-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
On 01/13/2014 07:14 AM, Drake, Brian wrote: > Yay! > > At the risk of being annoying, with all my recent messages about > the FAQ, this one might need updating soon: > > “Q. Why isn't HTTPS Everywhere available for download from > addons.mozilla.org <http://addons.mozilla.org> like most other > Firefox add-ons?” BTW, I really appreciate all these updates to the FAQ. We need to get our docs in shape! :) Will update when I'm back from travel. In the meantime, feel free to keep pointing them out. > > It would also be interesting to know what the reason is for this > change. I think I’ve seen discussion about this issue, but nothing > that indicated that this change would actually be made. > There's a ticket for it: https://trac.torproject.org/projects/tor/ticket/9769. Note that none of the security issues raised in that thread were actually resolved. On the contrary, Mozilla has told me that there's no way for us to sign our own extension and have it verified by users if they download it from the addons store. This is sad, because it's less protection than the Chrome web store offers (we sign the extension and updates with a key on an airgapped machine, and Chrome refuses to accept updates that are not signed with this key; the hash of the public key is actually in the URL of the extension in the Chrome Web Store). It worries me that HTTPS Everywhere in AMO is therefore only as secure as the login credentials to our AMO account + review process by Mozilla folks. :/ On the other hand, pde and I decided it would be okay to put it in the Mozilla addons store in addition to hosting it from eff.org (where most users will continue to download it, probably) if we included a note on both pages about why eff.org is the more secure and privacy-respecting distribution channel of the two for HTTPS Everywhere. - -Yan > > -- Brian Drake > > All content created by me: Copyright > <http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html> © > 2014 Brian Drake. All rights reserved. > > On Mon, Jan 13, 2014 at 1438 (UTC), Yan Zhu <[email protected] > <mailto:[email protected]>> wrote: > > > > On 01/13/2014 06:00 AM, Drake, Brian wrote: >> I don’t really know anything about Chrome and Opera add-ons, but >> I am surprised to see something about a “Mozilla addon store” >> being updated. This add-on is not on https://addons.mozilla.org/ >> and I don’t know what else it could be referring to. > > > It's not on the Mozilla store yet, but I was planning to put it > there as of this release. This is blocking on Mozilla fixing a bug > where HTTPS Everywhere won't upload to the store because Mozilla > thinks that it's there already for some reason (ugh). > > -Yan > >> -- Brian Drake > >> All content created by me: Copyright >> <http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html> © >> 2014 Brian Drake. All rights reserved. > >> On Sat, Jan 4, 2014 at 0149 [WST (UTC+8)], Yan Zhu <[email protected] > <mailto:[email protected]> >> <mailto:[email protected] <mailto:[email protected]>>> wrote: > >> HTTPS Everywhere 3.4.5 has been released: > >> https://www.eff.org/files/https-everywhere-3.4.5.xpi > >> - From the Changelog: > >> 3.4.5 * Updated license * Updated README.md * Updated >> contributors list * Fix a performance bug when re-enabling >> HTTPS-Everywhere from its menu * Observatory cert whitelist >> update * Updated rules: Atlassian, Brightcove, MIT, Pidgin, >> Microsoft, Whonix, Skanetrafiken, Stack-Exchange, >> Stack-Exchange-mixedcontent > > > >> HTTPS Everywhere for Chrome 2014.1.3 has been released: > >> https://www.eff.org/files/https-everywhere-chrome-2014.1.3.crx > >> - From the Changelog: > >> chrome-2014.1.3 * Various ruleset fixes * Various performance >> improvements, thanks to Nick Semenkovich and Jacob >> Hoffman-Andrews! * Add LRU caching for rules * Refactor out >> unused code * Reload page when rule is disabled * Upgrade URI.js >> * Add fi translation > > >> (The Chrome, Opera, and Mozilla addon stores have not yet been >> updated with these releases but will be soon!) > >> -Yan > > > > > - -- Yan Zhu [email protected] Technologist Tel +1 415 436 9333 x134 Electronic Frontier Foundation Fax +1 415 436 9993 -----BEGIN PGP SIGNATURE----- iQEcBAEBCgAGBQJS1L1xAAoJENC7YDZD/dnsLSMIAJJgU47Vut9sJsuvOSuvNR0J NksAJGlvEKTxSX2pII/uE9HDYPcBeWn8dlh21NWmRA9pHqwS/wsUPPADA2J2mMoQ EVS4UVhUt+4G/yAc1ovuVPI/7FgQ7zaAQRIqmOmKZXMZeY3uAAHbJ4KNm644XvVK I+kh+RBntb1hqvjhc47HU9qWWVBy+g6ZaHOuvl315CGI/KvsW7QmyvFnOTl9GX1K fMPxrmSBXq5NqTLH4ea/72m4SfA7mpZIGNrHao5blg3MxeLiWlyh0VjwJjgFMX/l A0Wu+ySPyj7xdnaCgt6MQnGfF3y7zF7vwPLV9QpsFfcZqMiKsb06Z5qDdBVg2+c= =Gwqg -----END PGP SIGNATURE----- _______________________________________________ HTTPS-Everywhere mailing list [email protected] https://lists.eff.org/mailman/listinfo/https-everywhere
