[HTTPS-E Rulesets] Big Yellow Taxi

Seth David Schoen schoen at eff.org
Fri Mar 14 14:58:01 PDT 2014


John Wallace writes:

> Using Firefox 27.0 (aka Aurora) with the latest and greatest Https-Everywhere in Linux (aka, Hardened-Gentoo), I tried visiting this page:
> 
> https://wiki.gentoo.org/wiki/Xorg/Hardware_3D_acceleration_guide
> 
> ...but it failed with this error: 
> 
> Secure Connection Failed
> An error occurred during a connection to wiki.gentoo.org.
> The OCSP response is not yet valid (contains a date in the future).
> Error code: sec_error_ocsp_future_response
>      * the page you are trying to view cannot be shown because the authenticity
>         of the received data could not be verified....(etc ..)

Hi John,

Can you check whether the clock on your computer is set accurately?

OCSP is a mechanism to let browsers check whether digital certificates
are still valid.  (It stands for Online Certificate Status Protocol.)
This allows certificate authorities to revoke certificates that are
still being used in the wild, if, for example, the private key is
known to be stolen.  (Without a way for someone other than the site
to revoke the certificate, the legitimate site might stop using the
old certificate after the key was stolen, but whoever stole the key
might put up a fake site that continues using the old certificate to
reassure browsers that the stolen key is valid!)

OCSP is only applicable to HTTPS because HTTP doesn't use digital
certificates at all.  So when you access the site insecurely over
HTTP, OCSP doesn't enter into the picture at all.  However, switching
to HTTP to get rid of the error feels to me like throwing the baby
out with the bathwater.  OCSP is there to make HTTPS connections
safer, but HTTP connections are inherently less safe than HTTPS
connections because HTTP connections don't use any cryptographic
means for ensuring confidentiality or authenticity.

It's not easy to imagine a way that this problem could be caused by the
Gentoo site itself, because the OCSP response is sent by the certificate
authority, not by Gentoo.  It's most likely either a problem with the
clock on your computer or with the certificate authority that Gentoo uses
(apparently DigiCert).  An alternative possibility is that you could
be accessing the Internet from behind a firewall that blocks or tampers
with OCSP replies for some reason.

If your computer's clock turns out to be accurate, maybe you can send
us a copy of the certificate that you're receiving for the site (via
Tools / Page Info / Security / View Certificate / Details / Export...)
and also consider reporting the problem to Gentoo's web team.

Thanks.

-- 
Seth Schoen  <schoen at eff.org>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107
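The clock check Seth suggests is worth understanding mechanically: a browser compares the OCSP response's thisUpdate/nextUpdate window against the local clock, so a clock set in the past makes a perfectly good response look like it "contains a date in the future". The following Python block is an added example, not code from this list or from HTTPS Everywhere. It parses the validity lines of a constructed response written in the style of `openssl ocsp -text` output (the dates are invented) and classifies the response for a given local time; the five-minute skew tolerance is an assumption, not a value any particular browser is known to use.

```python
# Added example (not from the mailing-list post): model the time-window check a
# client applies to an OCSP response, to show how a wrong local clock yields
# "The OCSP response is not yet valid (contains a date in the future)".
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the style of `openssl ocsp -text` output.
# The dates are invented for illustration; this is not a real response.
SAMPLE_OCSP_TEXT = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Produced At: Mar 14 12:00:00 2014 GMT
    Responses:
    Cert Status: good
    This Update: Mar 14 12:00:00 2014 GMT
    Next Update: Mar 21 12:00:00 2014 GMT
"""

_VALIDITY_RE = re.compile(r"^\s*(This Update|Next Update):\s*(.+?)\s*$", re.MULTILINE)
_OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"   # openssl's text form of a GeneralizedTime

# Assumed tolerance for small clock differences between client and responder.
DEFAULT_SKEW = timedelta(minutes=5)


def parse_validity(text):
    """Return (this_update, next_update) as aware UTC datetimes.
    next_update is None when the responder omitted it (allowed by RFC 6960)."""
    found = {m.group(1): m.group(2) for m in _VALIDITY_RE.finditer(text)}
    if "This Update" not in found:
        raise ValueError("response has no thisUpdate field")
    this_update = datetime.strptime(found["This Update"], _OPENSSL_TIME)
    this_update = this_update.replace(tzinfo=timezone.utc)
    next_update = None
    if "Next Update" in found:
        next_update = datetime.strptime(found["Next Update"], _OPENSSL_TIME)
        next_update = next_update.replace(tzinfo=timezone.utc)
    return this_update, next_update


def check_window(this_update, next_update, now, skew=DEFAULT_SKEW):
    """Classify a response against the local clock `now`.
    'future_response' corresponds to Firefox's sec_error_ocsp_future_response
    (the error quoted in the thread); 'expired' means nextUpdate has passed."""
    if this_update - skew > now:
        return "future_response"
    if next_update is not None and next_update + skew < now:
        return "expired"
    return "ok"


def diagnose(text, local_now_iso):
    """Parse the response text and classify it for the local time given as an
    ISO 8601 string with offset, e.g. '2014-03-15T00:00:00+00:00'."""
    local_now = datetime.fromisoformat(local_now_iso)
    this_update, next_update = parse_validity(text)
    return check_window(this_update, next_update, local_now)


if __name__ == "__main__":
    # Correct clock: the response is inside its window.
    print("clock right :", diagnose(SAMPLE_OCSP_TEXT, "2014-03-15T00:00:00+00:00"))
    # Clock a year behind: thisUpdate lies in the client's "future".
    print("clock behind:", diagnose(SAMPLE_OCSP_TEXT, "2013-03-15T00:00:00+00:00"))
    # Clock a month ahead: nextUpdate has already passed.
    print("clock ahead :", diagnose(SAMPLE_OCSP_TEXT, "2014-04-15T00:00:00+00:00"))
```

Run it as a script to see the three outcomes; only the middle case, a clock set behind the real time, reproduces the "future response" condition, which is why checking the system clock is the first step before suspecting the CA or a middlebox.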

