Build HTTPS Everywhere with the SecureDrop custom ruleset update channel
Related: https://github.com/freedomofpress/securedrop/issues/3668, https://github.com/EFForg/https-everywhere/blob/master/docs/en_US/ruleset-update-channels.md, https://blog.torproject.org/cooking-onions-names-your-onions
Blocked by: https://trac.torproject.org/projects/tor/ticket/10394
There has been some discussion on the SecureDrop issue tracker on the possibility of FPF maintaining their own SecureDrop custom rulesets update channel.
A "ruleset" is a strictly formatted XML file that defines how HTTPS Everywhere issues redirects. HTTPS Everywhere comes bundled with thousands of these rulesets that tell it how to secure sites. An "update channel" is a new way for HTTPS Everywhere to have rulesets delivered to the extension without publishing a new version of the extension itself. Rulesets are periodically checked for on a publicly accessible, known URL and verified via the WebCrypto API, see https://github.com/EFForg/https-everywhere/blob/master/docs/en_US/ruleset-update-channels.md#update-channel-format--logic for more info on how this works. Currently the Tor Browser includes the EFF (Full)
update channel. Requests to the update channels to check for ruleset updates are made every 24 hours.
The idea here is for FPF to maintain its own update channel which forwards URLs of the format http://0.0.0.0/theintercept.com.securedrop
to the onion URL for that SecureDrop instance. This gives a few distinct advantages:
- It allows easier discovery of SecureDrop sites
- It allows FPF to quickly rotate keys in case of key compromise or vulnerabilities, as has happened in the past with HeartBleed (https://freedom.press/news/securedrop-and-the-openssl-vulnerability/)
- If someone accesses a site of this format in Chrome browser, it will not leak the DNS request. This provides no additional security in Firefox, since Firefox already blocks DNS requests for the
.onion
pseudo-TLD.
Understandably, Tor Browser may be wary of adding an additional update channel, maintained by another entity, which has the arbitrary ability to redirect URLs. That's why HTTPS Everywhere has added the concept of scope
to update channels. scope
defines some regular expression for URLs on which a ruleset update channel is allowed to operate. For instance, in the case of SecureDrop, you can define the scope to be https?://0\.0\.0\.0/[^/]+\.securedrop($|/)
so that this update channel only operate on URLs of the format given above.
This update channel would have to be added to HTTPS Everywhere for the Tor Browser (in https://github.com/EFForg/https-everywhere/blob/master/chromium/background-scripts/update_channels.js) at build-time. Since all customizations are overwritten when the extension is updated, this is also blocked by https://trac.torproject.org/projects/tor/ticket/10394