[tor-dev] [HTTPS-Everywhere] [GSoC] HTTPS Everywhere secure ruleset update mechanism update
yan at torproject.org
Tue Jul 8 10:47:31 UTC 2014
(resending to tor-dev with tp.o email address)
On 07/08/2014 03:42 AM, Yan Zhu wrote:
> On 07/08/2014 12:07 AM, Jeroen Massar wrote:
>> On 2014-07-07 20:40, Red wrote:
>> [.. lots of cool work being worked on ..]
>> Hi Zack,
>> Seems you are doing lots of cool stuff ;)
>> But I am one of those strange people who really hate it that every
>> separate tool has their own updater (which can be used for tracking a
>> user, as the set of updater tools polling servers makes a fingerprint in
>> the same way other flows make a fingerprint).
> Hi Jeroen,
> This makes a lot of sense. I'm aware of the fingerprintability concern,
> and EFF tech projects generally try to mitigate it by polling the update
> servers at randomized intervals over fresh Tor circuits if possible. For
> this project, we initially proposed polling for an update when the
> browser starts and every 3 hours plus some random, evenly-distributed
> number of milliseconds between 0 and 300000. I'm curious if others have
> more refined suggestions!
>> And thus I run Little Snitch and block those updates. Till I deem it a
>> good time for the update to be done and trigger it manually.
>> As such, when you get to the stage of adding features, it would be good
>> if there was:
>> - an option to disable the auto fetching
> Yes, this would be fairly easy to add.
>> - an option to trigger the fetching
> Probably also easy.
>> - to feed the update mechanism with a pre-fetched file
>> (eg provided through a different update mechanism)
> Since the update mechanism is just an XHR that downloads a new ruleset
> library from a hardcoded static URL and replaces the existing one in the
> Firefox profile directory, you could fetch-and-replace this manually via
> any number of mechanisms. :)
> Also, the ruleset libraries will still ship with extension updates, so
> you could disable ruleset updates and just wait for the next HTTPS
> Everywhere release.
Yan Zhu <yan at eff.org>, <yan at torproject.org>
Electronic Frontier Foundation https://www.eff.org
815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x134
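
The polling schedule described in the message above (a check at browser start, then every 3 hours plus a uniform 0 to 300000 ms), together with the auto-fetch switch and manual trigger requested in the thread, as an added example that is not part of the original message or of HTTPS Everywhere's code. `RulesetUpdater`, `fetchRuleset`, `setTimer` and `randomU32` are hypothetical names, and drawing the jitter from a CSPRNG with rejection sampling is an assumption that goes beyond what the message specifies.

```javascript
// Added example; RulesetUpdater, fetchRuleset, setTimer, randomU32 are hypothetical names.
const BASE_INTERVAL_MS = 3 * 60 * 60 * 1000; // "every 3 hours"
const MAX_JITTER_MS = 300000;                // jitter range from the message, in ms

// 32-bit value from the platform CSPRNG (assumes a Web Crypto global).
function defaultRandomU32() {
  const buf = new Uint32Array(1);
  globalThis.crypto.getRandomValues(buf);
  return buf[0];
}

// Uniform integer in [0, max]. Rejection sampling discards the top slice of
// the 32-bit range so the modulo does not favour small delays.
function uniformJitter(max, randomU32 = defaultRandomU32) {
  const range = max + 1;
  const limit = Math.floor(0x100000000 / range) * range;
  let r;
  do { r = randomU32(); } while (r >= limit);
  return r % range;
}

class RulesetUpdater {
  constructor({ fetchRuleset, setTimer = (fn, ms) => setTimeout(fn, ms),
                randomU32 = defaultRandomU32, autoFetch = true }) {
    Object.assign(this, { fetchRuleset, setTimer, randomU32, autoFetch });
  }
  // Called at browser start: one immediate check, then the jittered loop.
  start() {
    if (!this.autoFetch) return; // user disabled automatic polling
    this.check();
    this.schedule();
  }
  nextDelay() {
    return BASE_INTERVAL_MS + uniformJitter(MAX_JITTER_MS, this.randomU32);
  }
  // Draw a fresh delay for every poll so the interval never repeats exactly.
  schedule() {
    this.setTimer(() => {
      if (!this.autoFetch) return; // option was switched off while waiting
      this.check();
      this.schedule();
    }, this.nextDelay());
  }
  // Manual trigger; works whether or not auto-fetch is enabled.
  check() {
    return this.fetchRuleset();
  }
}
```

Injecting `setTimer` and `randomU32` lets the schedule be checked without waiting three hours or depending on real randomness.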