[tor-bugs] #27513 [HTTPS Everywhere/EFF-HTTPS Everywhere]: Add-on for redirecting users to onion site

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Sep 7 03:32:19 UTC 2018 

#27513: Add-on for redirecting users to onion site
-------------------------------------------------+-------------------------
 Reporter:  cyberpunks                           |          Owner:  legind
     Type:  enhancement                          |         Status:  new
 Priority:  Low                                  |      Milestone:
Component:  HTTPS Everywhere/EFF-HTTPS           |        Version:
  Everywhere                                     |
 Severity:  Normal                               |     Resolution:
 Keywords:                                       |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by legind):

 You also didn't give consent to access `eff.org` for HTTPS Everywhere
 extension updates, or `addons.mozilla.org` for NoScript extension updates,
 but that's what Tor Browser has been doing for the better part of a
 decade.  It's one of the ways that we are able to ship quick fixes if
 vulnerabilities are found, or updates to the coverage for HTTPS sites.  In
 fact, rolling HTTPS Everywhere ruleset updates improves the anonymity
 guarantees of the Tor Browser by ensuring that you can't be fingerprinted
 by clever techniques that differentiate your version of the HTTPS
 Everywhere rulesets from everyone elses.

 "Self-hosted add-on" in your case means that it updates instead from the
 server of some random person with no established credibility, which is
 laughable.  I don't think that's any better than `addons.mozilla.org`.  At
 best, it's a misleading statement.

 HTTPS Everywhere is developed by the EFF in collaboration with the Tor
 Project.  You're already trusting the Tor Project for updates to the Tor
 Browser.  Fetching these rulesets from https://www.https-rulesets.org/
 allows users to ensure comprehensive HTTPS coverage, and isn't comparable
 to an extension that forces onion service connections despite user
 preference.

 Custom ruleset channels in HTTPS Everywhere also allow users to limit a
 ruleset update channel by scope.  So if a user subscribes to an auto-
 redirection channel, they can enter the regex `http://[^/]+\.tor/` to
 ensure that it only acts on the `.tor` pseudo-TLD.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27513#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list