Stop bundling rulesets with extension, download separately instead (like ABP)
Right now HTTPS Everywhere is bundled with the file src/chrome/content/rules/default.rulesets (~3.2 MB), which is a concatenated list of all the XML ruleset files.
Instead we should act more like Adblock Plus, where the extension downloads the ruleset list on first install, and then regularly checks for updates. This is a prerequisite to #9769 (moved), so that we'll be able to release ruleset fixes without going through Mozilla's extension update approval process.
Right now we use an air-gapped signing machine to sign xpi and crx packages. I think we should use this same key to sign ruleset updates, which would probably mean some sort of signature verification in JavaScript.
There's also the question of where to host the ruleset updates. Right now the xpi file is hosted at https://www.eff.org/, but we're setting up a new server for #7075 (moved) to receive buggy ruleset reports. Would it make sense to use that server instead? There are privacy issues with making browsers load from an HTTPS-E specific domain name (ruleset updates can be censored), but I think it would be cleaner from a network architecture perspective, especially since EFF's website traffic is a different beast from HTTPS Everywhere update traffic.
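One way the signature check proposed above could look, as an added example that is not part of the original ticket or of HTTPS Everywhere's code. It uses Node.js's crypto module with Ed25519; the function names, the JSON envelope, the in-process demo key pair and the version-based rollback check are assumptions that go beyond what the ticket specifies.

```javascript
const crypto = require('crypto');

// Constructed stand-in for the offline signing key. A real extension would
// ship only the public half, pinned in its source.
const { publicKey: PINNED_KEY, privateKey: demoSigningKey } =
  crypto.generateKeyPairSync('ed25519');

// Signer side (the air-gapped machine): sign the exact bytes that get served.
function signRulesetUpdate(version, rulesetsXml, privateKey) {
  const payload = Buffer.from(JSON.stringify({ version, rulesetsXml }), 'utf8');
  return { payload, signature: crypto.sign(null, payload, privateKey) };
}

// Client side: check the signature over the raw bytes first, parse second.
function verifyRulesetUpdate(update, pinnedKey, installedVersion) {
  let valid = false;
  try {
    valid = crypto.verify(null, update.payload, pinnedKey, update.signature);
  } catch (e) {
    valid = false; // malformed signature or key material
  }
  if (!valid) return { ok: false, reason: 'bad-signature' };

  let parsed;
  try {
    parsed = JSON.parse(update.payload.toString('utf8'));
  } catch (e) {
    return { ok: false, reason: 'malformed' };
  }
  if (!Number.isInteger(parsed.version) || typeof parsed.rulesetsXml !== 'string') {
    return { ok: false, reason: 'malformed' };
  }
  // A validly signed but older file must not replace a newer one (replay).
  if (parsed.version <= installedVersion) {
    return { ok: false, reason: 'rollback' };
  }
  return { ok: true, version: parsed.version, rulesetsXml: parsed.rulesetsXml };
}

// Constructed sample update, version 2, carrying one illustrative ruleset.
const SAMPLE_XML = '<ruleset name="Example"><target host="example.com"/>' +
  '<rule from="^http:" to="https:"/></ruleset>';
const sampleUpdate = signRulesetUpdate(2, SAMPLE_XML, demoSigningKey);
```

Because the signature covers the served bytes rather than the transport, the check gives the same result whichever host the update is downloaded from.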