[HTTPS-Everywhere] bbc.co.uk attempts to use user installed certificates?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Mar 11 07:49:18 PDT 2014


On 03/10/2014 07:17 PM, Austin English wrote:
> An example URL:
> http://www.bbc.co.uk/news/magazine-25816000 which then redirects to
> http://www.bbc.com/news/magazine-25816000

Interesting, i'm not seeing this behavior at all on my end.  i wonder if
it's particular to your network path.

> See the attached screenshot (slightly edited for privacy reasons).
> 
> @Daniel, I'm not sure how to get the IP address of the server being used.
> Running host on those domains returns several IPs... any tips?

one thing you could do is to run tcpdump or wireshark to capture your
own traffic when the web page is visited; then inspect the traffic (e.g.
with wireshark) to see which server sends a "CertificateRequest" TLS
message.

to start capturing packets with tcpdump to a file named debug.pcap if
your network interface is named "eth0", do:

  tcpdump -w debug.pcap -i eth0 -s 2048 'tcp port 443'

(you might need to have superuser privileges to run tcpdump like this)

then as your regular user, visit the web page to get it to trigger the
certificate request in your browser.

then hit Ctrl-C in the terminal running tcpdump.

as a regular user, you can point wireshark at that packet dump to
inspect it. If you are comfortable sharing it privately, and you want
help investigating it, you can send it to me off-list and i'll take a
look at it with you.

> One other important thing I just noticed. The BBC (partial) rule is enabled
> (by default), but BBC.com (false MCB) is not. Enabling that rule then gives
> me https bbc.com urls, but Firefox warns me that the page is only partially
> encrypted. The page still pops up the certificate dialog, however.

yep, they've definitely got a mixed-content problem at the BBC :(

hth,

	--dkg
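The capture-then-inspect procedure above can also be done without opening wireshark by hand. The following Python script is an added example, not code from the thread or from the HTTPS-Everywhere project: it walks a classic pcap (as written by the tcpdump command above), extracts each IPv4/TCP segment, and reports the server address and port of any segment whose plaintext TLS handshake records contain a CertificateRequest (handshake type 13). To run offline it builds a constructed one-packet capture in memory, using the RFC 5737 documentation address 192.0.2.10 rather than any real server. Two caveats the script itself does not address: it does not reassemble TLS records split across TCP segments (wireshark does), and it only works for TLS 1.2 and earlier, where CertificateRequest is sent in the clear; in TLS 1.3 that message is encrypted under the handshake keys.

```python
"""Scan a pcap for TLS CertificateRequest handshake messages.

Added example, not part of the original thread. The sample capture built by
build_sample_pcap() is constructed for this demonstration.
"""
import struct
import sys

TLS_HANDSHAKE = 22            # TLS record content type: handshake
HS_CERTIFICATE_REQUEST = 13   # handshake message type: CertificateRequest


def parse_pcap(data):
    """Yield (src_ip, src_port, dst_ip, dst_port, tcp_payload) for every
    Ethernet/IPv4/TCP packet in a little-endian classic (non-pcapng) pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    offset = 24                                   # skip the global header
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, offset)
        pkt = data[offset + 16: offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":   # EtherType IPv4 only
            continue
        ip = pkt[14:]
        ihl = (ip[0] & 0x0F) * 4                  # IPv4 header length
        if ip[9] != 6:                            # protocol 6 = TCP
            continue
        src_ip = ".".join(str(b) for b in ip[12:16])
        dst_ip = ".".join(str(b) for b in ip[16:20])
        tcp = ip[ihl:]
        src_port, dst_port = struct.unpack_from("!HH", tcp, 0)
        doff = (tcp[12] >> 4) * 4                 # TCP header length
        yield src_ip, src_port, dst_ip, dst_port, tcp[doff:]


def handshake_types(payload):
    """Return the handshake message types in the plaintext TLS records of one
    TCP segment. Records are not reassembled across segments."""
    types = []
    pos = 0
    while pos + 5 <= len(payload):
        ctype = payload[pos]                      # record: type(1) ver(2) len(2)
        rec_len = struct.unpack_from("!H", payload, pos + 3)[0]
        body = payload[pos + 5: pos + 5 + rec_len]
        pos += 5 + rec_len
        if ctype != TLS_HANDSHAKE:
            continue
        hpos = 0
        while hpos + 4 <= len(body):              # message: type(1) len(3)
            types.append(body[hpos])
            hpos += 4 + int.from_bytes(body[hpos + 1: hpos + 4], "big")
    return types


def find_certificate_requests(pcap_bytes):
    """Return the set of (ip, port) servers that sent a CertificateRequest."""
    senders = set()
    for src_ip, src_port, _, _, payload in parse_pcap(pcap_bytes):
        if src_port == 443 and HS_CERTIFICATE_REQUEST in handshake_types(payload):
            senders.add((src_ip, src_port))
    return senders


def build_sample_pcap():
    """Constructed capture: one segment from 192.0.2.10:443 (a documentation
    address, not a real server) carrying a TLS 1.2 CertificateRequest followed
    by ServerHelloDone, as a server asking for a client certificate would send."""
    # CertificateRequest body: one cert type (rsa_sign), one signature
    # algorithm (sha256/rsa), empty distinguished-name list.
    cert_req_body = b"\x01\x01" + b"\x00\x02\x04\x01" + b"\x00\x00"
    cert_req = (bytes([HS_CERTIFICATE_REQUEST])
                + len(cert_req_body).to_bytes(3, "big") + cert_req_body)
    hello_done = b"\x0e\x00\x00\x00"
    hs = cert_req + hello_done
    record = bytes([TLS_HANDSHAKE]) + b"\x03\x03" + struct.pack("!H", len(hs)) + hs
    tcp = struct.pack("!HHIIBBHHH", 443, 51234, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + record
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7])) + tcp
    frame = b"\x00" * 12 + b"\x08\x00" + ip       # zero MACs, EtherType IPv4
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    phdr = struct.pack("<IIII", 0, 0, len(frame), len(frame))
    return ghdr + phdr + frame


if __name__ == "__main__":
    # Pass a real debug.pcap as the first argument, else use the constructed one.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for ip, port in sorted(find_certificate_requests(data)):
        print("CertificateRequest sent by %s:%d" % (ip, port))
```

Run it as `python3 scan.py debug.pcap` against the file written by the tcpdump command above; the server IP it prints is the one to look up (for example with host -a or whois) when working out which BBC endpoint or CDN node is asking for a client certificate.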
