Hello everyone! Sorry about the fact that I haven't made a report in a few weeks. It's been a busy time for me. With that said, I have been getting quite a bit of work done on my project to build a secure ruleset updating mechanism for the HTTPS Everywhere Firefox browser extension.

In my last report, I talked about the fact that I had been struggling with finding an appropriate solution to the problem of generating an appropriate signature on (the digest of) the update information provided by an update.json file. The problem was brought to some other core developers and it was decided that we would use an existing tool included in recent versions of the NSS tools.

Since then, I have been working to integrate my updater into the existing HTTPS Everywhere codebase, which has involved quite a bit of refactoring. I have succeeded in getting the mechanism functional in the extension and have also taken care of keeping the master branch I was working off of up to date. This means that my feature will be able to be pulled into the newly released HTTPS Everywhere 5.0 development release as soon as it's been even more thoroughly tested!

I am once again having an issue with signature verification. My mentor, Yan, had found a method of (as described above) using NSS tools to generate a signature that the Mozilla XPCOM component designed to do so could understand and verify. I have not been able to successfully repeat this process in a way that produces a signature whose authenticity my ruleset updating mechanism has been able to verify.

The good news is that once this issue is resolved, the feature should be working just right and all that will remain will be to:

1. Add some elements to the UI to configure the updater.
2. Reset some preferences that were provided defaults for testing purposes.
3. Add another simple test to the ruleset update authenticity check to verify that the source URL is an EFF domain.

I don't anticipate that these will be difficult changes at all.

You can follow my progress by watching my fork of the repository on GitHub and keeping an eye on the branch I am developing:

https://github.com/redwire/https-everywhere/tree/rulesetUpdating

As always, constructive feedback and ideas are always welcome!

Thanks,
Zack