[HTTPS-Everywhere] bbc.co.uk attempts to use user installed certificates?

Alex Xu alex_y_xu at yahoo.ca
Mon Mar 10 09:51:25 PDT 2014


On 10/03/14 11:53 AM, Daniel Kahn Gillmor wrote:
> Hi Austin--
> 
> On 03/08/2014 07:25 PM, Austin English wrote:
> 
>> I'm not sure if this is a bug or intended behavior, so sending an email
>> here. I've got a .p12 certificate imported into Firefox for employer
>> related sites. In Firefox 27 on Fedora 64, the first time I browse to a
>> site on bbc.co.uk, I receive a dialog asking to use my employer's cert on
>> bbc.co.uk. (This cert, of course, has no effect on that site). Clicking
>> either ok or cancel will dismiss the dialog, then load the non-https page.
> 
> Can you supply the full URL that you're seeing this behavior on, and
> what IP address is being used for the bbc server (if possible)? I'm
> trying to replicate this, and not seeing it.
> 
> The TLS X.509 client certificate credential popup dialog box you're
> seeing is usually caused by the server sending a TLS CertificateRequest
> message.
> 
> My tests have connected to bbc.co.uk on TCP port 443 of 212.58.246.104
> (from an IP address in the USA), and I don't see any TLS
> CertificateRequest message coming from that server when I examine the
> traffic in Wireshark.
> 
>> So, is this a bug or feature? Can HTTPS-Everywhere do anything in this case?
>>
>> Note: I've disabled the ruleset on my machine as a workaround, but I
>> suspect users that have personal certificates in their browser is a
>> relatively low proportion, so I wanted to make sure this is a known issue.
> 
> I'd be happy to help diagnose the situation if you can help me reproduce
> the problem.
> 
> Regards,
> 
> 	--dkg

It's not on bbc.co.uk per se; it's on another site whose resources are
requested by the main site. I *think* it's related to video content, but
not sure.
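
Added example, not part of the original thread: a way to script the check described in the quoted reply, looking for a TLS CertificateRequest (handshake type 13) in the bytes a server sends, which is what has to be run against each third-party host a page pulls resources from. The function names and the sample flights are constructed for illustration. It assumes TLS 1.2 or earlier and an initial handshake, since a request sent after ChangeCipherSpec (renegotiation) is encrypted and not visible this way.

```python
import struct

HANDSHAKE = 22            # TLS record content type: handshake
CHANGE_CIPHER_SPEC = 20   # records after this one are encrypted
CERTIFICATE_REQUEST = 13  # handshake message type

def handshake_types(stream: bytes) -> list:
    """Return plaintext handshake message types in a server->client byte stream."""
    hs = bytearray()
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        body = stream[pos + 5:pos + 5 + length]
        if len(body) < length:
            break                       # truncated capture
        pos += 5 + length
        if ctype == CHANGE_CIPHER_SPEC:
            break                       # stop: later handshake data is ciphertext
        if ctype == HANDSHAKE:
            hs += body                  # messages may share or span records
    types, off = [], 0
    while off + 4 <= len(hs):
        mlen = int.from_bytes(hs[off + 1:off + 4], "big")
        if off + 4 + mlen > len(hs):
            break                       # incomplete final message
        types.append(hs[off])
        off += 4 + mlen
    return types

def requests_client_cert(stream: bytes) -> bool:
    """True if the server flight contains a CertificateRequest."""
    return CERTIFICATE_REQUEST in handshake_types(stream)

def _record(ctype: int, payload: bytes) -> bytes:
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

def _msg(mtype: int, body: bytes = b"") -> bytes:
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

# Constructed sample flights; message bodies are dummy bytes, not real captures.
# ServerHello(2), Certificate(11), ServerHelloDone(14): no client cert prompt.
PLAIN_FLIGHT = _record(22, _msg(2, b"\x00" * 38) + _msg(11, b"\x00" * 10) + _msg(14))
# Same flight with a CertificateRequest that straddles two records.
_flight = (_msg(2, b"\x00" * 38) + _msg(11, b"\x00" * 10)
           + _msg(13, b"\x00" * 8) + _msg(14))
CERT_REQ_FLIGHT = _record(22, _flight[:60]) + _record(22, _flight[60:])

if __name__ == "__main__":
    for name, flight in (("plain", PLAIN_FLIGHT), ("cert-req", CERT_REQ_FLIGHT)):
        print(name, handshake_types(flight), requests_client_cert(flight))
```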
