[tor-bugs] #27551 [- Select a component]: Build HTTPS Everywhere with the SecureDrop custom ruleset update channel
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Sep 7 19:04:06 UTC 2018
#27551: Build HTTPS Everywhere with the SecureDrop custom ruleset update channel
--------------------------------------+--------------------
Reporter: legind | Owner: (none)
Type: enhancement | Status: new
Priority: Medium | Milestone:
Component: - Select a component | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
--------------------------------------+--------------------
Related: https://github.com/freedomofpress/securedrop/issues/3668,
https://github.com/EFForg/https-everywhere/blob/master/docs/en_US/ruleset-
update-channels.md, https://blog.torproject.org/cooking-onions-names-your-
onions
Blocked by: https://trac.torproject.org/projects/tor/ticket/10394
There has been some discussion on the SecureDrop issue tracker on the
possibility of FPF maintaining their own SecureDrop custom rulesets update
channel.
A "ruleset" is a strictly formatted XML file that defines how HTTPS
Everywhere issues redirects. HTTPS Everywhere comes bundled with
thousands of these rulesets that tell it how to secure sites. An "update
channel" is a new way for HTTPS Everywhere to have rulesets delivered to
the extension without publishing a new version of the extension itself.
Rulesets are periodically checked for on a publicly accessible, known URL
and verified via the WebCrypto API, see https://github.com/EFForg/https-
everywhere/blob/master/docs/en_US/ruleset-update-channels.md#update-
channel-format--logic for more info on how this works. Currently the Tor
Browser includes the `EFF (Full)` update channel. Requests to the update
channels to check for ruleset updates are made every 24 hours.
The idea here is for FPF to maintain its own update channel which forwards
URLs of the format `http://0.0.0.0/theintercept.com.securedrop` to the
onion URL for that SecureDrop instance. This gives a few distinct
advantages:
1. It allows easier discovery of SecureDrop sites
2. It allows FPF to quickly rotate keys in case of key compromise or
vulnerabilities, as has happened in the past with HeartBleed
(https://freedom.press/news/securedrop-and-the-openssl-vulnerability/)
3. If someone accesses a site of this format in Chrome browser, it will
not leak the DNS request. This provides no additional security in
Firefox, since Firefox already blocks DNS requests for the `.onion`
pseudo-TLD.
Understandably, Tor Browser may be wary of adding an additional update
channel, maintained by another entity, which has the arbitrary ability to
redirect URLs. That's why HTTPS Everywhere has added the concept of
`scope` to update channels. `scope` defines some regular expression for
URLs on which a ruleset update channel is allowed to operate. For
instance, in the case of SecureDrop, you can define the scope to be
`https?://0\.0\.0\.0/[^/]+\.securedrop($|/)` so that this update channel
only operate on URLs of the format given above.
This update channel would have to be added to HTTPS Everywhere for the Tor
Browser (in https://github.com/EFForg/https-
everywhere/blob/master/chromium/background-scripts/update_channels.js) at
build-time. Since all customizations are overwritten when the extension
is updated, this is also blocked by
https://trac.torproject.org/projects/tor/ticket/10394
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27551>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list