On 03/18/2014 08:05 PM, Austin English wrote: > I see that Eitan sent a traffic dump, do you still need one from me?
Nope, sorry about the delay! I reviewed Eitan's packet dump and it looks like www.live.bbc.co.uk is the culprit here. here's the DNS lookup for it for me right now: www.live.bbc.co.uk. 241 IN CNAME www-live.bbc.net.uk. www-live.bbc.net.uk. 241 IN A 22.214.171.124 www-live.bbc.net.uk. 241 IN A 126.96.36.199 and indeed, i get a CERTIFICATE REQUEST in the debug log spew when i make an initial single connection to the server (rather than it triggering a certiifcate request as part of a re-handshake after a given path is requested, which is a common HTTPS use case): gnutls-cli --debug 9999 www.live.bbc.co.uk So this is what's causing the popup for Austin, i think. I don't know anyone at the BBC who might be able to explain why their server is making these requests -- perhaps they have some clients that need authenticated access? Does anyone on the list know anyone at the BBC who might be able to comment on this? Does HTTPS-Everywhere need to distinguish sites that might automatically prompt for client-side authentication like this? is there a concrete bug we need to be addressing here, either in HTTPS-E or upstream in firefox itself? It's certainly an annoying use case to have these unintelligible dialogs pop up mid-pageload when they're not actually useful. --dkg
Description: OpenPGP digital signature
_______________________________________________ HTTPS-Everywhere mailing list HTTPS-Everywhere@lists.eff.org https://lists.eff.org/mailman/listinfo/https-everywhere