Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Y! / SSL

Eric S Johnson crates at oneotaslopes.org
Sun Oct 5 23:34:17 PDT 2014


(Of course I meant “HTTPS only,” not “HTTP only.”)

 

I’d love to detect an MITM, but in my experience the chances of there truly being an MITM attack going on are very small.

 

I tried connecting to Y! from a different location (different ISP) here in Shanghai, and the connection (in all 3 browsers) flipped to SSL and connected normally/correctly. I wonder whether Y! was redirecting me (to a bad cert) depending on how/where it saw me connecting from, or maybe they fixed a problem they were having earlier today. TBC

 

From: liberationtech [mailto:liberationtech-bounces at lists.stanford.edu] On Behalf Of Andrew Lewis
Sent: Monday, October 6, 2014 11.59
To: liberationtech
Subject: Re: [liberationtech] Y! / SSL

I am also flipping over to HTTPS, and chrome is reporting that the cert is valid, and upon inspection all looks as it should be. The trust chain goes up to a Versign root cert, so my guess is that is a bad cert you are seeing, and if inside china it might just be a plain old mitm.

 

 

On Oct 5, 2014, at 11:52 PM, Eric S Johnson <crates at oneotaslopes.org <mailto:crates at oneotaslopes.org> > wrote:

I just got back to CN from a vacation. I’m now (in all three main Windows browsers) seeing  <http://yahoo.com/> yahoo.com automatically flip over to HTTPS--and then give a bad cert error. The *root* cert is listed as  <http://yahoo.com/> yahoo.com and is valid “23 Sep 14 to 23 Sep 15.”

 

Is Y! experimenting with making access to their resources always-only-HTTPS? Are they having certificate problems? “HTTP only” seems like a good direction in which to go, but teaching people to accept bad cert warnings seems like a bad direction in which to go.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20141006/fd36d719/attachment.html>


More information about the liberationtech mailing list