Opened 5 years ago

Closed 5 years ago

#9868 closed enhancement (fixed)

Stop bundling rulesets with extension, download separately instead (like ABP)

Reported by: micahlee Owned by: pde
Priority: Medium Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere Version:
Severity: Keywords:
Cc: schoen, pde, zyan Actual Points:
Parent ID: #9769 Points:
Reviewer: Sponsor:

Description

Right now HTTPS Everywhere is bundled with a the file src/chrome/content/rules/default.rulesets (~3.2mb), which is a a concatenated list of all the xml ruleset files.

Instead we should act more like Adblock Plus, where the extension downloads the ruleset list on first install, and then regularly checks for updates. This is a prerequisite to #9769, so that we'll be able to release ruleset fixes without going through Mozilla's extension update approval process.

Right now we use an air-gapped signing machine to sign xpi and crx packages. I think we should use this same key to sign ruleset updates, which would probably mean some sort of signature verification in javascript.

There's also the question of where to host the ruleset updates. Right now the xpi file is hosted at https://www.eff.org/, but we're setting up a new server for #7075 to receive buggy ruleset reports. Would it make sense to use that server instead? There are privacy issues with making browsers load from an HTTPS-E specific domain name (ruleset updates can be censored), but I think it would be cleaner from a network architecture perspective, especially since EFF's website traffic is a different beast from HTTPS Everywhere update traffic.

Child Tickets

Change History (3)

comment:1 Changed 5 years ago by micahlee

Here's how I'm thinking of implementing this.

I will add a new pref called extensions.https_everywhere.rulesets_updated_ts that contains the timestamp of the last ruleset update, defaulting to 0.

I'll define a function an update_rulesets function with an optional force argument. If it's been either 24 hours since an update or force is true, it will:

  • Download the new default.rulesets file
  • Download the detached sig, default.rulesets.sig
  • Verify if the sig
  • If the sig checks out, save default.rulesets to disk and load it into memory

I'll run the update_rulesets function when HTTPS Everywhere initializes, and also set it to run every 24 hours. If there's no default_rulesets file on disk I'll run it with force set to true.

I also want to build some more UI around this. The UI should say the last date that the rulesets were updated with a button to force an update now. This could either be in the current "Enable / Disable Rules" dialog, or in a more generic HTTPS Everywhere preferences dialog that doesn't exist yet.

comment:2 Changed 5 years ago by micahlee

Cc: zyan added

comment:3 Changed 5 years ago by zyan

Resolution: fixed
Status: newclosed

Closing as a duplicate of #2161.

Note: See TracTickets for help on using tickets.