Opened 10 months ago

Last modified 10 months ago

#27551 new enhancement

Build HTTPS Everywhere with the SecureDrop custom ruleset update channel

Reported by: legind Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-rbm
Cc: gk, arthuredelstein, mcs, asn Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Related: https://github.com/freedomofpress/securedrop/issues/3668, https://github.com/EFForg/https-everywhere/blob/master/docs/en_US/ruleset-update-channels.md, https://blog.torproject.org/cooking-onions-names-your-onions

Blocked by: https://trac.torproject.org/projects/tor/ticket/10394

There has been some discussion on the SecureDrop issue tracker on the possibility of FPF maintaining their own SecureDrop custom rulesets update channel.

A "ruleset" is a strictly formatted XML file that defines how HTTPS Everywhere issues redirects. HTTPS Everywhere comes bundled with thousands of these rulesets that tell it how to secure sites. An "update channel" is a new way for HTTPS Everywhere to have rulesets delivered to the extension without publishing a new version of the extension itself. Rulesets are periodically checked for on a publicly accessible, known URL and verified via the WebCrypto API, see https://github.com/EFForg/https-everywhere/blob/master/docs/en_US/ruleset-update-channels.md#update-channel-format--logic for more info on how this works. Currently the Tor Browser includes the EFF (Full) update channel. Requests to the update channels to check for ruleset updates are made every 24 hours.

The idea here is for FPF to maintain its own update channel which forwards URLs of the format http://0.0.0.0/theintercept.com.securedrop to the onion URL for that SecureDrop instance. This gives a few distinct advantages:

  1. It allows easier discovery of SecureDrop sites
  2. It allows FPF to quickly rotate keys in case of key compromise or vulnerabilities, as has happened in the past with HeartBleed (https://freedom.press/news/securedrop-and-the-openssl-vulnerability/)
  3. If someone accesses a site of this format in Chrome browser, it will not leak the DNS request. This provides no additional security in Firefox, since Firefox already blocks DNS requests for the .onion pseudo-TLD.

Understandably, Tor Browser may be wary of adding an additional update channel, maintained by another entity, which has the arbitrary ability to redirect URLs. That's why HTTPS Everywhere has added the concept of scope to update channels. scope defines some regular expression for URLs on which a ruleset update channel is allowed to operate. For instance, in the case of SecureDrop, you can define the scope to be https?://0\.0\.0\.0/[^/]+\.securedrop($|/) so that this update channel only operate on URLs of the format given above.

This update channel would have to be added to HTTPS Everywhere for the Tor Browser (in https://github.com/EFForg/https-everywhere/blob/master/chromium/background-scripts/update_channels.js) at build-time. Since all customizations are overwritten when the extension is updated, this is also blocked by https://trac.torproject.org/projects/tor/ticket/10394

Child Tickets

Change History (3)

comment:1 Changed 10 months ago by gk

Component: - Select a componentApplications/Tor Browser
Keywords: tbb-rbm added
Owner: set to tbb-team

comment:2 in reply to:  description Changed 10 months ago by arma

Replying to legind:

Understandably, Tor Browser may be wary of adding an additional update channel, maintained by another entity, which has the arbitrary ability to redirect URLs. That's why HTTPS Everywhere has added the concept of scope to update channels.

Woo -- thanks for thinking ahead to the obvious concern, and doing something about it. :)

comment:3 Changed 10 months ago by legind

Cc: asn added

@asn also relevant to your interests. There will be a session on this at Tor Meeting, which relates to your UX of onion names session.

Note: See TracTickets for help on using tickets.