Hello again everyone, I am here once again to report my progress in building a secure ruleset updating mechanism for the HTTPS Everywhere browser extension. This past week's work has involved a lot of updates to the specification for the mechanism[1], and changing a lot of what I had done before to keep up with all of the changes. With regards to the documentation, a great deal of the changes being discussed about the order that tests of authenticity of the update information as well as its relevant have been finalized. There is now a "Pseudocode of the update procedure" section that outlines this order that tests are performed and also gives an idea of what data the mechanism requires, where it's obtained from, and how it changes that data. I have also added extensively to the "update.json and update.json.sig" section to outline everything anyone should need to know from generating update.json to getting a properly-encoded signature of the digest of update.json that can be verified by the extension. The document is now also included as part of the repository so that pull requests and better commenting can be made. I have also been making a lot of improvements to the utility script used for building the content of update.json[2]. The script has been completely revamped to work in accordance with the modified spec. I have also included a few sanity checks to verify that the content provided for update.json make sense, and made it very easy to write more such checks. I spent most of today getting the actual ruleset updater module[3][4] code up to date. The code now reflects the changes to the new standard and has been simplified dramatically. As usual, I have my meeting notes available as a Gist[5]. The notes from the meeting I had today with Yan are already present. My plans for the coming week are to set up a testing environment and begin making sure everything works as expected. I will also begin the discussion about how the extension should handle error reporting- what to do when authenticity tests fail, or the extension can't fetch the update information. Please feel free to take advantage of the update spec being part of the repository now to discuss the details and/or propose changes in the form of a pull request. Either this or the https-everywhere mailing list are also great places to get in touch with myself and everyone who has been involved in my work. Cheers, Zack [1] : https://github.com/redwire/https-everywhere/blob/makeJSONManifest/doc/updateJSONSpec.md [2] : https://github.com/redwire/https-everywhere/blob/makeJSONManifest/utils/ruleset_update_manifest.py [3] : https://github.com/redwire/https-everywhere/blob/rulesetUpdating/src/chrome/content/code/rulesetUpdate.js [4] : https://github.com/redwire/https-everywhere/commit/1a0d5edb8572180854ad620ff2b9f2f5a9cba483 [5] : https://gist.github.com/redwire/b62f03905a826e79947a#week-6
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ tor-dev mailing list tor-dev@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev