Changes between Initial Version and Version 1 of org/meetings/2018MexicoCity/Notes/HTTPSEverywhereNotes


Ignore:
Timestamp:
Oct 1, 2018, 4:23:25 PM (6 months ago)
Author:
asn
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • org/meetings/2018MexicoCity/Notes/HTTPSEverywhereNotes

    v1 v1  
     1HTTPS-everywhere update
     2
     3- Session is suddenly about onion names through HTTPS-Everywhere
     4
     5- "Update channels" new feature
     6  - HTTPS-everywhere has update chanels because releasing extensions is a PITA
     7  - EFF has its own channel already in TB
     8  - scope of channel. you can limit the ability of HTTPS-everywhere to rewrite only certain regexps (e.g. only "onions")
     9  - https://github.com/EFForg/https-everywhere/blob/master/docs/en_US/ruleset-update-channels.md
     10
     11- Is this begging for a web of trust system?
     12
     13- HTTPS-everywhere is willing to support this use case and add features/UX etc.
     14
     15- Potential UX Problems from securedrop:
     16  - Update channel UX though their website would not work for securedrop
     17  - Rewriting from .tor to huge .onion will confuse securedrop sources
     18    - Can we do UX work to improve the user confusion that could happen here?
     19    - Same as onion-location issue
     20  - Fear of new pseudo-tld leakage in normal browsers if we use .tor or something.
     21
     22- Are there securedrop instances that dont have a normal DNS name?
     23  - Most securedrop organizations have normal DNS name.
     24
     25- What about multiple rulesets specifying conflicting .tor names?
     26  - HTTPS-everywhere uses the first ruleset that it can find
     27  - We can improve this
     28
     29- URL scoped based on what the list is:
     30  - securedrop.alecmuffett.tor
     31  - securedrop.reddit.tor
     32
     33- How to avoid URL leakage from browsers?
     34  - Securedrop and others are really worrying about this.
     35  - Do we do securedrop.tor or securedrop.tor.onion ? Or securedrop.local?
     36  - Can we ask browsers to also reserve .tor? How long will it take?
     37