[HTTPS-E Rulesets] Big Yellow Taxi

John Wallace b1-x at outlook.com
Fri Mar 14 14:35:34 PDT 2014


Using Firefox 27.0 (aka Aurora) with the latest and greatest Https-Everywhere in Linux (aka, Hardened-Gentoo), I tried visiting this page:

https://wiki.gentoo.org/wiki/Xorg/Hardware_3D_acceleration_guide

...but it failed with this error: 

Secure Connection Failed
An error occurred during a connection to wiki.gentoo.org.
The OCSP response is not yet valid (contains a date in the future).
Error code: sec_error_ocsp_future_response
     * The page you are trying to view cannot be shown because the authenticity
       of the received data could not be verified. (etc.)
------------------
After some head-scratching and a little research, I found this in regard to OCSP in Firefox:

https://wiki.mozilla.org/CA:Recommended_Practices

     "OCSP responders should be set up to listen on a standard port (e.g. port
     80), because firewalls may block ports other than 80/443. Firefox and
     some other clients do not work with HTTPS OCSP responders, and many
     firewalls block requests that aren't over port 80, so OCSP responders
     must be accessible over HTTP (not only HTTPS) on port 80."


So, this prompted me to change the https to http and retry. My hunch was right and it then allowed access. Naturally, this got me thinking in general about the possible significance of its effect on https-everywhere. If any site were using an 'HTTPS OCSP responder', well, this would lead to a similar problem for everyone else with this extension installed. Furthermore, in some cases the person might be challenged by this problem and not get the notion that changing it from https to http would avert the issue. In any case, I wanted to throw this out here so that you could take it into consideration if someone else has not already brought it up. 

I am not a developer, and I am not sure why Gentoo's site would have a future date. I do not know how to check whether that is really true, and I do not know whether there is a better solution than simply changing the link 'ad hoc' from https to http. Is there?

I do for sure appreciate having this feature with Https-Everywhere. Thanks for all the hard work you guys do on this vitally important cause. For those who do not care enough about it, I am reminded of a wonderful song by Joni Mitchell, "Big Yellow Taxi", which includes these lyrics:

>>> ...You don't know what you got till it's gone.
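The message above asks how one could check whether an OCSP response really carries a date in the future. The following is an added example, not part of John Wallace's message and not HTTPS Everywhere or Mozilla code: it parses the "This Update" / "Next Update" lines as printed by `openssl ocsp -text` and applies the same kind of validity-window check that produced `sec_error_ocsp_future_response` above, with an assumed clock-skew tolerance of five minutes (Firefox's real tolerance is not stated on this page and is not claimed here). The sample OCSP text and timestamps are constructed for the example, not captured from wiki.gentoo.org.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of the time fields in `openssl ocsp -text` output.
# These lines are made up for this example, not the real gentoo.org response.
SAMPLE_OCSP_TEXT = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responses:
    Cert Status: good
    This Update: Mar 15 02:00:00 2014 GMT
    Next Update: Mar 22 02:00:00 2014 GMT
"""

# OpenSSL prints ASN.1 times as e.g. "Mar  4 21:00:00 2014 GMT" (space-padded day).
OPENSSL_TIME_FMT = "%b %d %H:%M:%S %Y GMT"


def parse_openssl_time(text):
    """Parse an OpenSSL-style GMT timestamp; extra spaces are collapsed first."""
    return datetime.strptime(" ".join(text.split()), OPENSSL_TIME_FMT)


def parse_ocsp_times(ocsp_text):
    """Return (thisUpdate, nextUpdate) from `openssl ocsp -text` output.

    nextUpdate is optional in OCSP, so it may come back as None.
    """
    def grab(label):
        match = re.search(label + r":\s*(.+)", ocsp_text)
        return parse_openssl_time(match.group(1)) if match else None

    this_update = grab("This Update")
    if this_update is None:
        raise ValueError("no 'This Update' field found in OCSP text")
    return this_update, grab("Next Update")


def classify_ocsp_validity(this_update, next_update, now, skew=timedelta(minutes=5)):
    """Validity-window check a client performs on a signed OCSP response.

    "future": thisUpdate lies beyond now plus the tolerated skew; this is the
              condition behind Firefox's sec_error_ocsp_future_response.
    "stale":  nextUpdate already passed (NSS reports that as an old response).
    "valid":  now falls inside [thisUpdate - skew, nextUpdate + skew].
    The skew value is an assumption for this example, not a client's real setting.
    """
    if this_update > now + skew:
        return "future"
    if next_update is not None and next_update < now - skew:
        return "stale"
    return "valid"


def check_ocsp_text(ocsp_text, now_text, skew_minutes=5):
    """Convenience wrapper: classify saved `openssl ocsp -text` output at a given time."""
    this_update, next_update = parse_ocsp_times(ocsp_text)
    now = parse_openssl_time(now_text)
    return classify_ocsp_validity(this_update, next_update, now,
                                  timedelta(minutes=skew_minutes))


if __name__ == "__main__":
    # Constructed local clock matching the post's date (Mar 14 2014, 14:35 PDT = 21:35 UTC).
    for when in ("Mar 14 21:35:34 2014 GMT", "Mar 16 12:00:00 2014 GMT", "Apr  1 00:00:00 2014 GMT"):
        print(when, "->", check_ocsp_text(SAMPLE_OCSP_TEXT, when))
```

When run against real output saved from `openssl ocsp -text`, a "future" result with a local clock that is known to be correct points at the responder's clock or a cached response; a "future" result with a wrong local clock is the client's own problem. Either way the error is about time, not about whether the site link says http or https, so changing the link only sidesteps the revocation check rather than fixing it.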
