[HTTPS-Everywhere] bbc.co.uk attempts to use user installed certificates?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Mar 10 08:53:22 PDT 2014


Hi Austin--

On 03/08/2014 07:25 PM, Austin English wrote:

> I'm not sure if this is a bug or intended behavior, so sending an email
> here. I've got a .p12 certificate imported into Firefox for employer
> related sites. In Firefox 27 on Fedora 64, the first time I browse to a
> site on bbc.co.uk, I receive a dialog asking to use my employer's cert on
> bbc.co.uk. (This cert, of course, has no effect on that site). Clicking
> either ok or cancel will dismiss the dialog, then load the non-https page.

can you supply the full URL that you're seeing this behavior on, and
what IP address is being used for the bbc server (if possible)?  i'm
trying to replicate this, and not seeing it.

The TLS X.509 client certificate credential popup dialog box you're
seeing is usually caused by the server sending a TLS CertificateRequest
message.

My tests have connected to bbc.co.uk on TCP port 443 of 212.58.246.104
(from an IP address in the USA), and i don't see any TLS
CertificateRequest message coming from that server when i examine the
traffic in wireshark.

> So, is this a bug or feature? Can HTTPS-Everywhere do anything in this case?
> 
> Note: I've disabled the ruleset on my machine as a workaround, but I
> suspect users that have personal certificates in their browser are a
> relatively low proportion, so I wanted to make sure this is a known issue.

I'd be happy to help diagnose the situation if you can help me reproduce
the problem.

Regards,

	--dkg
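
An added example, not part of the original message: the Wireshark check described above, done in code over captured server-to-client bytes, listing the handshake messages and flagging a CertificateRequest (handshake type 13). It assumes a plaintext initial handshake (TLS 1.2 or earlier); the sample flights and the helper names are constructed for illustration.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC = 22, 20   # TLS record content types
CERTIFICATE_REQUEST = 13                 # handshake message type

def handshake_types(stream: bytes) -> list:
    """Return the handshake message types seen in a plaintext server flight."""
    buf, pos = bytearray(), 0
    # Pass 1: reassemble handshake payloads; a message may span several records.
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        payload = stream[pos + 5:pos + 5 + length]
        if len(payload) < length:
            raise ValueError("truncated TLS record")
        if ctype == CHANGE_CIPHER_SPEC:
            break                        # everything after this is encrypted
        if ctype == HANDSHAKE:
            buf += payload
        pos += 5 + length
    # Pass 2: walk the messages (1-byte type, 3-byte length, body).
    types, off = [], 0
    while off + 4 <= len(buf):
        mlen = int.from_bytes(buf[off + 1:off + 4], "big")
        if off + 4 + mlen > len(buf):
            raise ValueError("truncated handshake message")
        types.append(buf[off])
        off += 4 + mlen
    return types

def requests_client_cert(stream: bytes) -> bool:
    """True if the server asked for a client certificate in this flight."""
    return CERTIFICATE_REQUEST in handshake_types(stream)

# --- constructed sample data (dummy message bodies, not a real capture) ---
def _msg(mtype: int, body: bytes = b"") -> bytes:
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def _record(payload: bytes, ctype: int = HANDSHAKE) -> bytes:
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

# ServerHello, Certificate, ServerHelloDone: no client certificate requested.
NO_REQUEST = _record(_msg(2, b"\0" * 38) + _msg(11, b"\0" * 10) + _msg(14))
# Same flight plus a CertificateRequest, split mid-message across two records.
_flight = (_msg(2, b"\0" * 38) + _msg(11, b"\0" * 10)
           + _msg(13, b"\x01\x01\x00\x00") + _msg(14))
WITH_REQUEST = _record(_flight[:60]) + _record(_flight[60:])

if __name__ == "__main__":
    for name, data in (("NO_REQUEST", NO_REQUEST), ("WITH_REQUEST", WITH_REQUEST)):
        print(name, handshake_types(data), requests_client_cert(data))
```

A CertificateRequest sent in TLS 1.3, or during a renegotiation after the connection is already encrypted, will not be visible to this kind of parse.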
