[guardian-dev] "HTTPS Everywhere" for Android itself (not just the browsers)
Hans-Christoph Steiner
hans at guardianproject.info
Sun Jan 18 15:29:54 EST 2015
I don't think it would make a big difference efficiency-wise whether it was
implemented in the app or the browser. But making it an app can help with
situations where only using it in a browser cannot, like when sharing URLs
generated by proprietary apps (e.g. Google Maps uses an HTTP URL for sharing
location). The app wouldn't be so good for re-writing all the URLs contained
in a webpage, e.g analytics sites, javascript sources, etc. The browser-based
solution is the right place for that.
.hc
Patrick Connolly:
> Ah neat! Https Everywhere as an app is a *really *interesting idea, Hans!
> https://github.com/osmandapp/Osmand/pull/1037
> Do you think it'd be a heavier or lighter load on the device compared to a
> straight-up Firefox Add-on?
>
>
> --------------------------------------------
> Q: Why is this email [hopefully] five sentences or less? | A:
> http://five.sentenc.es
>
> *NOTE* that my incoming emails are delayed from arriving in my inbox until
> 9am daily. If you need to reach me sooner, please use other means of
> getting in touch. #slowwebmovement
> <http://www.musubimail.com/gmail_timer.html>
>
> On Sat, Jan 17, 2015 at 1:37 PM, Hans-Christoph Steiner <
> hans at guardianproject.info> wrote:
>
>>
>> I've been playing around with techniques of catching location sharing on
>> Android, and finding way to remove privacy leaks. Android's IntentFilters
>> power to match URLs makes this quite easy to do system-wide.
>>
>> That work got me thinking: maybe it makes sense to have something like
>> "HTTPS
>> Everywhere" as an Android app. It could claim all HTTP links, then the app
>> would check if it has an HTTPS rewriting rule. If yes, it rewrites it and
>> passes it on. If no, it either passes it on, or blocks access with a popup
>> (this could be a preference).
>>
>> As an example use case, there are lots of apps that share location, and
>> basically all of them use a HTTP URL. Some links, like
>> http://maps.google.com
>> or http://openstreetmap.org, can easily be rewritten to HTTPS links.
>> Others
>> like amap.com or map.baidu.com do not offer HTTPS. A shared location
>> link can
>> often be a unique ID, so any network observer could use that to
>> de-anonymize a
>> device.
>>
>> You can find raw work here:
>> https://github.com/eighthave/LocationPrivacy
>>
>> .hc
>>
>> --
>> PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81
>> https://pgp.mit.edu/pks/lookup?op=vindex&search=0x9F0FE587374BBE81
>> _______________________________________________
>> Guardian-dev mailing list
>>
>> Post: Guardian-dev at lists.mayfirst.org
>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>
>> To Unsubscribe
>> Send email to: Guardian-dev-unsubscribe at lists.mayfirst.org
>> Or visit:
>> https://lists.mayfirst.org/mailman/options/guardian-dev/patrick.c.connolly%40gmail.com
>>
>> You are subscribed as: patrick.c.connolly at gmail.com
>>
>
--
PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81
https://pgp.mit.edu/pks/lookup?op=vindex&search=0x9F0FE587374BBE81
More information about the Guardian-dev
mailing list