On 03/04/2014 08:16 PM, Paul Wise wrote:
> I'm using https-finder. It often redirects me to https sites that
> https-everywhere does not know about. I was thinking it would be a great
> idea for https-finder to have the ability to submit domains that have
> https on them over tor. Also it would be great if https-finder were
> merged into https-everywhere.

We've gotten this suggestion a couple times before. Seth Schoen tells me that the HTTPS Finder rules are often buggy or incomplete, so it's better if humans look at them first and submit them to us (rather than have HTTPS Finder automatically submit everything that it finds).

> The ruleset is updated quite often but the plugin doesn't necessarily
> get updated on users' computers often, especially for example in Debian
> stable. In order to work around this issue it would be great to ship a
> snapshot of rules with the plugin as now but also allow the plugin to
> download new rules on a regular basis over https with cert pinning in
> place.

As discussed previously, it would be great for us to decouple ruleset updates from extension updates so that we can ship ruleset updates more frequently (extension updates happen about once every two months). I'm open to the idea of shipping ruleset updates over HTTPS with certificate pinning (i.e., bundling the public key with the HTTPS Everywhere package) as soon as they get checked into git, but this would mean that ruleset updates are less secure than extension updates (since we sign extension updates with an offline private key in addition to serving them over HTTPS).

(There's a good argument that ruleset security should be equivalent to extension security, since an attacker can submit a ruleset update that rewrites the extension update URL to a malicious one!)

-Yan
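
The closing point of the message, as an added example that is not part of the original e-mail or the HTTPS Everywhere code: a client that fetches rulesets separately from the extension could refuse any update containing a rule whose `from` pattern matches the extension's own update URL. The update URL is a placeholder, the two rulesets are constructed samples, and Python's `re` stands in (as an assumption) for the JavaScript regex engine the extension uses.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: placeholder for the extension's update URL, which the message does not give.
PROTECTED_URLS = ["https://updates.example.org/https-everywhere/update.rdf"]

# Constructed samples in the <ruleset>/<target>/<rule from= to=> layout of HTTPS Everywhere rules.
BENIGN = r"""<ruleset name="Example">
  <target host="www.example.com"/>
  <rule from="^http://www\.example\.com/" to="https://www.example.com/"/>
</ruleset>"""

HOSTILE = r"""<ruleset name="Looks harmless">
  <target host="updates.example.org"/>
  <rule from="^https?://updates\.example\.org/" to="https://mirror.example.net/"/>
</ruleset>"""


def rules_touching_protected(ruleset_xml, protected=PROTECTED_URLS):
    """Return (ruleset name, from-pattern, to-template) for each rule that matches a protected URL."""
    # Downloaded rulesets are untrusted input; production code should use a hardened XML parser.
    root = ET.fromstring(ruleset_xml)
    name = root.get("name", "")
    hits = []
    for rule in root.iter("rule"):
        pattern, target = rule.get("from", ""), rule.get("to", "")
        try:
            compiled = re.compile(pattern)
        except re.error:
            # A pattern this checker cannot evaluate is treated as a hit (fail closed).
            hits.append((name, pattern, target))
            continue
        # <exclusion> elements are ignored on purpose: that only makes the check stricter.
        if any(compiled.search(url) for url in protected):
            hits.append((name, pattern, target))
    return hits


def accept_update(rulesets):
    """Accept a batch of rulesets only if no rule in it can rewrite a protected URL."""
    findings = [hit for text in rulesets for hit in rules_touching_protected(text)]
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = accept_update([BENIGN, HOSTILE])
    print("accepted" if ok else "rejected", findings)
```

A check like this narrows one abuse path only; it does not make pinned-HTTPS delivery equivalent to the offline signature the message describes for extension updates.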
