[tor-bugs] #8774 [EFF-HTTPS Everywhere]: Disable mixed content rulesets on FF 23+

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Jul 18 00:41:28 UTC 2013


#8774: Disable mixed content rulesets on FF 23+
----------------------------------+-----------------------------------------
 Reporter:  pde                   |          Owner:  micahlee       
     Type:  defect                |         Status:  assigned       
 Priority:  critical              |      Milestone:  HTTPS-E 4.0dev8
Component:  EFF-HTTPS Everywhere  |        Version:                 
 Keywords:                        |         Parent:  #6975          
   Points:                        |   Actualpoints:                 
----------------------------------+-----------------------------------------
Changes (by micahlee):

  * status:  new => assigned
  * owner:  pde => micahlee


Comment:

 Ok, so me and Lisa have decided to try to cram to fix this bug and also
 #8776 in the next two weeks. We also want to try to mark far more rules
 that cause mixed content bugs as platform="mixedcontent".

 A quick scan of the current stable rules shows that:

 There are 3039 total stable rules
 There are 323 rules that are default_off
 2 of the default_off rules are marked mixed_content
 16 of the other 2716 rules are marked mixed_content

 Yesterday me, Lisa, and Dan took a random sampling of 30 rules (a small
 set, I know, but we did it manually) and loaded the homepages of those
 rules in FF23. Ignoring the ones that were default_off (and the 2 that
 timed out because they were down) we found that:

 20% triggered the MCB
 80% worked fine

 Assuming that this is statistically accurate, we probably need to mark
 about 527 more rules as mixedcontent.

 mikeperry, I see your comment in #9196:

   Given that our only choices seem to be "disable a ton more rules than we
 should", "seriously degrade the user experience of HTTPS-Everywhere
 users", and "disable mixed content until it can be done right", I think
 the least invasive choice is the third one.

 I agree that all these options kinda suck. I think disabling 20% of
 the rules might be worth it over disabling new security features that ship
 with Firefox.

 We also decided that disabling the MCB is still on the table if we run
 into trouble. If it turns out that we can't actually do all of this in
 time, or if it turns out that we have to disable significantly more rules
 than we thought, then we have code that's mostly ready (needs to work out
 some UI issues) to temporarily disable the MCB in Lisa's github repo:
 https://github.com/lisayao/HTTPS-Everywhere

 I'm also updating #9196 from turning off the MCB to marking rules as mixed
 content.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8774#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
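
An added example, not part of the original message or the HTTPS Everywhere code base: one way to produce the kind of tally quoted in the comment above and to list the enabled rulesets that are not yet marked `platform="mixedcontent"`, which is the pool a Firefox 23 test sample would be drawn from. It assumes each ruleset is XML with a root `<ruleset>` element carrying `name`, `default_off` and `platform` attributes, and that `platform` may hold several space-separated values; the sample rulesets are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample rulesets (not taken from the HTTPS Everywhere repository).
SAMPLE_RULESETS = {
    "plain.xml": '<ruleset name="Plain"><target host="plain.example"/>'
                 '<rule from="^http:" to="https:"/></ruleset>',
    "mixed.xml": '<ruleset name="Mixed" platform="mixedcontent">'
                 '<target host="mixed.example"/></ruleset>',
    "off.xml": '<ruleset name="Off" default_off="breaks login">'
               '<target host="off.example"/></ruleset>',
    "off_mixed.xml": '<ruleset name="OffMixed" default_off="cert mismatch" '
                     'platform="cacert mixedcontent"/>',
    "broken.xml": '<ruleset name="Broken"',  # malformed on purpose
}

def classify(xml_text):
    """Return (name, default_off, mixedcontent), or None if not a valid ruleset."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if root.tag != "ruleset":
        return None
    # platform is treated as a space-separated list (assumption), so
    # "cacert mixedcontent" counts but a substring match elsewhere would not.
    platforms = root.get("platform", "").split()
    return root.get("name", ""), "default_off" in root.attrib, "mixedcontent" in platforms

def tally(rulesets):
    """Count rulesets by default_off / mixedcontent status."""
    counts = Counter()
    for text in rulesets.values():
        info = classify(text)
        if info is None:
            counts["unparseable"] += 1
            continue
        _, off, mixed = info
        counts["total"] += 1
        counts["default_off" if off else "enabled"] += 1
        if mixed:
            counts["default_off_mixed" if off else "enabled_mixed"] += 1
    return counts

def unmarked_enabled(rulesets):
    """Names of enabled rulesets that still lack the mixedcontent mark."""
    infos = (classify(t) for t in rulesets.values())
    return sorted(i[0] for i in infos if i and not i[1] and not i[2])

if __name__ == "__main__":
    print(dict(tally(SAMPLE_RULESETS)), unmarked_enabled(SAMPLE_RULESETS))
```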

