DuckDuckGo Smarter Encryption Update Channel (#20049)

* Add Architecural Design decision doc for DuckDuckGo Smart Encryption
- Update License TXT reflecting changes

* Add note about manual ruleset changes ending in contributor guide

* add path for new update channel

* add path for new update channel

* Adding Smarter Encryption Update Channel
- Adding documentation explaining new update channel
- Add update channel
- Add generated bloom files for transparency

* Update test condition

* Fix branding typos

Author: zoracon

CONTRIBUTING.md

@@ -142,6 +142,8 @@ HTTPS Everywhere is maintained by a limited set of staff and volunteers.  Please
 
 ### General Info
 
+**On May 31st, 2021 we will end manual additions to the rulesets.** Please see [this explanation on the future of HTTPSE Rulesets.](`https://github.com/EFForg/https-everywhere/blob/master/docs/adr/duckduckgo-smarter-encryption.md`)
+
 Thanks for your interest in contributing to the HTTPS Everywhere `rulesets`! There's just a few things you should know before jumping in. First some terminology, which will help you understand how exactly `rulesets` are structured and what each one contains:
 
 * `ruleset`: a scope in which `rules`, `targets`, and `tests` are contained. `rulesets` are usually named after the entity which controls the group of `targets` contained in it.  There is one `ruleset` per XML file within the `src/chrome/content/rules` directory.

LICENSE.txt

@@ -5,8 +5,11 @@ Licensed GPL v2+
 HTTPS Everywhere Rulesets (src/chrome/content/rules):
 To the extent copyright applies to the rulesets, they can be used according to GPL v2 or later.
 
+The DuckDuckGo Smarter Encryption list, utilized by HTTPS Everywhere at https://www.https-rulesets.org/ddgse, is publicly available under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0. International license. 
+If you'd like to license the list for commercial use, please reach out to: https://help.duckduckgo.com/duckduckgo-help-pages/company/contact-us/
+
 Issue Format Bot (utils/issue-format-bot/*):
 Copyright © 2017 AJ Jordan, AGPLv3+
 
-The build system incorporates code from Python 3.6
-Copyright © 2001-2018 Python Software Foundation; All Rights Reserved
+The build system incorporates code from Python 3.6 and Python 3 respectively
+Copyright © 2001-2018 Python Software Foundation; All Rights Reserved

