[HTTPS-Everywhere] 2.0development.1 won't submit cert from "Untrusted connection" page
Peter Eckersley
pde at eff.org
Fri Sep 30 16:34:20 PDT 2011
On Sat, Oct 01, 2011 at 01:01:34AM +0200, Ondrej Mikle wrote:
> Hi,
>
> I've been testing the development version of HTTPS Everywhere for a couple of
> days. Works great in general.
>
> An issue I've noticed is that it won't submit the certificate to Observatory if
> Firefox displays the "Untrusted connection" page until the user adds a (temporary)
> exception for the certificate. I'm not sure if that is the intended behavior.
Excellent observation :). We're blocking on this:
https://bugzilla.mozilla.org/show_bug.cgi?id=644640
We could implement the crazy workaround that Moxie Marlinspike has used in
Convergence, which is to make a new root CA, install it in the browser's trust
root, and then man-in-the-middle all outgoing HTTPS connections (!).
Doing that would be a measure of last resort if we really can't get Mozilla to
give us the API we need.
>
> One question about server_ip:
> I noticed HTTPS Everywhere always sends "-1" for the server IP when submitting
> cert to Observatory.
It's -1 because it's not yet implemented. We figured this was okay in an
alpha client :).
> I've heard that the Firefox extension API has a limitation in
> this, i.e. that an extension can know the FQDN, but not the actual IP Firefox uses
> for the connection to the server. Extensions that depend on the knowledge of IP,
> e.g. DNSSEC Validator or AS Number, employ various workarounds for this. Perhaps
> you know whether the IP-connected-to can be retrieved in a FF extension?
Indeed. Our two options are to implement the same workarounds as those
extensions (which I believe will amount to performing a second DNS request --
i.e., not good, but maybe better than nothing), or to wait for Firefox to
offer more API functionality. That will probably require changes in NSS, as
discussed in this recent thread:
https://groups.google.com/group/mozilla.dev.platform/browse_thread/thread/bde2c5a32d3dc9d8
--
Peter Eckersley pde at eff.org
Technology Projects Director Tel +1 415 436 9333 x131
Electronic Frontier Foundation Fax +1 415 436 9993