Re: [tor-bugs] #10394 [Applications/Tor Browser]: Torbrowser's updater updates HTTPS-everywhere
#10394: Torbrowser's updater updates HTTPS-everywhere
-------------------------------------------------+-------------------------
Reporter: StrangeCharm                           | Owner: tbb-team
Type: task                                       | Status: needs_review
Priority: Medium                                 | Milestone:
Component: Applications/Tor Browser              | Version:
Severity: Normal                                 | Resolution:
Keywords: tbb-security, https-everywhere,        | Actual Points:
          TorBrowserTeam202006R                  |
Parent ID:                                       | Points:
Reviewer: gk                                     | Sponsor:
-------------------------------------------------+-------------------------
Changes (by gk):
* status: needs_information => needs_review
* cc: yawning (removed)
Comment:
Replying to [comment:45 rustybird]:
> Replying to [comment:44 gk]:
>
> > Maybe we could include this patch as part of our "don't block our
> > unsigned extensions" patch where HTTPS-Everywhere is the only extension
> > left anyway. Would be easy to make this into a "treat https-e special"
> > patch.
>
> If the [https://lists.torproject.org/pipermail/tbb-dev/2017-April/000530.html plan]
> still is to eventually disable NoScript updates too, then it might be
> simpler to keep the patch separate and later add a fixup checking for the
> NoScript ID as well. Just a thought.

Yes, that's still the plan. I am not overly worried about NoScript having
any impact here. Once we disable updates for NoScript we want to make a
signature check exception for it, too, because we don't want to be
affected again by Mozilla messing up their signing certificate renewal.
So, this would fit into a single patch together with HTTPS-Everywhere
being exempted and its updates disabled.
What I *am* worried about is the additional review cost this move would
imply because I think we should neither disable HTTPS-Everywhere's nor
NoScript's update mechanism if we can't manage to track their releases and
check whether those contain any new security issues or fixes for older
ones.

> > rustybird: have you checked whether the ruleset updates are unaffected
> > by your patch
>
> Yes, they still work: There are connections to
> `www.https-rulesets.org:443` and `securedrop.org:443`. And when I start
> with an old HTTPS Everywhere version that includes an outdated ruleset,
> the `rulesets-timestamp` fields in
> `browser-extension-data/https-everywhere-eff@xxxxxxx/storage.js` show
> that those updates are applied.

Great, thanks.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10394#comment:46>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online