chromium/background-scripts/update_channels.js

@@ -4,22 +4,41 @@
 
 (function (exports) {
 
-exports.update_channels = [{
-  name: 'EFF (Full)',
-  jwk: {
-    kty: 'RSA',
-    e: 'AQAB',
-    n: '1cwvFQu3Kw-Pz8bcEFuV5zx0ZheDsc4Tva7Qv6BL90_sDLqCW79Y543nDkPtNVfFH_89pt2kSPp_IcS5XnYiw6zBQeFuILFw5JpvZt14K0s4' +
-       'e025Q9CXfhYKIBKT9PnqihwAacjMa6rQb7RTu7XxVvqxRb3b0vx2CR40LSlYZ8H_KpeaUwq2oz-fyrI6LFTeYvbO3ZuLKeK5xV1a32xeTVMF' +
-       'kIj3LxnQalxq-DRHfj7LRRoTnbRDW4uoDc8aVpLFliuO79jUKbobz4slpiWJ4wjKR_O6OK13HbZUiOSxi8Bms-UqBPOyzbMVpmA7lv_zWdaL' +
-       'u1IVlVXQyLVbbrqI6llRqfHdcJoEl-eC48AofuB-relQtjTEK_hyBf7sPwrbqAarjRjlyEx6Qy5gTXyxM9attfNAeupYR6jm8LKm6TFpfWky' +
-       'DxUmj_f5pJMBWNTomV74f8iQ2M18_KWMUDCOf80tR0t21Q1iCWdvA3K_KJn05tTLyumlwwlQijMqRkYuao-CX9L3DJIaB3VPYPTSIPUr7oi1' +
-       '6agsuamOyiOtlZiRpEvoNg2ksJMZtwnj5xhBQydkdhMW2ZpHDzcLuZlhJYZL_l3_7wuzRM7vpyA9obP92CpZRFJErGZmFxJC93I4U9-0B0wg' +
-       '-sbyMKGJ5j1BWTnibCklDXtWzXtuiz18EgE'
+exports.update_channels = [
+  {
+    name: 'EFF (Full)',
+    jwk: {
+      kty: 'RSA',
+      e: 'AQAB',
+      n: '1cwvFQu3Kw-Pz8bcEFuV5zx0ZheDsc4Tva7Qv6BL90_sDLqCW79Y543nDkPtNVfFH_89pt2kSPp_IcS5XnYiw6zBQeFuILFw5JpvZt14K0s4' +
+        'e025Q9CXfhYKIBKT9PnqihwAacjMa6rQb7RTu7XxVvqxRb3b0vx2CR40LSlYZ8H_KpeaUwq2oz-fyrI6LFTeYvbO3ZuLKeK5xV1a32xeTVMF' +
+        'kIj3LxnQalxq-DRHfj7LRRoTnbRDW4uoDc8aVpLFliuO79jUKbobz4slpiWJ4wjKR_O6OK13HbZUiOSxi8Bms-UqBPOyzbMVpmA7lv_zWdaL' +
+        'u1IVlVXQyLVbbrqI6llRqfHdcJoEl-eC48AofuB-relQtjTEK_hyBf7sPwrbqAarjRjlyEx6Qy5gTXyxM9attfNAeupYR6jm8LKm6TFpfWky' +
+        'DxUmj_f5pJMBWNTomV74f8iQ2M18_KWMUDCOf80tR0t21Q1iCWdvA3K_KJn05tTLyumlwwlQijMqRkYuao-CX9L3DJIaB3VPYPTSIPUr7oi1' +
+        '6agsuamOyiOtlZiRpEvoNg2ksJMZtwnj5xhBQydkdhMW2ZpHDzcLuZlhJYZL_l3_7wuzRM7vpyA9obP92CpZRFJErGZmFxJC93I4U9-0B0wg' +
+        '-sbyMKGJ5j1BWTnibCklDXtWzXtuiz18EgE'
+    },
+    update_path_prefix: 'https://www.https-rulesets.org/v1/',
+    scope: '',
+    replaces_default_rulesets: true
   },
-  update_path_prefix: 'https://www.https-rulesets.org/v1/',
-  scope: '',
-  replaces_default_rulesets: true
-}];
+  {
+    name: 'DuckDuckGo Smarter Encryption',
+    format: 'bloom',
+    jwk: {
+      kty: 'RSA',
+      e: 'AQAB',
+      n: '1cwvFQu3Kw-Pz8bcEFuV5zx0ZheDsc4Tva7Qv6BL90_sDLqCW79Y543nDkPtNVfFH_89pt2kSPp_IcS5XnYiw6zBQeFuILFw5JpvZt14K0s4' +
+        'e025Q9CXfhYKIBKT9PnqihwAacjMa6rQb7RTu7XxVvqxRb3b0vx2CR40LSlYZ8H_KpeaUwq2oz-fyrI6LFTeYvbO3ZuLKeK5xV1a32xeTVMF' +
+        'kIj3LxnQalxq-DRHfj7LRRoTnbRDW4uoDc8aVpLFliuO79jUKbobz4slpiWJ4wjKR_O6OK13HbZUiOSxi8Bms-UqBPOyzbMVpmA7lv_zWdaL' +
+        'u1IVlVXQyLVbbrqI6llRqfHdcJoEl-eC48AofuB-relQtjTEK_hyBf7sPwrbqAarjRjlyEx6Qy5gTXyxM9attfNAeupYR6jm8LKm6TFpfWky' +
+        'DxUmj_f5pJMBWNTomV74f8iQ2M18_KWMUDCOf80tR0t21Q1iCWdvA3K_KJn05tTLyumlwwlQijMqRkYuao-CX9L3DJIaB3VPYPTSIPUr7oi1' +
+        '6agsuamOyiOtlZiRpEvoNg2ksJMZtwnj5xhBQydkdhMW2ZpHDzcLuZlhJYZL_l3_7wuzRM7vpyA9obP92CpZRFJErGZmFxJC93I4U9-0B0wg' +
+        '-sbyMKGJ5j1BWTnibCklDXtWzXtuiz18EgE'
+    },
+    update_path_prefix: 'https://www.https-rulesets.org/ddg/',
+    scope: '',
+  }
+];
 
