[guardian-dev] "HTTPS Everywhere" for Android itself (not just the browsers)

Hans-Christoph Steiner hans at guardianproject.info
Sun Jan 18 15:29:54 EST 2015 

I don't think it would make a big difference efficiency-wise whether it was
implemented in the app or the browser.  But making it an app can help with
situations where only using it in a browser cannot, like when sharing URLs
generated by proprietary apps (e.g. Google Maps uses an HTTP URL for sharing
location).  The app wouldn't be so good for re-writing all the URLs contained
in a webpage, e.g analytics sites, javascript sources, etc. The browser-based
solution is the right place for that.

.hc

Patrick Connolly:
> Ah neat! Https Everywhere as an app is a *really *interesting idea, Hans!
> https://github.com/osmandapp/Osmand/pull/1037
> Do you think it'd be a heavier or lighter load on the device compared to a
> straight-up Firefox Add-on?
> 
> 
> --------------------------------------------
> Q: Why is this email [hopefully] five sentences or less? | A:
> http://five.sentenc.es
> 
> *NOTE* that my incoming emails are delayed from arriving in my inbox until
> 9am daily. If you need to reach me sooner, please use other means of
> getting in touch. #slowwebmovement
> <http://www.musubimail.com/gmail_timer.html>
> 
> On Sat, Jan 17, 2015 at 1:37 PM, Hans-Christoph Steiner <
> hans at guardianproject.info> wrote:
> 
>>
>> I've been playing around with techniques of catching location sharing on
>> Android, and finding way to remove privacy leaks.  Android's IntentFilters
>> power to match URLs makes this quite easy to do system-wide.
>>
>> That work got me thinking: maybe it makes sense to have something like
>> "HTTPS
>> Everywhere" as an Android app.  It could claim all HTTP links, then the app
>> would check if it has an HTTPS rewriting rule.  If yes, it rewrites it and
>> passes it on.  If no, it either passes it on, or blocks access with a popup
>> (this could be a preference).
>>
>> As an example use case, there are lots of apps that share location, and
>> basically all of them use a HTTP URL.  Some links, like
>> http://maps.google.com
>> or http://openstreetmap.org, can easily be rewritten to HTTPS links.
>> Others
>> like amap.com or map.baidu.com do not offer HTTPS.  A shared location
>> link can
>> often be a unique ID, so any network observer could use that to
>> de-anonymize a
>> device.
>>
>> You can find raw work here:
>> https://github.com/eighthave/LocationPrivacy
>>
>> .hc
>>
>> --
>> PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
>> https://pgp.mit.edu/pks/lookup?op=vindex&search=0x9F0FE587374BBE81
>> _______________________________________________
>> Guardian-dev mailing list
>>
>> Post: Guardian-dev at lists.mayfirst.org
>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>
>> To Unsubscribe
>>         Send email to:  Guardian-dev-unsubscribe at lists.mayfirst.org
>>         Or visit:
>> https://lists.mayfirst.org/mailman/options/guardian-dev/patrick.c.connolly%40gmail.com
>>
>> You are subscribed as: patrick.c.connolly at gmail.com
>>
> 

-- 
PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
https://pgp.mit.edu/pks/lookup?op=vindex&search=0x9F0FE587374BBE81

More information about the Guardian-dev mailing list