tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
HTTPS-Everywhere mailing list HTTPS-Everywhere@lists.eff.org https://lists.eff.org/mailman/listinfo/https-everywhere