[HTTPS-Everywhere] bbc.co.uk attempts to use user installed certificates?
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Mar 26 11:21:00 PDT 2014
On 03/18/2014 08:05 PM, Austin English wrote:
> I see that Eitan sent a traffic dump, do you still need one from me?
Nope, sorry about the delay!
I reviewed Eitan's packet dump and it looks like www.live.bbc.co.uk is
the culprit here.
here's the DNS lookup for it for me right now:

  www.live.bbc.co.uk.   241 IN CNAME www-live.bbc.net.uk.
  www-live.bbc.net.uk.  241 IN A     212.58.244.72
  www-live.bbc.net.uk.  241 IN A     212.58.244.73

and indeed, i get a CERTIFICATE REQUEST in the debug log spew when i
make an initial single connection to the server (rather than it
triggering a certificate request as part of a re-handshake after a given
path is requested, which is a common HTTPS use case):

  gnutls-cli --debug 9999 www.live.bbc.co.uk

So this is what's causing the popup for Austin, i think.
I don't know anyone at the BBC who might be able to explain why their
server is making these requests -- perhaps they have some clients that
need authenticated access?
Does anyone on the list know anyone at the BBC who might be able to
comment on this?
Does HTTPS-Everywhere need to distinguish sites that might automatically
prompt for client-side authentication like this?
is there a concrete bug we need to be addressing here, either in HTTPS-E
or upstream in firefox itself? It's certainly an annoying use case to
have these unintelligible dialogs pop up mid-pageload when they're not
actually useful.
--dkg
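
The check described in the message above (a CertificateRequest sent in the server's initial handshake flight rather than in a later re-handshake) can be made offline against captured bytes. The following is an added example, not part of the original post: it assumes a TLS 1.2-or-earlier capture where the server's first flight is cleartext, and the function names and sample bytes are constructed for illustration.

```python
import struct

# Framing constants from the TLS 1.2 record and handshake layers.
HANDSHAKE, CHANGE_CIPHER_SPEC = 22, 20
HS_NAMES = {2: "server_hello", 11: "certificate", 12: "server_key_exchange",
            13: "certificate_request", 14: "server_hello_done"}

def handshake_types(stream):
    """Names of the cleartext handshake messages in a server's first flight."""
    payload, pos = b"", 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        if ctype == CHANGE_CIPHER_SPEC:
            break                      # everything after this is encrypted
        body = stream[pos + 5:pos + 5 + length]
        if len(body) < length:
            raise ValueError("truncated TLS record")
        if ctype == HANDSHAKE:
            payload += body            # messages may span record boundaries
        pos += 5 + length
    names, pos = [], 0
    while pos + 4 <= len(payload):
        mlen = int.from_bytes(payload[pos + 1:pos + 4], "big")
        if pos + 4 + mlen > len(payload):
            raise ValueError("truncated handshake message")
        names.append(HS_NAMES.get(payload[pos], "type_%d" % payload[pos]))
        pos += 4 + mlen
    return names

def requests_client_cert(stream):
    """True if CertificateRequest arrives in the initial handshake flight."""
    return "certificate_request" in handshake_types(stream)

# --- constructed sample data (framing only; message bodies are zero filler) ---
def _msg(mtype, body=b""):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def _rec(payload, ctype=HANDSHAKE):
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

_flight = _msg(2, bytes(38)) + _msg(11, bytes(10)) + _msg(13, bytes(8)) + _msg(14)
SAMPLE_WITH_REQUEST = _rec(_flight[:50]) + _rec(_flight[50:])   # split mid-message
SAMPLE_WITHOUT = _rec(_msg(2, bytes(38)) + _msg(11, bytes(10)) + _msg(14))

if __name__ == "__main__":
    for label, data in (("with", SAMPLE_WITH_REQUEST), ("without", SAMPLE_WITHOUT)):
        print(label, handshake_types(data), requests_client_cert(data))
```

Fed the server-to-client bytes of a real capture, the same functions show whether a host would trigger the client-certificate dialog on first connect.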