Use HTTPS for instances that support it #153

Merged
merged 3 commits into from
Jan 24, 2024

legoktm (Member) commented Jan 12, 2024

Status

Ready for review; needs prod signature

Description

For instances that already redirect to HTTPS, have our ruleset also
point to HTTPS, avoiding one extra HTTP->HTTPS redirect.

Since this information isn't available from the directory, add it as an
optional field to onboarded.txt, which shouldn't be too much extra
maintenance given the few instances that use it.

Fixes #4.

Review Checklist

  • Changes to onboarded.txt are accurate
  • The file default.rulesets.TIMESTAMP.gz has been updated, extracting that file and inspecting the contents of the JSON file produces the expected rules
  • The ruleset has been verified by modifying the HTTPS Everywhere configuration in a Tor Browser instance pointing to Path Prefix: https://raw.githubusercontent.com/freedomofpress/securedrop-https-everywhere-ruleset/$BRANCH_NAME
  • index.html has been updated using ./update_index.sh

Post-Deployment Checklist

  • Added/modified onion names have been updated in the SecureDrop Directory

legoktm (Member, Author) commented Jan 12, 2024

A far simpler approach would be to add a https column to onboarded.txt and use that. I initially dismissed that but given there are just 2 instances that need it, it seems pretty straightforward to maintain.

legoktm (Member, Author) commented Jan 17, 2024

Now updated to store and pull data from onboarded.txt instead of doing live checking.

@zenmonkeykstop dismissed their stale review January 18, 2024 20:08

will re-review with changes

zenmonkeykstop (Contributor) commented

Confirmed that the ruleset changes look consistent with the https option. A new signed ruleset has been added in a separate commit. Final review to follow to verify the rules work in TBB as expected.

zenmonkeykstop (Contributor) commented

(handing off to @nathandyer for live ruleset checks)

@zenmonkeykstop removed their request for review January 24, 2024 20:16

nathandyer (Collaborator) left a comment

Happy to report everything worked correctly for me in the live tests, and that the Source Interfaces loaded using HTTPS.

Just a note about the test plan, no changes should be necessary in the directory itself.

@nathandyer merged commit 7daa008 into main Jan 24, 2024
4 checks passed
@nathandyer deleted the https-onions branch January 24, 2024 21:11

Successfully merging this pull request may close these issues.

Point to HTTPS onion address for onion services that support it