[HTTPS-Everywhere] bbc.co.uk attempts to use user installed certificates?
Yan Zhu
yan at eff.org
Wed Mar 26 12:09:11 PDT 2014
On 03/26/2014 11:21 AM, Daniel Kahn Gillmor wrote:
> On 03/18/2014 08:05 PM, Austin English wrote:
>> I see that Eitan sent a traffic dump, do you still need one from me?
>
> Nope, sorry about the delay!
>
> I reviewed Eitan's packet dump and it looks like www.live.bbc.co.uk is
> the culprit here.
>
> here's the DNS lookup for it for me right now:
>
> www.live.bbc.co.uk. 241 IN CNAME www-live.bbc.net.uk.
> www-live.bbc.net.uk. 241 IN A 212.58.244.72
> www-live.bbc.net.uk. 241 IN A 212.58.244.73
>
> and indeed, i get a CERTIFICATE REQUEST in the debug log spew when i
> make an initial single connection to the server (rather than it
> triggering a certificate request as part of a re-handshake after a given
> path is requested, which is a common HTTPS use case):
>
> gnutls-cli --debug 9999 www.live.bbc.co.uk
>
> So this is what's causing the popup for Austin, i think.
>
> I don't know anyone at the BBC who might be able to explain why their
> server is making these requests -- perhaps they have some clients that
> need authenticated access?
>
> Does anyone on the list know anyone at the BBC who might be able to
> comment on this?
Great job tracking down this bug! I've pinged the EFF person most likely
to know someone at BBC.
> Does HTTPS-Everywhere need to distinguish sites that might automatically
> prompt for client-side authentication like this?
>
> is there a concrete bug we need to be addressing here, either in HTTPS-E
> or upstream in firefox itself? It's certainly an annoying use case to
> have these unintelligible dialogs pop up mid-pageload when they're not
> actually useful.
I think, if anything, it's something that HTTPS Everywhere should
handle, not Firefox. A maybe-reasonable fix is for HTTPS Everywhere to
suppress the popup when it gets CERTIFICATE REQUESTs from subresource
loads (anything that isn't a top-level page load). The connection should
then fall back to SSL without client authentication, although in
practice many seem to fall back to plain HTTP. :)
But maybe client side certs are so rarely used outside of
company-internal websites (and MIT!) that it doesn't seem worth handling
the general case; we can just disable rules by default if they're broken
for people who have client certs installed.
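Added example, not code from this thread or from HTTPS Everywhere: a small Python parser for the server's first TLS 1.2 handshake flight (the bytes a packet dump like Eitan's would contain for one connection) that reports whether that flight carries a CertificateRequest, the message that makes Firefox show the client-certificate dialog. The sample flight is constructed inline, not captured from bbc.co.uk.

```python
import struct

HANDSHAKE = 22  # TLS record content type
HS_NAMES = {2: "ServerHello", 11: "Certificate", 13: "CertificateRequest", 14: "ServerHelloDone"}

def handshake_messages(data):
    """Yield (msg_type, body) from the handshake fragments of all TLS records in data."""
    stream, off = b"", 0
    while off + 5 <= len(data):  # record header: type(1) version(2) length(2)
        ctype, _ver, length = struct.unpack("!BHH", data[off:off + 5])
        if ctype == HANDSHAKE:
            stream += data[off + 5:off + 5 + length]
        off += 5 + length
    off = 0  # messages may span record boundaries, so parse the joined stream
    while off + 4 <= len(stream):  # message header: type(1) length(3)
        mtype, length = stream[off], int.from_bytes(stream[off + 1:off + 4], "big")
        body = stream[off + 4:off + 4 + length]
        if len(body) < length:
            raise ValueError("truncated handshake message")
        yield mtype, body
        off += 4 + length

def parse_certificate_request(body):
    """TLS 1.2 CertificateRequest (RFC 5246 7.4.4): cert types, sig algs, CA names."""
    n = body[0]
    cert_types, off = list(body[1:1 + n]), 1 + n
    off += 2 + struct.unpack("!H", body[off:off + 2])[0]  # skip signature algorithms
    end = off + 2 + struct.unpack("!H", body[off:off + 2])[0]
    off, ca_count = off + 2, 0
    while off < end:  # each CA name: length(2) + DER DistinguishedName
        off += 2 + struct.unpack("!H", body[off:off + 2])[0]
        ca_count += 1
    return {"cert_types": cert_types, "ca_count": ca_count}

def server_flight_summary(data):
    """Message names in the server's first flight plus CertificateRequest details, if any."""
    msgs = list(handshake_messages(data))
    names = [HS_NAMES.get(t, "type%d" % t) for t, _ in msgs]
    req = next((parse_certificate_request(b) for t, b in msgs if t == 13), None)
    return {"messages": names, "certificate_request": req}

# Constructed sample (not a real capture): ServerHello, Certificate, CertificateRequest for
# rsa_sign(1)/ecdsa_sign(64) certs from one CA, ServerHelloDone; split across two records.
def hs_msg(mtype, body):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def tls_record(frag):
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(frag)) + frag

CERT_REQ_BODY = (bytes([2, 1, 64]) + struct.pack("!H", 4) + b"\x04\x01\x04\x03"
                 + struct.pack("!H", 7) + struct.pack("!H", 5) + b"\x30\x03\x31\x01\x00")
FLIGHT = (hs_msg(2, b"\x03\x03" + b"\x00" * 36) + hs_msg(11, b"\x00\x00\x00")
          + hs_msg(13, CERT_REQ_BODY) + hs_msg(14, b""))
SAMPLE_FLIGHT = tls_record(FLIGHT[:60]) + tls_record(FLIGHT[60:])
```

A server whose summary shows a CertificateRequest on the very first flight, rather than only in a re-handshake for a specific path, is one that will trigger the dialog for every client with a usable certificate installed.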