EFF Project Ideas for GSoC and OPW
Damian Johnson

Damian Johnson commited on 2013-04-28 23:50:53
Zeige 1 geänderte Dateien mit 119 Einfügungen und 0 Löschungen.


Adding Peter's project ideas for this year's GSoC and OPW.


... ...
@@ -1343,6 +1343,125 @@ meetings around the world.</li>
1343 1343
     </p>
1344 1344
     </li>
1345 1345
 
1346
+    <a id="reportingBuggyRulesets"></a>
1347
+    <li>
1348
+    <b>Automated Reporting of Buggy Rulesets</b>
1349
+    <br>
1350
+    Effort Level: <i>Medium</i>
1351
+    <br>
1352
+    Skill Level: <i>Medium</i>
1353
+    <br>
1354
+    Likely Mentors: <i>Peter Eckersley (pde), Seth Schoen</i>
1355
+    <p>
1356
+When users manually disable an HTTPS Everywhere ruleset via the toolbar menu,
1357
+that's a strong hint that that ruleset might be buggy.  If we could obtain
1358
+statistics about which rulesets are manually disabled by the users of which
1359
+HTTPS E versions, we could get a statistical picture of which rulesets need
1360
+the most urgent debugging and/or disablement.  This would enormously improve
1361
+the quality of the HTTPS Everywhere user experience.
1362
+    </p>
1363
+
1364
+    <p>
1365
+HTTPS Everywhere already includes a pipeline for anonymised user submissions
1366
+(via Tor where available) that is used for the Decentralized SSL Observatory.
1367
+We should do a popup that asks the users to submit anonymous reports of
1368
+disabled rules, when they manually disable one for the first time.
1369
+    </p>
1370
+
1371
+    <p>
1372
+Perhaps this feature could optionally let users submit the URL of the page
1373
+they were looking at when the bug occurred, although we would need to take
1374
+care in handling those, and perhaps implement some countermeasures against
1375
+sending passwords or auth tokens when URLs contain those.
1376
+    </p>
1377
+    </li>
1378
+
1379
+    <a id="httpsEverywhereForFirefoxModile"></a>
1380
+    <li>
1381
+    <b>Port HTTPS Everywhere to Firefox Mobile</b>
1382
+    <br>
1383
+    Effort Level: <i>Medium</i>
1384
+    <br>
1385
+    Skill Level: <i>Medium</i>
1386
+    <br>
1387
+    Likely Mentors: <i>Peter Eckersley (pde), Seth Schoen</i>
1388
+    <p>
1389
+In the past a Firefox Mobile port of HTTPS Everywhere was made impractically
1390
+complicated by the Electrolysis threading architecture used in that variant of
1391
+Firefox (<a href="https://trac.torproject.org/projects/tor/ticket/2471">ticket</a>).  However with
1392
+the implementation of the simple NSIHTTPChannel.redirectTo() API in Firefox
1393
+20+ (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=765934">ticket</a>) we are probably very
1394
+close to having a trivial port of HTTPS Everywhere to Firefox on Android.
1395
+    </p>
1396
+
1397
+    <p>
1398
+This would make a great GSOC project for someone who'd like to learn some
1399
+introductory skills with hacking on the internals of real web browsers!
1400
+    </p>
1401
+    </li>
1402
+
1403
+    <a id="httpsEverywhereMixedContentHandling"></a>
1404
+    <li>
1405
+    <b>HTTPS Everywhere mixed content detection and handling</b>
1406
+    <br>
1407
+    Effort Level: <i>Medium</i>
1408
+    <br>
1409
+    Skill Level: <i>Medium</i>
1410
+    <br>
1411
+    Likely Mentors: <i>Peter Eckersley (pde), Seth Schoen</i>
1412
+    <p>
1413
+Since version 20, Chrome has automatically blocked the loading of insecure
1414
+HTTP scripts and CSS in HTTPS pages.  Firefox version 23 will do the same.
1415
+This is good security practice, but it causes havoc with many sites where
1416
+HTTPS Everywhere can secure some, but not all, of the site's content.
1417
+    </p>
1418
+
1419
+    <p>
1420
+Before Firefox 23 launches, we will need a more coherent plan for detecting
1421
+sites where we are causing these mixed content situations, and either
1422
+disabling or working around the limitation.  Failure to do so will mean that
1423
+HTTPS Everywhere user experience worsens dramatically when Firefox 23 is
1424
+released.  Success will mean a dramatic improvement in user experience with
1425
+HTTPS Everywhere for Chrome.
1426
+    </p>
1427
+
1428
+    <b>Critical-path tickets:</b>
1429
+
1430
+    <ul>
1431
+      <li><a href="https://trac.torproject.org/projects/tor/ticket/6975">6975</a></li>
1432
+      <li><a href="https://trac.torproject.org/projects/tor/ticket/8664">8664</a></li>
1433
+      <li><a href="https://trac.torproject.org/projects/tor/ticket/8776">8776</a></li>
1434
+    </ul>
1435
+
1436
+    <b>Related tickets:</b>
1437
+
1438
+    <ul>
1439
+      <li><a href="https://trac.torproject.org/projects/tor/ticket/3777">3777</a></li>
1440
+      <li><a href="https://trac.torproject.org/projects/tor/ticket/6977">6977</a></li>
1441
+    </ul>
1442
+    </li>
1443
+
1444
+    <a id="httpsEverywhereRulesetTesting"></a>
1445
+    <li>
1446
+    <b>Incorporate Ruleset Testing into the HTTPS Everywhere release process</b>
1447
+    <br>
1448
+    Effort Level: <i>Medium</i>
1449
+    <br>
1450
+    Skill Level: <i>Medium</i>
1451
+    <br>
1452
+    Likely Mentors: <i>Peter Eckersley (pde), Seth Schoen</i>
1453
+    <p>
1454
+Ondrej Mikle has implemented a codebase for testing HTTPS Everywhere rulesets
1455
+by crawling pages that are affected by the ruleset (<a href="https://github.com/hiviah/https-everywhere-checker">repository</a>).
1456
+    </p>
1457
+
1458
+    <p>
1459
+This codebase still has some rough edges that need to be smoothed over, but
1460
+once those are done it should be incorporated into the HTTPS Everywhere build
1461
+process, in order to improve the quality of our releases.
1462
+    </p>
1463
+    </li>
1464
+
1346 1465
     <li>
1347 1466
     <b>Bring up new ideas!</b>
1348 1467
     <br>
1349 1468