[HTTPS-Everywhere] Sites with incomplete chains

Jacob Hoffman-Andrews jsha at eff.org
Thu Apr 23 10:25:42 PDT 2015


> Should we write a rule for such a site (e.g. bundesrat.de) or should
> their implementation be regarded as broken?

Sites where Firefox can download the intermediate should be considered
working, and we can write rules for them. We should aim to make the
checker smart enough to not be flummoxed by those sites.

On 04/23/2015 02:44 AM, Jonas Witmer wrote:
> Am 15.02.15 um 19:17 schrieb Jacob Hoffman-Andrews:
>> Good point! I think we are also missing some of the most current
>> certificates from Firefox, which I plan to update:
>> https://support.google.com/dfp_sb/answer/2524536?hl=en. If we still
>> have issues after updating those, we may want to install the
>> transitive closure of those certificates, from the SSL Observatory.
FYI, I have since updated https-everywhere-checker to include the
transitive closure of known CA certificates from the SSL Observatory as
of last month or so. This improved the checker's accuracy a lot, but it
still gets an occasional problem with missing certificates.

If anyone is interested in helping to improve the checker, I'd suggest
running it in disable-broken-rules mode, then going through the results
for false positives, and trying to find and fix the root cause of those
false positives:

python2.7 https-everywhere-checker/src/https_everywhere_checker/check_rules.py https-everywhere-checker/disable-broken-rulesets.checker.config

Note that you may have to trim the number of threads in the config
depending on your available bandwidth / CPU speed.
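The decision Jacob describes above (treat a site as working when Firefox can download the intermediate) rests on the leaf certificate carrying a caIssuers URL in its Authority Information Access (AIA) extension; that URL is where Firefox fetches the missing intermediate from, so a checker that wants to agree with Firefox has to read it. The following is an added example, not code from https-everywhere-checker, that locates that URL in a DER certificate using only the Python 3 standard library. The certificate it parses is constructed inline for the demonstration (a skeletal TBSCertificate with just a serial number and an extensions block, no signature), and the example.test URLs are placeholders.

```python
# Added example (not part of https-everywhere-checker): find the AIA caIssuers
# URL in a DER X.509 certificate with a minimal DER walker. Python 3 stdlib only.
AIA_OID = "1.3.6.1.5.5.7.1.1"          # id-pe-authorityInfoAccess
CA_ISSUERS_OID = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers
OCSP_OID = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp
TAG_OID, TAG_OCTET_STRING, TAG_SEQUENCE = 0x06, 0x04, 0x30
TAG_URI = 0x86                         # GeneralName [6] uniformResourceIdentifier


def _read_tlv(buf, pos):
    """Decode one DER tag/length header; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not used in X.509 certificates")
    if length & 0x80:                  # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length


def _children(buf, start, end):
    """Iterate the TLVs packed inside a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = _read_tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend


def _decode_oid(raw):
    parts, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def _find_extension(buf, start, end, oid):
    """Depth-first search for Extension ::= SEQUENCE { extnID, [critical], extnValue }."""
    for tag, vstart, vend in _children(buf, start, end):
        if not tag & 0x20:             # primitive value (BIT STRING, strings...): nothing inside
            continue
        kids = list(_children(buf, vstart, vend))
        if tag == TAG_SEQUENCE and kids and kids[0][0] == TAG_OID \
                and _decode_oid(buf[kids[0][1]:kids[0][2]]) == oid:
            for ktag, kstart, kend in kids[1:]:  # skip optional BOOLEAN critical
                if ktag == TAG_OCTET_STRING:
                    return kstart, kend
        found = _find_extension(buf, vstart, vend, oid)
        if found:
            return found
    return None


def aia_urls(der):
    """Return {'caIssuers': [...], 'ocsp': [...]} for a DER certificate (empty lists if no AIA)."""
    _, vstart, vend = _read_tlv(der, 0)               # outer Certificate SEQUENCE
    result = {"caIssuers": [], "ocsp": []}
    ext = _find_extension(der, vstart, vend, AIA_OID)
    if ext is None:
        return result
    _, istart, iend = _read_tlv(der, ext[0])          # extnValue wraps SEQUENCE OF AccessDescription
    for _, astart, aend in _children(der, istart, iend):
        kids = list(_children(der, astart, aend))
        if len(kids) != 2 or kids[0][0] != TAG_OID or kids[1][0] != TAG_URI:
            continue                                   # non-URI GeneralName: not fetchable, skip
        method = _decode_oid(der[kids[0][1]:kids[0][2]])
        url = der[kids[1][1]:kids[1][2]].decode("ascii")
        if method == CA_ISSUERS_OID:
            result["caIssuers"].append(url)
        elif method == OCSP_OID:
            result["ocsp"].append(url)
    return result


def intermediate_is_fetchable(der):
    """Checker rule: an incomplete chain still counts as working if a caIssuers URL is present."""
    return bool(aia_urls(der)["caIssuers"])


# --- constructed sample input (not a real certificate) ----------------------
def _encode_oid(oid):
    parts = [int(p) for p in oid.split(".")]
    out = bytearray([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = bytearray([p & 0x7F])
        p >>= 7
        while p:                       # base-128 with continuation bits, most significant first
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out += chunk
    return bytes(out)


def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_sample_cert(with_aia=True):
    """Skeletal Certificate { tbs { serialNumber, [3] Extensions } } with or without an AIA extension."""
    def access(oid, url):
        return _tlv(TAG_SEQUENCE, _tlv(TAG_OID, _encode_oid(oid)) + _tlv(TAG_URI, url.encode()))
    exts = b""
    if with_aia:
        aia = _tlv(TAG_SEQUENCE, access(OCSP_OID, "http://ocsp.example.test")
                   + access(CA_ISSUERS_OID, "http://crt.example.test/intermediate.cer"))
        exts = _tlv(TAG_SEQUENCE, _tlv(TAG_OID, _encode_oid(AIA_OID)) + _tlv(TAG_OCTET_STRING, aia))
    tbs = _tlv(TAG_SEQUENCE, _tlv(0x02, b"\x01") + _tlv(0xA3, _tlv(TAG_SEQUENCE, exts)))
    return _tlv(TAG_SEQUENCE, tbs)


if __name__ == "__main__":
    print(aia_urls(build_sample_cert()))
    print(intermediate_is_fetchable(build_sample_cert(with_aia=False)))
```

To run it against a real site, save the leaf with `openssl s_client -connect host:443 </dev/null | openssl x509 -outform DER > leaf.der` and call `aia_urls(open("leaf.der", "rb").read())`. A leaf whose caIssuers list comes back empty cannot be repaired by any client, so that site's chain is genuinely broken rather than a checker false positive. Whatever is fetched from the caIssuers URL (plain HTTP, unauthenticated) is only a candidate: it still has to be verified against the trust store before the chain is accepted.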