Discussion about out-of-band ruleset updates #12606
Comments
|
I am not sure why do you ask to not update rulesets outside of extension update mechanism. The current update mechanism is secure enough to not be the weakest link. The weakest link is the browser extension update mechanism, since Chrome uses SHA-1 and Firefox uses both SHA-1 and MD5 (!!!) for extension update verification, while we use SHA-256. I guess this may be closed. Thanks for letting others hear your opinion though. |
|
uBlock Origin and Privacy Badger both update their data out of the band, I am not sure if anyone sees this as a problem. Maybe the extension "phoning home" may be a concern, but that can be fixed by out of band updates being optional, regular extension updates still including the default ruleset library. This "phoning home" is also not a concern for Tor Browser users since Tor anonymizes the update downloading. |
|
@koops76 My concerns aren't about the crypto, it's about the surrounding user and maintainer experience. You can read through EFForg/privacybadger#1466 to get an idea of what I mean. In any case I would specifically like to hear from the EFF why they are doing this so I understand the motivation. |
|
@jeremyn, I know you are mainly waiting about the EFF answer but if I may chime in: I understand and I agree with your concerns. On the other hand, separating the rulesets updates from the core updates has several upsides in my opinion, which would still make this change a positive move for our users. Right now, when a ruleset fix is pushed on
In short, I think this could be a net gain depending on how frequent the rulesets updates would be. So I guess my follow-up question is: how often do you plan to push the rulesets updates @Hainish? In any case, this change and this behaviour should be made very clear at different places (changelog, add-on description, FAQ, etc.) to alleviate some of the concerns raised by @jeremyn. (As a broader point, I think it would be really helpful if you kept the community in the loop when you are making big changes like this one. Not necessarily to argue but at least to inform so we can prepare for what's coming. This was already an issue in #10538.) |
AFAIK, we make a release every 2 weeks with exceptions when there is blocking PRs. The benefit of out of band updates is not obvious unless we are pushing much more frequent than that. Unlike uBlock, HTTPSE and PB are privacy focused extensions. We should avoid phoning home while leaving the users unnoticed (as they are privacy/ security conscious). IMHO, out of band ruleset updates should be made on request (require user interactions) or on a opt-in basis. Besides, we rarely make core code changes. @Hainish How often are we going to make core releases when we have out of band ruleset updates? We should make the (ruleset & core code) release policies clearly documented. @jeremyn thanks for bringing this issue to the discussion!! |
uBlock Origin is a privacy focused extension, since blocking ads also decreases the amount of tracking and there are also lists (some enabled by default) specifically made to block trackers, even if they are not showing any ads. |
Exactly the reason why out-of-band ruleset database updates are desired. |
Privacy Badger already pings to EFF for updates and I'm not sure if it can be disabled. I guess this is OK since if the user does not trust EFF they would have not installed the extension. I'm not sure if the option should be opt-out, or opt-in, with the extension asking the user when first installed. Opt-out seems better since the user may close the tab the extension opens on startup without paying any attention to its content, resulting in them not getting the ruleset updates quickly. |
|
There are a number of reasons for out-of-band ruleset updates.
