Alexander FærøyHTTPS-everywhere update
-
Session is suddenly about onion names through HTTPS-Everywhere
-
"Update channels" new feature
- HTTPS-everywhere has update chanels because releasing extensions is a PITA
- EFF has its own channel already in TB
- scope of channel. you can limit the ability of HTTPS-everywhere to rewrite only certain regexps (e.g. only "onions")
- https://github.com/EFForg/https-everywhere/blob/master/docs/en_US/ruleset-update-channels.md
-
Is this begging for a web of trust system?
-
HTTPS-everywhere is willing to support this use case and add features/UX etc.
-
Potential UX Problems from securedrop:
- Update channel UX though their website would not work for securedrop
- Rewriting from .tor to huge .onion will confuse securedrop sources
- Can we do UX work to improve the user confusion that could happen here?
- Same as onion-location issue
- Fear of new pseudo-tld leakage in normal browsers if we use .tor or something.
-
Are there securedrop instances that dont have a normal DNS name?
- Most securedrop organizations have normal DNS name.
-
What about multiple rulesets specifying conflicting .tor names?
- HTTPS-everywhere uses the first ruleset that it can find
- We can improve this
-
URL scoped based on what the list is:
- securedrop.alecmuffett.tor
- securedrop.reddit.tor
-
How to avoid URL leakage from browsers?
- Securedrop and others are really worrying about this.
- Do we do securedrop.tor or securedrop.tor.onion ? Or securedrop.local?
- Can we ask browsers to also reserve .tor? How long will it take?