On 03/26/2014 11:21 AM, Daniel Kahn Gillmor wrote:

> On 03/18/2014 08:05 PM, Austin English wrote:
>> I see that Eitan sent a traffic dump, do you still need one from me?
>
> Nope, sorry about the delay!
>
> I reviewed Eitan's packet dump and it looks like www.live.bbc.co.uk is
> the culprit here.
>
> here's the DNS lookup for it for me right now:
>
> www.live.bbc.co.uk. 241 IN CNAME www-live.bbc.net.uk.
> www-live.bbc.net.uk. 241 IN A 212.58.244.72
> www-live.bbc.net.uk. 241 IN A 212.58.244.73
>
> and indeed, i get a CERTIFICATE REQUEST in the debug log spew when i
> make an initial single connection to the server (rather than it
> triggering a certificate request as part of a re-handshake after a given
> path is requested, which is a common HTTPS use case):
>
> gnutls-cli --debug 9999 www.live.bbc.co.uk
>
> So this is what's causing the popup for Austin, i think.
>
> I don't know anyone at the BBC who might be able to explain why their
> server is making these requests -- perhaps they have some clients that
> need authenticated access?
>
> Does anyone on the list know anyone at the BBC who might be able to
> comment on this?
Great job tracking down this bug! I've pinged the EFF person most likely to know someone at BBC.

> Does HTTPS-Everywhere need to distinguish sites that might automatically
> prompt for client-side authentication like this?
>
> is there a concrete bug we need to be addressing here, either in HTTPS-E
> or upstream in firefox itself? It's certainly an annoying use case to
> have these unintelligible dialogs pop up mid-pageload when they're not
> actually useful.

I think, if anything, it's something that HTTPS Everywhere should handle, not Firefox. A maybe-reasonable fix is for HTTPS Everywhere to suppress the popup when it gets CERTIFICATE REQUESTs from subresource loads (anything that isn't a top-level page load). The connection should then fall back to SSL without client authentication, although in practice many seem to fall back to plain HTTP. :)

But maybe client side certs are so rarely used outside of company-internal websites (and MIT!) that it doesn't seem worth handling the general case; we can just disable rules by default if they're broken for people who have client certs installed.
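As an added example (not code from this thread or from the HTTPS Everywhere project), here is a small Python parser that walks the server's cleartext TLS 1.2 handshake flight from a packet dump and reports whether a CertificateRequest appears in the initial handshake, the behaviour that gnutls-cli's debug output revealed above. The sample flight, cipher suite and CA names are constructed for illustration.

```python
HANDSHAKE, CERTIFICATE_REQUEST = 22, 13
HS_NAMES = {2: "ServerHello", 11: "Certificate", 13: "CertificateRequest", 14: "ServerHelloDone"}

def iter_tls_records(data):
    # Yield (content_type, payload) for each 5-byte-headed TLS record in the stream.
    off = 0
    while off + 5 <= len(data):
        ctype, length = data[off], int.from_bytes(data[off + 3:off + 5], "big")
        if off + 5 + length > len(data):
            raise ValueError("truncated TLS record")
        yield ctype, data[off + 5:off + 5 + length]
        off += 5 + length

def iter_handshake_messages(records):
    # Reassemble handshake messages: several may share one record or span records.
    buf = b""
    for ctype, body in records:
        if ctype == HANDSHAKE:
            buf += body
        while len(buf) >= 4 and len(buf) >= 4 + int.from_bytes(buf[1:4], "big"):
            hs_len = int.from_bytes(buf[1:4], "big")
            yield buf[0], buf[4:4 + hs_len]
            buf = buf[4 + hs_len:]

def parse_certificate_request(body):
    # TLS 1.2 CertificateRequest: certificate_types, signature_algorithms, CA DNs.
    cert_types, off = list(body[1:1 + body[0]]), 1 + body[0]
    off += 2 + int.from_bytes(body[off:off + 2], "big")      # skip signature_algorithms
    end = off + 2 + int.from_bytes(body[off:off + 2], "big")  # end of certificate_authorities
    off, cas = off + 2, []
    while off + 2 <= end:
        dn_len = int.from_bytes(body[off:off + 2], "big")
        cas.append(body[off + 2:off + 2 + dn_len])
        off += 2 + dn_len
    return cert_types, cas

def inspect_server_flight(server_to_client):
    # Name the cleartext handshake messages and report any CertificateRequest. Only the
    # initial handshake is visible this way: a renegotiation's messages are encrypted.
    result = {"messages": [], "certificate_request": None}
    for hs_type, body in iter_handshake_messages(iter_tls_records(server_to_client)):
        result["messages"].append(HS_NAMES.get(hs_type, f"type{hs_type}"))
        if hs_type == CERTIFICATE_REQUEST:
            cert_types, cas = parse_certificate_request(body)
            result["certificate_request"] = {"cert_types": cert_types, "ca_dns": cas}
    return result

# Constructed sample flight (not a real capture): ServerHello; then Certificate,
# CertificateRequest (rsa_sign=1, ecdsa_sign=64, two placeholder CA names), ServerHelloDone.
def _hs(t, body): return bytes([t]) + len(body).to_bytes(3, "big") + body
def _rec(payload): return b"\x16\x03\x03" + len(payload).to_bytes(2, "big") + payload
CERT_REQ = b"\x02\x01\x40" + b"\x00\x04\x04\x01\x04\x03" + b"\x00\x10\x00\x06ca-one\x00\x06ca-two"
SAMPLE_FLIGHT = (_rec(_hs(2, b"\x03\x03" + bytes(32) + b"\x00\xc0\x2f\x00"))
                 + _rec(_hs(11, b"\x00\x00\x00") + _hs(13, CERT_REQ) + _hs(14, b"")))
```

Feed it the server-to-client bytes of a single connection from the dump; a CertificateRequest reported here was sent in the clear during the initial handshake, exactly the case that triggers Firefox's client-certificate dialog on a plain page load.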
HTTPS-Everywhere mailing list
[email protected]
https://lists.eff.org/mailman/listinfo/https-everywhere
