Re: [tor-dev] [HTTPS-Everywhere] GSoC report - Zack Mullaly - HTTPS Everywhere secure ruleset update mechanism
(Trying again with my tp.o email address)
On 06/15/2014 02:05 PM, Yan Zhu wrote:
It's unclear whether this message went through to tor-dev (can't find it in the archives), but I've added this update to https://trac.torproject.org/projects/tor/wiki/doc/gsoc.
On 06/13/2014 05:06 PM, Red wrote:
Hello, everyone! I apologize for the fact that this is coming in late, but here is a summary of my progress and plans thus far in developing a secure ruleset update mechanism for the HTTPS Everywhere browser extension.
The specification document detailing how the ruleset updater will function has been perhaps the greatest focus for me until now. The document is currently hosted on Github as a gist[1], and currently details the format for the JSON document the extension will fetch to determine whether the update information it receives is authentic and relevant.
A second task I have been working on is the creation of a utility[2] used to automate much of the process of building the update.json file contents outlined by [1]. A lot of the work done here so far has been experimental, but it is already providing some utility for composing data that can be used for testing purposes.
The third thing I have been working on is the actual implementation of the ruleset updater[3]. There are to be some changes to the spec that will be reflected in this code in the coming week, but the implementation so far is very close to being ready to test.
In the last week, a lot of discussion has occurred centered around improving the specification for the ruleset update mechanism and how the update.json file and signing thereof should function and be written. I have posted my weekly meeting notes to another gist[4] which I will from today onwards be keeping up to date with my weekly notes so that they will be publicly available and well-formatted. In summary, my upcoming work will involve updating the update.json spec to reflect the discussion being had on the https-everywhere mailing list and between myself and my mentor, Yan. I will then focus on updating the extension code as well as the utility I have been working on to reflect the changes to the spec. I will then move on to testing the signature verification method locally by creating example documents and a Python script to verify the signature. I will also be setting up a testing environment to properly test my work on the ruleset update mechanism.
My work can be more closely followed on Github- specifically, my fork of the official HTTPS-Everywhere repository[5]. The code I have been working on resides in my "makeJSONManifest" and "rulesetUpdating" branches. You can also follow the discussion on the https-everywhere mailing list, and are welcome to join in mine and Yan's weekly meetings in #https-everywhere on irc.oftc.net at 11:00AM Pacific Time on Fridays. We're happy to have people chime in with ideas, and commentary in IRC, the mailing list, and on Github is welcome!
HTTPS-Everywhere mailing list HTTPS-Everywhere@lists.eff.org https://lists.eff.org/mailman/listinfo/https-everywhere
-
Yan Zhu