#10394: Torbrowser's updater updates HTTPS-everywhere
-------------------------------------------------+-------------------------
 Reporter:  StrangeCharm                         |          Owner:  tbb-team
     Type:  task                                 |         Status:  needs_review
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-security, https-everywhere,      |  Actual Points:
  TorBrowserTeam202006R                          |
Parent ID:                                       |         Points:
 Reviewer:  gk                                   |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by gk):

 * status:  needs_information => needs_review
 * cc: yawning (removed)

Comment:

 Replying to [comment:45 rustybird]:
 > Replying to [comment:44 gk]:
 >
 > > Maybe we could include this patch as part of our "don't block our unsigned extensions" patch where HTTPS-Everywhere is the only extension left anyway. Would be easy to make this into a "treat https-e special" patch.
 >
 > If the [https://lists.torproject.org/pipermail/tbb-dev/2017-April/000530.html plan] still is to eventually disable NoScript updates too, then it might be simpler to keep the patch separate and later add a fixup checking for the NoScript ID as well. Just a thought.

 Yes, that's still the plan. I am not overly worried about NoScript having any impact here. Once we disable updates for NoScript we want to make a signature check exception for it, too, because we don't want to be affected again by Mozilla messing up their signing certificate renewal. So, this would fit into a single patch together with HTTPS-Everywhere being exempted and its updates disabled.

 What I *am* worried about is the additional review cost this move would imply because I think we should neither disable HTTPS-Everywhere's nor NoScript's update mechanism if we can't manage to track their releases and check whether those contain any new security issues or fixes for older ones.

 > > rustybird: have you checked whether the ruleset updates are unaffected by your patch
 >
 > Yes, they still work: There are connections to `www.https-rulesets.org:443` and `securedrop.org:443`. And when I start with an old HTTPS Everywhere version that includes an outdated ruleset, the `rulesets-timestamp` fields in `browser-extension-data/https-everywhere-e...@eff.org/storage.js` show that those updates are applied.

 Great, thanks.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10394#comment:46>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs