Opened 3 years ago

Last modified 14 months ago

#19491 needs_information task

HTTPS-Everywhere vanished during update

Reported by: gk Owned by: tbb-team
Priority: High Milestone:
Component: Applications/Tor Browser Version:
Severity: Major Keywords: https-everywhere
Cc: mcs, brade Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description (last modified by gk)

https://blog.torproject.org/blog/tor-browser-601-released#comment-187621 has a concerning bug report. It says HTTPS-Everywhere has completely disappeared during the update. We should find out what happened and fix the problem.

Child Tickets

Change History (6)

comment:1 Changed 3 years ago by gk

Description: modified (diff)

comment:2 Changed 3 years ago by gk

I was under the impression the browser update itself is not touching HTTPS-Everywhere. Thus, maybe the update of the add-on itself caused this? The user can't rule out that. One thing that came to mind here is that our extension signing exception patch plays a role here. But I tested that quite thoroughly now again and did not come up with a scenario where this breaks and a Mozilla engineer contacted me too stating the patch does what we want. So, I am at a loss here.

While trying to figure out what goes wrong is one important thing maybe we can come up with ways to recover from this. Or better: find ways that it does not matter even if it happened under the current circumstances. One of the things we might do is just disabling the updates for HTTPS-E and ship it the same way as we ship Torbutton etc. The updates are not that often and that would have other benefits at well. It is hard to tell, though, if that would help not knowing the reason for the vanishing HTTPS-E. On the other hand there is no report yet from a missing Torbutton, so maybe it would? :)

comment:3 in reply to:  2 Changed 3 years ago by mcs

Replying to gk:

I was under the impression the browser update itself is not touching HTTPS-Everywhere.

Our incremental updates replace HTTPS-E (and NoScript) if the extension version number changes between Tor Browser releases. But if it does not change, the incremental MAR should not contain any HTTPS-E files and therefore the version the user had at the time of the update should not be touched.

I do not think there was a change to HTTPS-E between 6.0.1 and 6.0.2. I double checked that the win32 6.0.1 -> 6.0.2 incremental MAR files do not contain any references to HTTPS-E files (the only things under TorBrowser/Data/Browser/profile.default/extensions that are touched are the torbutton .xpi and the language pack).

I also failed to reproduce this problem with a TB 5.5.5 -> 6.0.2 update. It seems there must be something different about the user's setup that makes this not reproducible for us.

comment:4 Changed 3 years ago by gk

Here is another report (https://blog.torproject.org/blog/tor-browser-603-released#comment-196593) this time the issue happened with the updated HTTPS-Everywhere we shipped with 6.0.3.

comment:5 Changed 3 years ago by gk

Interesting that we have #18375 which is from a time before the signing requirement started. Might be related?

comment:6 Changed 14 months ago by traumschule

Keywords: https-everywhere added
Status: newneeds_information

is this still an issue?

Note: See TracTickets for help on using tickets.