In the future we may also expose the update channel to users, so that they themselves can compile ruleset bundles. But this will require us weighing the costs and benefits of adding an additional maintenance burden. |
|
@Hainish Thanks for the detailed response. I would say that my concerns could be met by adding the following:
Optionally:
The motivations for all of these are, I hope, obvious, but I can elaborate if needed. None of these should interfere with the reasons you've given. Also, to repeat, my experience with similar functionality in PB was that the update target (the whitelist) was repeatedly and quietly wiped. If we move to this update model for HTTPS Everywhere then I consider it a more-than-theoretical possibility that the rulesets could be similarly wiped or broken. The above items give users the ability to lock down or reset HTTPS Everywhere to a known-good version. |
This bug was due to the fact that the whitelisted resources in Privacy Badger were not being verified before being applied. When the website had a bug, the whitelist would return a blank result. In this unfortunate edge-case, Privacy Badger happily applied this whitelist, thus causing the extension to malfunction. This will not happen with the ruleset updates, since every ruleset update is cryptographically signed by the extension developers, then verified in each users' extension before being applied. Given this, in what case would you envision the auto-update mechanism causing a fail case so large that we should expose extra options to the user? If privacy is the issue, we should keep in mind that already the users browser pings the extension store every day to check for new updates. EFF has a more stringent privacy policy than AMO or Google, so that shouldn't be a concern. |
|
This being said, I do think you're right in this:
|
|
The ruleset updates will already have a timestamp associated with them, when applied. This is to keep track of whether we need to update the rulesets upon subsequent checks. We can simply use this timestamp, formatted as |
|
The problem isn't with a specific bug, it's about the process. It's like your criticism of Mozilla in "Lax security of AMO updates": a bug was found, Mozilla fixed it, but now you're uncomfortable with their update process. Same thing here, right? A bug in the EFF update process was found, the EFF fixed it, but now a reasonable person could be uncomfortable with the EFF's update process. This reasonable person should have the ability to disable or revert EFF updates. For privacy, it's not about the privacy policy. It's about giving users control over outbound network requests and software updates. To quote myself from EFForg/privacybadger#1466 (comment):
|
|
There's still the issue of the need of a fallback mirror; For example, in China EFF infrastructure is blocked there, so people with HTTPS Everywhere installed there can't benefit from this feature. Is there anyway to add some fallback mirror to for example directly from Github (which is thankfully not blocked there)? |
|
@HTTPSNowhere I guess that Github is also blocked in China... see https://en.wikipedia.org/wiki/Censorship_of_GitHub#China |
|
No, it is no longer blocked. |
|
@HTTPSNowhere Is CloudFront blocked in China? |
|
@koops76 No (I'm not in China but it's known that CloudFront isn't blocked there, and it's the type of domain front that works with Tor there = i.e. meek-amazon in Tor Browser). Also using CloudFront may seem like a waste when there are Github releases that are free and already offer "unlimited" bandwidth. |
|
@HTTPSNowhere GitHub won't be happy if we would use it as a free CDN. |
|
@koops76 It's only for fallback downloads, which will affect only a small percentage of total users for which EFF infrastructure is blocked. But if they're happy with using CloudFront for all users then that's as great as well. |
|
@HTTPSNowhere the fallback mirror is a good point. I expect if we simply register a new single-purpose domain to serve the rulesets from, this will be allowed through the firewall, but redundancy is always a good thing. We could just serve this from an Amazon S3 instance which is not blocked in China. |
|
@Hainish The advantage is that if the URL is similar to |
|
|
|
@HTTPSNowhere We will need a CDN anyway. We're talking millions of downloads for each ruleset update. |
|
Thanks for stating that a new domain will be chosen exclusively for this task, I thought initially that it would be a subdomain for eff.org. |
|
Assuming my suggestions in #12606 (comment) for enabling/disabling this update functionality are not implemented and users are required to accept these out-of-band updates, what's the intended behavior if the requests for updates always fails? An example might be users behind a firewall that simply drops outbound requests it doesn't recognize. |
|
More concerns: What about users with very limited or expensive bandwidth? There may be users who don't want to use or can't afford even tiny amounts of extra bandwidth. Currently these users can get all updates offline, if someone else downloads the entire extension to a disk and then shares the disk with them. Regarding my UI suggestions, unfortunately it seems creating a UI for WebExtensions in Firefox for Android is especially challenging (see @Hainish 's comment here: #9958 (comment)). so maybe it won't be possible to implement my UI suggestions there even if we wanted to. I suppose mobile users are also the most likely to be sensitive to bandwidth availability and price. Also, what about users in areas who might be endangered by visiting |
