On 03/18/2014 08:05 PM, Austin English wrote: > I see that Eitan sent a traffic dump, do you still need one from me?
Nope, sorry about the delay!
I reviewed Eitan's packet dump and it looks like www.live.bbc.co.uk is
the culprit here.
here's the DNS lookup for it for me right now:
www.live.bbc.co.uk. 241 IN CNAME www-live.bbc.net.uk.
www-live.bbc.net.uk. 241 IN A 212.58.244.72
www-live.bbc.net.uk. 241 IN A 212.58.244.73
and indeed, i get a CERTIFICATE REQUEST in the debug log spew when i
make an initial single connection to the server (rather than it
triggering a certiifcate request as part of a re-handshake after a given
path is requested, which is a common HTTPS use case):
gnutls-cli --debug 9999 www.live.bbc.co.uk
So this is what's causing the popup for Austin, i think.
I don't know anyone at the BBC who might be able to explain why their
server is making these requests -- perhaps they have some clients that
need authenticated access?
Does anyone on the list know anyone at the BBC who might be able to
comment on this?
Does HTTPS-Everywhere need to distinguish sites that might automatically
prompt for client-side authentication like this?
is there a concrete bug we need to be addressing here, either in HTTPS-E
or upstream in firefox itself? It's certainly an annoying use case to
have these unintelligible dialogs pop up mid-pageload when they're not
actually useful.
--dkg
signature.asc
Description: OpenPGP digital signature
_______________________________________________ HTTPS-Everywhere mailing list HTTPS-Everywhere@lists.eff.org https://lists.eff.org/mailman/listinfo/https-everywhere
