[HTTPS-E Rulesets] Untrusted certificate on pcworld.com

Yan Zhu yan at eff.org
Fri Apr 4 12:10:43 PDT 2014


On 03/11/2014 02:42 PM, Claudio Moretti wrote:
> Hey Brian,
> 
> I can't even reach PCWorld over HTTPS:
> 
>         Unable to connect
> 
>         Iceweasel can't establish a connection to the server at
>         www.pcworld.com.
> 
>             The site could be temporarily unavailable or too busy. Try
>         again in a few moments.
>             If you are unable to load any pages, check your computer's
>         network connection.
>             If your computer or network is protected by a firewall or
>         proxy, make sure that Iceweasel is permitted to access the Web.
> 
> 
> This probably means that (at least for now) they've taken down their
> HTTPS website. It's not a matter of updating the ruleset, but disabling
> it by default.
> 
> This, though, requires an update to the extension, and I'm not sure what
> the policies for that are.

Nope, it just requires setting the "default_off" attribute in the ruleset.

BTW, this was a serious bug report that probably broke the site for a
lot of users! In the future it would be great if someone could cc me
directly or put [URGENT] in the subject line.

-Yan

> 
> Yan, could you help? :)
> 
> Thanks,
> 
> Claudio
> 
> claudio at Chuck:~$ nmap -p443 pcworld.com www.pcworld.com
> 
> Starting Nmap 6.41SVN ( http://nmap.org ) at 2014-03-11 21:42 GMT
> Nmap scan report for pcworld.com (70.42.185.10)
> Host is up (0.17s latency).
> rDNS record for 70.42.185.10: www.pcworld.com
> PORT    STATE  SERVICE
> 443/tcp closed https
> 
> Nmap scan report for www.pcworld.com (70.42.185.10)
> Host is up (0.17s latency).
> PORT    STATE  SERVICE
> 443/tcp closed https
> 
> Nmap done: 2 IP addresses (2 hosts up) scanned in 0.52 seconds
> 
> 
> 
> On Tue, Mar 11, 2014 at 8:00 PM, Brian Carpenter
> <brian.carpenter at gmail.com> wrote:
> 
>     While visiting pcworld.com
>     (https://www.pcworld.com/article/2091801/5-alternatives-to-logmein-free-for-remote-pc-access.html)
>     with HTTPS Everywhere enabled in the latest Chrome stable build, I
>     received this notice from Chrome:
> 
>     You attempted to reach *www.pcworld.com*,
>     but the server presented a certificate issued by an entity that is
>     not trusted by your computer's operating system. This may mean that
>     the server has generated its own security credentials, which Chrome
>     cannot rely on for identity information, or an attacker may be
>     trying to intercept your communications.
> 
>     The certificate is for localhost.localdomain and may indicate a
>     misconfiguration on the part of pcworld.com,
>     but I don't have contact information for them, at least not contact
>     info for someone who would know what I'm talking about. ;)
> 
>     Might need to push out an update for the pcworld.com
>     rules. Thanks!
> 
>     Regards,
> 
>     Brian 'geeknik' Carpenter
>     https://twitter.com/geeknik
> 
> 
> 


-- 
Yan Zhu  <yan at eff.org>
Staff Technologist
Electronic Frontier Foundation                  https://www.eff.org
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x134
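
The fix named in this thread is setting "default_off" on the ruleset. The sketch below is an added example, not part of the original message and not HTTPS Everywhere's own code: it applies that attribute to a ruleset when a target host shows either failure reported in the thread (port 443 closed, or a certificate issued for a different name). The ruleset contents, probe dictionaries, function names and reason strings are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed ruleset in the HTTPS Everywhere XML format (not the project's file).
RULESET = r"""<ruleset name="PCWorld (example)">
  <target host="pcworld.com" />
  <target host="www.pcworld.com" />
  <rule from="^http://(www\.)?pcworld\.com/" to="https://www.pcworld.com/" />
</ruleset>"""

# Constructed probe results modelled on the two reports in the thread.
CERT_REPORT = {"www.pcworld.com": {"port_open": True, "cert_names": ["localhost.localdomain"]}}
NMAP_REPORT = {"pcworld.com": {"port_open": False, "cert_names": []},
               "www.pcworld.com": {"port_open": False, "cert_names": []}}

def name_matches(pattern, host):
    """Exact match, or one left-most wildcard label (*.example.com)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def failure_reason(host, probe):
    """Return a short reason if HTTPS on this host would break users, else None."""
    if not probe["port_open"]:
        return f"{host}: port 443 closed"
    if not any(name_matches(n, host) for n in probe["cert_names"]):
        return f"{host}: certificate name mismatch"
    return None

def disable_if_broken(ruleset_xml, probes):
    """Set default_off on the ruleset when any probed target host fails."""
    root = ET.fromstring(ruleset_xml)
    reasons = []
    for target in root.iter("target"):
        host = target.get("host")
        if host in probes:  # hosts without probe data are left unjudged
            reason = failure_reason(host, probes[host])
            if reason:
                reasons.append(reason)
    if reasons:
        # The reason wording is this example's own; the attribute name is from the thread.
        root.set("default_off", "; ".join(reasons))
    return ET.tostring(root, encoding="unicode"), reasons

if __name__ == "__main__":
    for label, probes in (("cert report", CERT_REPORT), ("nmap report", NMAP_REPORT)):
        xml_out, why = disable_if_broken(RULESET, probes)
        print(label, "->", why)
        print(xml_out)
```
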
