[HTTPS-Everywhere] [pde at eff.org: [URGENT] an easy-to-fix problem with bit.ly HTTPS support]

Peter Eckersley pde at eff.org
Wed Nov 17 15:19:49 PST 2010


The alternative to getting sites to make these kinds of changes would be for
us to hit some url that caches the StartCom intermediate cert exactly once
after installation.  That would be ugly, but in some ways preferable since it
allows the sites to follow the recommendations that Adam Langley made about
improving SSL performance by omitting intermediate certs:

http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html

I could use the SSL observatory data to find a URL that would cause Firefox to
cache the StartCom cert for bit.ly; are there XPCOM calls available to hit a
url without rendering the response anywhere?

----- Forwarded message from Peter Eckersley <pde at eff.org> -----

Date: Wed, 17 Nov 2010 12:22:37 -0800
From: Peter Eckersley <pde at eff.org>
To: inquiries at bit.ly
Subject: [URGENT] an easy-to-fix problem with bit.ly HTTPS support
User-Agent: Mutt/1.5.20 (2009-06-14)

Hi,

We're about to push bit.ly support to ~500,000 people who use the HTTPS
Everywhere Firefox extension (https://eff.org/https-everywhere).  Our users'
browsers will always fetch pages from bit.ly over https:// rather than
http://.

Unfortunately, we've noticed that although your SSL certificate is signed by
StartCom, you don't actually publish the StartCom intermediate certificate at
bit.ly:443.  What this means is that a brand new browser profile will get an
invalid certificate warning if it goes to https://bit.ly!  Once the browser
has been to some other site that publishes the StartCom cert, that certificate
will be cached and https://bit.ly will work.  Adding the StartCom cert to your
certificate chain is a slight performance hit, but it will get rid of the cert
warnings.

PS -- our bit.ly rule is here, your devs might have opinions about it:

https://gitweb.torproject.org/https-everywhere.git/blob/HEAD:/src/chrome/content/rules/Bitly.xml
-- 
Peter Eckersley                            pde at eff.org
Senior Staff Technologist         Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993

----- End forwarded message -----

-- 
Peter Eckersley                            pde at eff.org
Senior Staff Technologist         Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993