[tor-bugs] #9868 [EFF-HTTPS Everywhere]: Stop bundling rulesets with extension, download separately instead (like ABP)

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Oct 1 23:07:03 UTC 2013


#9868: Stop bundling rulesets with extension, download separately instead (like
ABP)
----------------------------------+---------------------
 Reporter:  micahlee              |          Owner:  pde
     Type:  enhancement           |         Status:  new
 Priority:  normal                |      Milestone:
Component:  EFF-HTTPS Everywhere  |        Version:
 Keywords:                        |  Actual Points:
Parent ID:  #9769                 |         Points:
----------------------------------+---------------------
 Right now HTTPS Everywhere is bundled with the file
 src/chrome/content/rules/default.rulesets (~3.2mb), which is a
 concatenated list of all the xml ruleset files.

 Instead we should act more like Adblock Plus, where the extension
 downloads the ruleset list on first install, and then regularly checks for
 updates. This is a prerequisite to #9769, so that we'll be able to release
 ruleset fixes without going through Mozilla's extension update approval
 process.

 Right now we use an air-gapped signing machine to sign xpi and crx
 packages. I think we should use this same key to sign ruleset updates,
 which would probably mean some sort of signature verification in
 JavaScript.

 There's also the question of where to host the ruleset updates. Right now
 the xpi file is hosted at https://www.eff.org/, but we're setting up a new
 server for #7075 to receive buggy ruleset reports. Would it make sense to
 use that server instead? There are privacy issues with making browsers
 load from an HTTPS-E specific domain name (ruleset updates can be
 censored), but I think it would be cleaner from a network architecture
 perspective, especially since EFF's website traffic is a different beast
 from HTTPS Everywhere update traffic.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9868>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
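
The signature check the ticket proposes for ruleset updates could look like the following; this is an added example, not HTTPS Everywhere code, and it goes one step beyond the ticket by also rejecting updates that are not newer than the installed rulesets. Assumptions: Node.js `crypto` stands in for the browser's crypto API, the Ed25519 key pair is generated inline in place of the offline signing key, and the manifest fields (`version`, `rulesets`) and function names are hypothetical.

```javascript
// Added example (Node.js). Key type, manifest fields and names are assumptions.
const { generateKeyPairSync, sign, verify } = require('crypto');

// Constructed stand-in for the offline signing key. A real client would ship
// only the public half, pinned inside the extension.
const { publicKey: PINNED_KEY, privateKey: OFFLINE_KEY } = generateKeyPairSync('ed25519');

// Constructed sample ruleset in the HTTPS Everywhere XML style.
const SAMPLE_RULESET =
  '<ruleset name="Example"><target host="example.com"/>' +
  '<rule from="^http:" to="https:"/></ruleset>';

// Signing side: sign the exact bytes that will be published.
function signUpdate(manifest, privateKey) {
  const payload = Buffer.from(JSON.stringify(manifest), 'utf8');
  return { payload, signature: sign(null, payload, privateKey) };
}

// Client side: check the signature over the raw bytes before parsing them,
// then refuse anything that is not newer than the installed rulesets, so an
// old but validly signed file cannot be replayed to undo a fix.
function acceptUpdate(update, installedVersion, pinnedKey = PINNED_KEY) {
  let valid = false;
  try {
    valid = verify(null, update.payload, pinnedKey, update.signature);
  } catch (err) {
    valid = false; // malformed signature or key: treat as unverified
  }
  if (!valid) return { accepted: false, reason: 'bad-signature' };

  let manifest;
  try {
    manifest = JSON.parse(update.payload.toString('utf8'));
  } catch (err) {
    return { accepted: false, reason: 'malformed' };
  }
  if (!manifest || !Number.isInteger(manifest.version) ||
      typeof manifest.rulesets !== 'string') {
    return { accepted: false, reason: 'malformed' };
  }
  if (manifest.version <= installedVersion) {
    return { accepted: false, reason: 'not-newer' };
  }
  return { accepted: true, reason: 'ok', manifest };
}

const demo = signUpdate({ version: 2, rulesets: SAMPLE_RULESET }, OFFLINE_KEY);
console.log(acceptUpdate(demo, 1).reason); // ok
```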

