On 03/18/2014 08:05 PM, Austin English wrote:
> I see that Eitan sent a traffic dump, do you still need one from me?

Nope, sorry about the delay!

I reviewed Eitan's packet dump and it looks like www.live.bbc.co.uk is
the culprit here.

here's the DNS lookup for it for me right now:

www.live.bbc.co.uk.     241     IN      CNAME   www-live.bbc.net.uk.
www-live.bbc.net.uk.    241     IN      A       212.58.244.72
www-live.bbc.net.uk.    241     IN      A       212.58.244.73

and indeed, i get a CERTIFICATE REQUEST in the debug log spew when i
make an initial single connection to the server (rather than it
triggering a certiifcate request as part of a re-handshake after a given
path is requested, which is a common HTTPS use case):

 gnutls-cli --debug 9999 www.live.bbc.co.uk

So this is what's causing the popup for Austin, i think.

I don't know anyone at the BBC who might be able to explain why their
server is making these requests -- perhaps they have some clients that
need authenticated access?

Does anyone on the list know anyone at the BBC who might be able to
comment on this?

Does HTTPS-Everywhere need to distinguish sites that might automatically
prompt for client-side authentication like this?

is there a concrete bug we need to be addressing here, either in HTTPS-E
or upstream in firefox itself?  It's certainly an annoying use case to
have these unintelligible dialogs pop up mid-pageload when they're not
actually useful.

        --dkg

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
HTTPS-Everywhere mailing list
HTTPS-Everywhere@lists.eff.org
https://lists.eff.org/mailman/listinfo/https-everywhere

Reply via email to