#24540 closed defect (worksforme)

Weird site issues with Tor & HTTPSEverywhere

Reported by: mroystonward
Owned by: jsha
Priority: Medium
Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

https://radicallibrarianship.org fails to load in Tor Browser (7.0.10) on OSX (10.11.6).

The error suggested a certificate error (and may need root certificate). I can't quote exact error right now as will be explained below but it looked like Firefox's default insecure site handling page.

The site loads fine in Tor browser on Debian (Stretch), Windows 7, Android (Orfox) and iOS (OR Browser).

After much reading, prodding and a hunch I disabled HTTPSEverywhere in Tor browser (on the OSX machine) and the site loaded fine.

I then re-enabled HTTPSEverywhere and the site continues to operate in Tor browser so I can no longer replicate and provide further details.

I only looked at this due to reports from other site visitors that it was blocked on Tor. The site isn't being blocked but fails to load on OSX. I can't provide specific details as to OSX/Tor versions for other users at present.

Also note that HTTPSEverywhere doesn't have a redirect rule associated with this site and the site is only available via HTTPS so in principle it shouldn't be doing anything?

My experiment suggests a weird interaction between Tor and HTTPSEverywhere on OSX only but I can no longer replicate myself as I appear to have 'fixed' it for myself.

I thought I'd raise it here though as someone else might be able to replicate/investigate further.

Attachments (1)

Screen Shot 2017-12-06 at 22.34.13.png (83.3 KB) - added by mroystonward 21 months ago.
screenshot


Change History (13)

comment:1 Changed 21 months ago by cypherpunks

Status: new → needs_information

It's a certificate error and the site won't work with HTTPS; thus, I don't see what this has to do with HTTPS-E. Can you clarify?

comment:2 Changed 21 months ago by mroystonward

What makes you say it's a certificate error?

We didn't think it actually was a certificate error, especially as there are no errors or warnings in any other context than Tor Browser (with HTTPS Everywhere) on OSX.

Surely Tor Browser on Debian/Windows etc. would also fail to load the page and provide the warning? Surely this would still be blocked by the browser with HTTPS Everywhere disabled?

comment:3 Changed 21 months ago by cypherpunks

It did work for me now, and it DEFINITELY gave a certificate error before when I tried it.

comment:4 Changed 21 months ago by mroystonward

Okay, well thanks for looking. Was that in Tor Browser on OS X as we've seen no issues anywhere else?

comment:5 Changed 21 months ago by cypherpunks

(Not the previous poster)

I got a certificate error on Tor browser on Ubuntu 16.04. Disabling HTTPS Everywhere didn't change anything.

> I only looked at this due to reports from other site visitors that it was blocked on Tor.

Is that on a public space? If so, can you share the link please?

comment:6 Changed 21 months ago by mroystonward

Yes, https://radicallibrarianship.org/

Thanks again for looking, if we're getting errors on Ubuntu our original working theory of Tor/HTTPS Everywhere on OSX is wrong so we'll have to look at the certificates.

Thanks everyone.

comment:7 Changed 21 months ago by cypherpunks

radicallibrarianship.org uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is unknown.
The server might not be sending the appropriate intermediate certificates.
An additional root certificate may need to be imported.
The certificate expired on 09/28/2017 11:19 PM. The current time is 12/06/2017 09:22 PM.

Error code: SEC_ERROR_UNKNOWN_ISSUER

Full error if that helps.

comment:8 Changed 21 months ago by mroystonward

Oooh, thanks again, the certificate I'm seeing doesn't have that expiry (has a valid expiry in January) but this site (https://www.ssllabs.com/ssltest/analyze.html?d=radicallibrarianship.org) suggests another, different website but at the same IP address with our hosts, certificate is also being supplied. We're talking to our hosts now.

Changed 21 months ago by mroystonward

screenshot

comment:9 Changed 21 months ago by mroystonward

Just noticed something else though. In Tor browser the certificate hierarchy isn't available but in Firefox it is??? Screenshot attached. This must be why Tor thinks we need a root certificate. Is this us or Tor???

comment:10 Changed 21 months ago by mroystonward

One more addition to this now.

In Tor Browser with HTTPS Everywhere *enabled* on OSX only the radicallibrarianship.org certificate shows in the certificate viewer.

Same browser, same OS, same machine with HTTPS Everywhere *disabled* - full hierarchy showing in certificate inspector (DST Root > Lets Encrypt > radicallibrarianship.org).

comment:11 Changed 21 months ago by cypherpunks

I can't reproduce the behaviour you are describing when HTTPS Everywhere is disabled.

I still think this is a server config issue where the correct certificate is not consistently served.

comment:12 Changed 18 months ago by cypherpunks

Resolution: worksforme
Status: needs_information → closed
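
One way a site operator could test the theory from comment:11, that the server does not consistently serve the same certificate, is to connect repeatedly and compare the SHA-256 fingerprint of the leaf certificate presented each time. This is an added example, not part of the ticket or of any commenter's post; it connects directly rather than through Tor, and the function names, the attempt count and the optional `expected` fingerprint are assumptions.

```python
import hashlib
import socket
import ssl
import sys
from collections import Counter


def fetch_leaf_der(host, port=443, timeout=10):
    """Return the DER bytes of the leaf certificate the server presents."""
    ctx = ssl.create_default_context()
    # Validation is switched off on purpose: the goal is to read whatever
    # certificate is served, including an expired or mismatched one.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint(der):
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def summarize(fingerprints, expected=None):
    """Group observed leaf fingerprints; more than one means inconsistent serving."""
    counts = Counter(fingerprints)
    attempts = sum(counts.values())
    report = {
        "attempts": attempts,
        "distinct": len(counts),
        "consistent": len(counts) == 1,
        "by_fingerprint": counts.most_common(),
    }
    if expected is not None:
        # Handshakes that returned something other than the operator's own cert.
        report["unexpected"] = attempts - counts[expected]
    return report


def probe(host, attempts=10, expected=None):
    """Handshake `attempts` times and summarize which leaf certificates came back."""
    return summarize((fingerprint(fetch_leaf_der(host)) for _ in range(attempts)), expected)


if __name__ == "__main__":
    print(probe(sys.argv[1]))
```

A result with `distinct` greater than 1 means different handshakes returned different leaf certificates, which points at the server or hosting configuration rather than at the browser or an extension.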