[tor-dev] [HTTPS-Everywhere] GSoC report - Zack Mullaly - HTTPS Everywhere secure ruleset update mechanism

Sun Jun 15 21:09:01 UTC 2014

(Trying again with my tp.o email address)

On 06/15/2014 02:05 PM, Yan Zhu wrote:
> It's unclear whether this message went through to tor-dev (can't find it
> in the archives), but I've added this update to
> https://trac.torproject.org/projects/tor/wiki/doc/gsoc.
> 
> On 06/13/2014 05:06 PM, Red wrote:
>> Hello, everyone!
>> I apologize for the fact that this is coming in late, but here is a
>> summary of my progress and plans thus far in developing a secure ruleset
>> update mechanism for the HTTPS Everywhere browser extension.
>>
>> The specification document detailing how the ruleset updater will
>> function has been perhaps the greatest focus for me until now. The
>> document is currently hosted on Github as a gist[1], and currently
>> details the format for the JSON document the extension will fetch to
>> determine whether the update information it receives is authentic and
>> relevant.
>>
>> A second task I have been working on is the creation of a utility[2]
>> used to automate much of the process of building the update.json file
>> contents outlined by [1]. A lot of the work done here so far has been
>> experimental, but it is already providing some utility for composing
>> data that can be used for testing purposes.
>>
>> The third thing I have been working on is the actual implementation of
>> the ruleset updater[3].  There are to be some changes to the spec that
>> will be reflected in this code in the coming week, but the
>> implementation so far is very close to being ready to test.
>>
>> In the last week, a lot of discussion has occurred centered around
>> improving the specification for the ruleset update mechanism and how the
>> update.json file and signing thereof should function and be written.  I
>> have posted my weekly meeting notes to another gist[4] which I will from
>> today onwards be keeping up to date with my weekly notes so that they
>> will be publicly available and well-formatted.  In summary, my upcoming
>> work will involve updating the update.json spec to reflect the
>> discussion being had on the https-everywhere mailing list and between
>> myself and my mentor, Yan.  I will then focus on updating the extension
>> code as well as the utility I have been working on to reflect the
>> changes to the spec.  I will then move on to testing the signature
>> verification method locally by creating example documents and a Python
>> script to verify the signature.  I will also be setting up a testing
>> environment to properly test my work on the ruleset update mechanism.
>>
>> My work can be more closely followed on Github- specifically, my fork of
>> the official HTTPS-Everywhere repository[5].  The code I have been
>> working on resides in my "makeJSONManifest" and "rulesetUpdating"
>> branches.  You can also follow the discussion on the https-everywhere
>> mailing list, and are welcome to join in mine and Yan's weekly meetings
>> in #https-everywhere on irc.oftc.net at 11:00AM Pacific Time on
>> Fridays.  We're happy to have people chime in with ideas, and commentary
>> in IRC, the mailing list, and on Github is welcome!
>>
>> [1]: https://gist.github.com/redwire/2e1d8377ea58e43edb40
>> [2]:
>> https://github.com/redwire/https-everywhere/blob/makeJSONManifest/utils/ruleset_update_manifest.py
>> [3]:
>> https://github.com/redwire/https-everywhere/blob/rulesetUpdating/src/chrome/content/code/rulesetUpdate.js
>> [4]: https://gist.github.com/redwire/b62f03905a826e79947a
>> [5]: https://github.com/redwire/https-everywhere
>>
>>
>>
>> _______________________________________________
>> HTTPS-Everywhere mailing list
>> HTTPS-Everywhere at lists.eff.org
>> https://lists.eff.org/mailman/listinfo/https-everywhere
>>
> 
> 


-- 
Yan Zhu  <yan at eff.org>, <yan at torproject.org>
Staff Technologist
Electronic Frontier Foundation                  https://www.eff.org
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x134