|
@jeremyn I don't think we should approve third parties to supply updates through physical media. Even if the rulesets are signed the media may contain malware in addition to the rulesets. |
|
@jeremyn Re. the third point: These users should not install HTTPSE if it's too dangerous. We shouldn't have others' safety depend on how well we hide our requests. |
|
@Hainish said,
@jeremyn said,
This is a pretty important sub-conversation. I think there's a possible middle road here involving earlier heads-ups as well as clear signals to everyone involved about what phase a decision's in (e.g., "super open to fundamental change" versus "let's figure out how to implement this well"). Towards that goal, I've posted a tentative architectural/feature roadmap to the HTTPS Everywhere mailing list that I hope project maintainers will comment on; the items marked "Potential" in particular would probably benefit from replies on that list, or in relevant issues in this repo, on whether they'd be useful and implementation concerns/suggestions. |
|
I am the ex-maintainer of HTTPSE and now a maintainer of Brave, which is a downstream user of HTTPS Everywhere rulesets. I just wanted to say that it would be pretty useful for us to have the HTTPS Everywhere rulesets available separate from the extension itself on an endpoint with some level of trustworthiness, ranging from "valid TLS cert on eff.org" to "code signed by offline HTTPS Everywhere signing key". My current update process is: wait for Bill to email out about an extension update, verify that there are no breaking changes to ruleset format, download the XPI, unzip, extract rulesets, re-package for Brave. Compared to other upstream lists like Tracking Protection, HTTPS Everywhere is relatively difficult to auto-update for a downstream project like Brave. |
|
It seems to me the main advantages of out-of-band updates are to allow more frequent ruleset updates and to let users choose to consume different ruleset feeds. From @diracdeltas 's comment it sounds like Brave just wants a more convenient way to consume the official rulesets at the same pace as the regular release cycle. We could solve that problem within the regular release process, for example @Hainish could separately package whatever @diracdeltas normally extracts and put a signed version of that up on the EFF website. The more complex update process proposed here isn't needed for that. |
|
After careful consideration I've decided to incorporate a few sub-features based on contributor feedback:
With these improvements, a relatively simple update mechanism can be added which addresses all the considerations I've listed above. Over time, we can build out a more comprehensive ux for the update channels, as I noted above. Newcomers to this issue: you can track the progress of this feature in the sign-rulesets branch. |
|
Closing this for now, since I've incorporated feedback from this discussion. Happy to have more feedback, though! |
|
Some of my points were not addressed, such as those in #12606 (comment) (versioning, reset-to-stock, status dashboard) and my concern in #12606 (comment) about what happens if updates are permanently unavailable for a particular user. |
|
@jeremyn updates will not cease to be available through extension updates. These will continue to be delivered for the foreseeable future. I suggest opening separate issues for feature specifics. |
|
@Hainish I opened this issue to have a discussion here, and the comments I linked are over three months old now. I understand wanting to wrap up an open-ended discussion but I brought those points up very early on. It would be great if you could give at least high level answers to those concerns here. If you implement those features and I have questions/suggestions for the implementation, I can make new issues then. |
|
@jeremyn I have addressed these issues, repeatedly in comments. See #12606 (comment), #12606 (comment), as well as having implemented the ruleset toggle you mentioned in https://github.com/EFForg/https-everywhere/tree/sign-rulesets. Again, if you have specific requests on the development of this branch, let's move that to individual issues. |
|
@Hainish You did mention your support for versioning in #12606 (comment), thanks for pointing that out. Also I suppose that for the user whose updates are permanently broken, the implied fix is to wait until the next full extension update. You haven't, as far as I know, addressed the reset-to-stock or status dashboard ideas, but those aren't really that important. You keep mentioning the https://github.com/EFForg/https-everywhere/tree/sign-rulesets branch. Are you expecting contributors to monitor that branch and jump in if they have questions? Is that instead or, or will there also be, an announced alpha/beta release with enough time allowed to get and incorporate feedback? |
|
