Re: [tor-bugs] #8774 [EFF-HTTPS Everywhere]: Disable mixed content rulesets on FF 23+
#8774: Disable mixed content rulesets on FF 23+
----------------------------------+-----------------------------------------
Reporter: pde | Owner: micahlee
Type: defect | Status: assigned
Priority: critical | Milestone: HTTPS-E 4.0dev8
Component: EFF-HTTPS Everywhere | Version:
Keywords: | Parent: #6975
Points: | Actualpoints:
----------------------------------+-----------------------------------------
Changes (by micahlee):
* status: new => assigned
* owner: pde => micahlee
Comment:
Ok, so me and Lisa have decided to try to cram to fix this bug and also
#8776 in the next two weeks. We also want to try to mark far more rules
that cause mixed content bugs as platform="mixedcontent".
A quick scan of the current stable rules shows that:
There are 3039 total stable rules
There are 323 rules that are default_off
2 of the default_off rules are marked mixed_content
16 of the other 2716 rules are marked mixed_content
Yesterday me, Lisa, and Dan took a random sampling of 30 rules (a small
set, I know, but we did it manually) and loaded the homepages of those
rules in FF23. Ignoring the ones that were default_off (and the 2 that
timed out because they were down) we found that:
20% triggered the MCB
80% worked fine
Assuming that this is statistically accurate, we probably need to mark
about 527 more rules as mixedcontent.
mikeperry, I see your comment in #9196:
> Given that our only choices seem to be "disable a ton more rules than we
> should", "seriously degrade the user experience of HTTPS-Everywhere
> users", and "disable mixed content until it can be done right", I think
> the least invasive choice is the third one.
I agree that all these options kinda suck. I think disabling 20% of
the rules might be worth it over disabling new security features that ship
with Firefox.
We also decided that disabling the MCB is still on the table if we run
into trouble. If it turns out that we can't actually do all of this in
time, or if it turns out that we have to disable significantly more rules
than we thought, then we have code that's mostly ready (needs to work out
some UI issues) to temporarily disable the MCB in Lisa's github repo:
https://github.com/lisayao/HTTPS-Everywhere
I'm also updating #9196 from turning off the MCB to marking rules as mixed
content.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8774#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
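
The scan and estimate described in the comment above, as an added example (not code from the ticket or from HTTPS Everywhere): it tallies rulesets by the `default_off` and `platform="mixedcontent"` attributes and reproduces the 527 figure from the 20% sample rate. The sample rulesets are constructed, and treating `platform` as a whitespace-separated list is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample rulesets for illustration (not real HTTPS Everywhere rules).
SAMPLE_RULESETS = {
    "a.xml": '<ruleset name="A"><target host="a.example"/>'
             '<rule from="^http:" to="https:"/></ruleset>',
    "b.xml": '<ruleset name="B" default_off="breaks site">'
             '<target host="b.example"/></ruleset>',
    "c.xml": '<ruleset name="C" default_off="breaks site" platform="mixedcontent">'
             '<target host="c.example"/></ruleset>',
    "d.xml": '<ruleset name="D" platform="mixedcontent">'
             '<target host="d.example"/></ruleset>',
}

def classify(ruleset):
    """Return (is_default_off, is_mixedcontent) for one <ruleset> element."""
    default_off = ruleset.get("default_off") is not None
    # Assumption: platform holds one or more whitespace-separated tokens.
    platforms = (ruleset.get("platform") or "").split()
    return default_off, "mixedcontent" in platforms

def tally(rulesets):
    """Count rulesets the way the comment's quick scan reports them."""
    counts = dict(total=0, default_off=0, default_off_mixed=0,
                  enabled=0, enabled_mixed=0)
    for xml_text in rulesets.values():
        # iter() also matches the root, so single-ruleset files and
        # files wrapping several rulesets are both handled.
        for ruleset in ET.fromstring(xml_text).iter("ruleset"):
            off, mixed = classify(ruleset)
            counts["total"] += 1
            prefix = "default_off" if off else "enabled"
            counts[prefix] += 1
            if mixed:
                counts[prefix + "_mixed"] += 1
    return counts

def estimate_to_mark(enabled, enabled_mixed, mcb_rate):
    """Enabled rules expected to trigger the MCB, minus those already marked."""
    return max(0, round(enabled * mcb_rate) - enabled_mixed)

if __name__ == "__main__":
    print(tally(SAMPLE_RULESETS))
    # Figures from the comment: 2716 enabled rules, 16 marked, 20% sample rate.
    print(estimate_to_mark(2716, 16, 0.20))
```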