HTTPS-Everywhere update

  • Session is suddenly about onion names through HTTPS-Everywhere
  • Is this begging for a web of trust system?
  • HTTPS-Everywhere is willing to support this use case and add features/UX etc.
  • Potential UX problems from SecureDrop:
    • Update channel UX through their website would not work for SecureDrop
    • Rewriting from .tor to huge .onion will confuse SecureDrop sources
      • Can we do UX work to reduce the user confusion that could happen here?
      • Same as onion-location issue
    • Fear of new pseudo-tld leakage in normal browsers if we use .tor or something.
  • Are there SecureDrop instances that don't have a normal DNS name?
    • Most SecureDrop organizations have a normal DNS name.
  • What about multiple rulesets specifying conflicting .tor names?
    • HTTPS-Everywhere uses the first ruleset that it can find
    • We can improve this
  • URL scoped based on what the list is:
    • securedrop.alecmuffett.tor
    • securedrop.reddit.tor
  • How to avoid URL leakage from browsers?
    • SecureDrop and others are really worried about this.
    • Do we do securedrop.tor or securedrop.tor.onion? Or securedrop.local?
    • Can we ask browsers to also reserve .tor? How long will it take?
Last modified on Oct 1, 2018, 4:23:25 PM