@jeremyn For Incorporating the sign-rulesets into a beta release seems like a good idea, and relates to the email sent by @brainwane over the list. It does open broader issues of beta channel release overhead, which I'm hesitant to introduce. For now, the |
Hainish
added
the
sign-rulesets
|
@Hainish So, my main concern with the functionality of this feature is to avoid the negative experience I had with the similar feature in Privacy Badger, which I discussed in my earliest comments in this discussion. I didn't know the feature existed in Privacy Badger, was surprised to find out it was contacting the EFF for updates, things cycled through breaking and working, and I couldn't stop, reset, or even know when these updates were happening. I'm not really concerned about the inclusion of any one specific subfeature, but rather that the unified whole is robust to failure, even in hostile networks, and that problems can be avoided, or fixed automatically or fixed by very low technical users. There's no mock/whiteboard/design document for what you are implementing so it's difficult to discuss it at that level, so instead we've been talking about individual subfeatures, which misses the point. (I'm not saying you need to produce a design document or anything, I'm just trying to explain one reason why this conversation has been perhaps a little awkward.) I probably won't track an active development branch in order to give comments. Maybe other contributors will do that. I think you would find it irritating for people to do that, most developers don't want to get bug reports on stuff they are actively coding. I understand what you mean about the burden of making a beta release, particularly in this case where you have no guarantee that anyone will review it even if the beta release is packaged beautifully. I'm not sure what to suggest about that. Maybe you could build a week or two gap in the middle of the development cycle for |
The reason for that failure, as well as why it doesn't affect this branch, was explained over four months ago: #12606 (comment). After implementing the sub-features in #12606 (comment), I think the most sensible thing to do is to solicit reviews, with instructions on how to build and test from |
|
@Hainish Where Privacy Badger failed, for me, wasn't in whether it verified downloads, but in that it didn't tell the user what was happening and gave them no tools to fix problems. If you want to talk about how you're avoiding the Privacy Badger problem, the discussion should be about UX/UI improvements, not about cryptographic signing, which is good but not really the issue. If you had a phone, and one day you discovered the phone has been bricked, and you learn it's because some update failed, would you be upset at the vendor because of the update bug, or would you be upset because there was a way for your phone to be bricked without warning and with no way to recover it? Probably the second, and you wouldn't really care about the update bug at that point. That sounds reasonable about announcing a review. If no one responds, there's not much you can do. Is there, or will there be, a ruleset endpoint available for testing? |
|
@jeremyn from a user perspective you are suggesting it be clear how to turn the feature on and off, plus having some sort of indication of an error if things fail? |
|
@wonderchook Yes, pretty much. Turn on or off, show the current version, report errors in a friendly way, and allow users to roll back updates. |
|
@jeremyn I'll consider the best way to balance user controls and clear design for this PR. Notably, I've mentioned that certain UX controls will have to be added later, as we build out this feature. Others (such as display of the ruleset version and source) may make sense for initial rollout. |
|
https://github.com/EFForg/https-everywhere/tree/sign-rulesets now includes versioning information for rulesets in the popup. |
This applies the out-of-band ruleset updates, sourced from https://www.https-rulesets.org/. Clients perform a periodic check for new rulesets to download, which are verified with the Web Crypto API using a pinned key, then applied. Ref: #14907, #12606
(@Hainish, @cowlicks:)
There's a code branch https://github.com/EFForg/https-everywhere/tree/sign-rulesets that is intended to allow ruleset updates out-of-band from regular version updates. The idea is that HTTPS Everywhere will request ruleset updates from a central EFF server periodically with the effect that rulesets will update from time to time without the version
year.month.daychanging.Privacy Badger does something similar for a whitelist it uses. Recently there were some problems with the updates which lead to a frustrating experience for me, see EFForg/privacybadger#1466. After I understood what was happening, I argued against it, see for example EFForg/privacybadger#1466 (comment) and the related discussion.
I think this is also a bad idea for HTTPS Everywhere and I'd like to understand why this change is being made. I would at least like to avoid the user experience of things cycling between breaking and working for no apparent reason that I had with Privacy Badger.
The text was updated successfully, but these errors were encountered: