[tor-dev] [GSoC] HTTPS Everywhere Secure Ruleset Updater Report

Red redwire at riseup.net
Fri Aug 1 23:19:27 UTC 2014

Hello everyone!

Sorry about the fact that I haven't made a report in a few weeks. It's
been a busy time for me. With that said, I have been getting quite a bit
of work done on my project to build a secure ruleset updating mechanism
for the HTTPS Everywhere Firefox browser extension.

In my last report, I talked about the fact that I had been struggling
with finding an appropriate solution to the problem of generating an
appropriate signature on (the digest of) the update information provided
by an update.json file. The problem was brought to some other core
developers and it was decided that we would use an existing tool
included in recent versions of the NSS tools.

Since then, I have been working to integrate my updater into the
existing HTTPS Everywhere codebase, which has involved quite a bit of
refactoring. I have succeeded in getting the mechanism functional in the
extension and have also taken care of keeping the master branch I was
working off of up to date. This means that my feature will be able to be
pulled into the newly released HTTPS Everywhere 5.0 development release
as soon as it's been even more thoroughly tested!

I am once again having an issue with signature verification. My mentor,
Yan, had found a method of (as described above) using NSS tools to
generate a signature that the Mozilla XPCOM component designed to do so
could understand and verify. I have not been able to successfully repeat
this process in a way that produces a signature whose authenticity my
ruleset updating mechanism has been able to verify.

The good news is that once this issue is resolved, the feature should be
working just right and all that will remain will be to:

1. Add some elements to the UI to configure the updater.
2. Reset some preferences that were provided defaults for testing purposes.
3. Add another simple test to the ruleset update authenticity check to
   verify that the source URL is an EFF domain.

I don't anticipate that these will be difficult changes at all.

You can follow my progress by watching my fork of the repository on
github and keeping an eye on the branch I am developing:
As always, constructive feedback and ideas are always welcome!

