HTTPS-everywhere update
- Session is suddenly about onion names through HTTPS-Everywhere
- "Update channels" new feature
  - HTTPS-everywhere has update channels because releasing extensions is a PITA
  - EFF has its own channel already in TB
  - Scope of channel: you can limit HTTPS-everywhere to rewriting only URLs that match certain regexps (e.g. only "onions")
  - https://github.com/EFForg/https-everywhere/blob/master/docs/en_US/ruleset-update-channels.md
- Is this begging for a web of trust system?
- HTTPS-everywhere is willing to support this use case and add features/UX etc.
- Potential UX Problems from securedrop:
  - Update channel UX through their website would not work for securedrop
  - Rewriting from .tor to huge .onion will confuse securedrop sources
  - Can we do UX work to improve the user confusion that could happen here?
  - Same as onion-location issue
  - Fear of new pseudo-tld leakage in normal browsers if we use .tor or something.
- Are there securedrop instances that don't have a normal DNS name?
  - Most securedrop organizations have a normal DNS name.
- What about multiple rulesets specifying conflicting .tor names?
  - HTTPS-everywhere uses the first ruleset that it can find
  - We can improve this
- URL scoped based on what the list is:
  - securedrop.alecmuffett.tor
  - securedrop.reddit.tor
- How to avoid URL leakage from browsers?
  - Securedrop and others are really worried about this.
  - Do we do securedrop.tor or securedrop.tor.onion? Or securedrop.local?
  - Can we ask browsers to also reserve .tor? How long will it take?
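
A simplified model of two points from these notes, channel scope and conflicting rulesets, as an added example (not HTTPS Everywhere's code). The channel names and onion addresses are constructed placeholders, and refusing to rewrite on conflict is one assumed way to improve on "first ruleset wins".

```javascript
// Simplified model of scoped update channels; not HTTPS Everywhere's code.
// Channel names and onion addresses are constructed placeholders.
const onion = (c) => c.repeat(56) + ".onion";
const CHANNELS = [
  { name: "alecmuffett-list", scope: "^https?://([a-z0-9-]+\\.)*alecmuffett\\.tor/",
    rules: { "securedrop.alecmuffett.tor": onion("a"),
             "securedrop.reddit.tor": onion("x") } },   // rule outside its own scope
  { name: "reddit-list", scope: "^https?://([a-z0-9-]+\\.)*reddit\\.tor/",
    rules: { "securedrop.reddit.tor": onion("b") } },
  { name: "unscoped-list", scope: "",                    // empty scope matches every URL
    rules: { "securedrop.reddit.tor": onion("c") } },
];

const hasRule = (ch, host) => Object.prototype.hasOwnProperty.call(ch.rules, host);

// Every channel whose scope covers the URL and that has a rule for its host.
// A rule for a name outside the channel's scope is never considered.
function candidates(url, channels) {
  const host = new URL(url).hostname;
  return channels
    .filter((ch) => new RegExp(ch.scope).test(url) && hasRule(ch, host))
    .map((ch) => ({ channel: ch.name, target: ch.rules[host] }));
}

// "First ruleset wins" would silently pick found[0]. This variant refuses to
// rewrite when in-scope channels disagree, so the conflict is surfaced.
function resolve(url, channels) {
  const found = candidates(url, channels);
  if (found.length === 0) return { action: "none" };
  const targets = new Set(found.map((f) => f.target));
  if (targets.size > 1) return { action: "conflict", firstMatch: found[0], found };
  const u = new URL(url);
  u.hostname = found[0].target;
  return { action: "rewrite", url: u.href, channel: found[0].channel };
}

console.log(resolve("http://securedrop.alecmuffett.tor/", CHANNELS));
console.log(resolve("http://securedrop.reddit.tor/submit", CHANNELS));
```

With suffix-based scopes, the first channel's out-of-scope rule for securedrop.reddit.tor is ignored; the remaining conflict comes only from the channel that was given no scope.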