 })(typeof exports === 'undefined' ? require.scopes.update_channels = {} : exports);

chromium/test/update_test.js

@@ -40,9 +40,9 @@ describe('update.js', function() {
           resolve();
         }));
 
-        if(apply_promises.length == update_channels.length) {
-          Promise.all(apply_promises).then(() => done());
-        }
+
+        Promise.all(apply_promises).then(() => done());
+
       }});
 
     });

docs/adrs/bloom-filter-rule-signing.md

@@ -0,0 +1,28 @@
+# Bloom Filters and Async Rust for Ruleset Signing
+
+* Status: Deployed
+* Deciders: EFF (@zoracon and @hainish)
+* Deploy Date: 2021-03-03
+
+## Context and Problem Statement
+
+With larger ruleset lists to be signed on the DuckDuckGo Update channel, a better way to digest and form ruleset files were needed.
+
+## Decision Drivers
+
+* Bloom filters are able to ingest greater data sets at less memory expense
+* Rust is already incorporated in HTTPS Everywhere and is a memory safe language
+
+## Decision Outcome
+
+Created an async Rust script that ingests DuckDuckGo's Smarter Encryption list, compares to the Majestic Million list, and forms a bloom file and associated metadata.
+
+### Consequences and Concerns
+
+An accepted false positive is declared when the filter is generated.
+
+[Comment](https://github.com/EFForg/https-everywhere/pull/19910#issuecomment-771102775)
+
+## Links for Further Context
+* [Bloom Filter Script](https://github.com/EFForg/generate-smarter-encryption-bloom-filter)
+

docs/adrs/duckduckgo-smarter-encryption.md

@@ -0,0 +1,33 @@
+# Incorporating DuckDuckGo Smarter Encryption
+
+* Status: Pending
+* Deciders: EFF (@zoracon and @hainish) and DuckDuckGo
+* Deploy Date: 2021-04-15
+
+## Context and Problem Statement
+
+With the increased HTTPS traffic, the current model of listed sites that support HTTPS is no longer a maintenance task that makes sense to uphold.
+
+## Decision Drivers
+
+* Firefox has an HTTPS-Only option
+* Browsers and websites are moving away from issues that created need for more granular ruleset maintenance.
+    * Mixed content is now blocked in major browsers
+    * Different domains for secure connection are now an older habit (i.e. secure.google.com)
+    * TLS 1.0, 1.1 deprecation 
+* Chrome’s Manifest V3 will force the extensions to have a ruleset cap. Instead of competing with other extensions like DuckDuckGo,  if the user prefers to use HTTPS Everywhere or DuckDuckGo's privacy essentials, we will provide the same coverage.
+* DuckDuckGo’s Smarter Encryption covers more domains than our current, more manual model.
+
+## Decision Outcome
+
+We chose to add the DuckDuckGo Smarter Encryption update channel, because it no longer is beneficial to diverse efforts with others with similar goals in this space.
+
+### Consequences and Concerns
+
+* We have many downstream partners supported and unofficial that rely on our current rulesets. This transition gives them time to make the needed decisions on their before we completely switch over to using DuckDuckGo's Smarter Encryption, and sunset our current rulesets in HTTPS Everywhere
+* …
+
+## Links for Further Context
+
+* https://spreadprivacy.com/duckduckgo-smarter-encryption/
+* https://www.eff.org/deeplinks/2020/11/10-years-https-everywhere

utils/sign-bloom/ddgse

@@ -0,0 +1 @@
+{"bitmap_bits":11364392,"k_num":24,"sha256sum":"371bfb628062de163947c1226d99a5f3823e6fe1bc0838d24e0deffad1c96ee2","sip_keys":[["4746789603923246281","9835731802354323261"],["11277193235900924841","7296056854142719726"]]}