*Wikipedia* is blocked?? (10-13-2016, 10:39 AM EST)

[Jim Witte]

Sorry about the language, but I'm understandably pissed.  FFS, *Wikipedia* of all things is blocked because of some HTTPS configuration error they made ("unusual and incorrect credentials" whatever that means)?  More to the point, demanding security when (sending) data is reasonable.  But accesses to WP rarely ever do this (certainly if you're just *reading*, not editing or logging in)  But I suppose having the articles you read flow unencrypted over the Internet pipes might allow the NSA/CIA/GCHQ/Russians to let you know that you're reading about..  "Butterflies"?  Oh yes, that is certainly indication that you're a terrorist threat and/or criminal.

At least some Google forums right now must be getting a few hundred thousand reports of this "privacy feature"  Time to fire up Firefox.

Jim

[Matthew Menke]

Note that every request includes cookies and any other locally stored site data, which in many cases can let someone impersonate you.  If you were visiting amazon, for instance, they could buy things in your name without you entering any data into a form in that browsing session.

[Mattias Nissler]

It'd be helpful you please elaborate on the exact error you're seeing? Platform? Chrome version?

FWIW, I can load https://www.wikipedia.org/ just fine on Chrome Linux 54.0.2840.59.

--
--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev

[Reilly Grant]

This is what happened: http://www.theregister.co.uk/2016/10/13/globalsigned_off/

[Mike Frysinger]

if that's what the op is referring to, then Chrome is WAI, and changing that behavior is a bad idea.

thanks for the link.

-mike

[Matt Giuca]

If that is the problem then it is indeed working as intended (Chrome's job is to check certificates and warn you if there is a problem, not make value judgements about reading versus editing).

To respond a bit to the specific claims by the original email:

On Fri, 14 Oct 2016 at 01:42 Jim Witte <jim....@gmail.com> wrote:

Sorry about the language, but I'm understandably pissed.  FFS, *Wikipedia* of all things is blocked because of some HTTPS configuration error they made ("unusual and incorrect credentials" whatever that means)?  More to the point, demanding security when (sending) data is reasonable.  But accesses to WP rarely ever do this (certainly if you're just *reading*, not editing or logging in)  But I suppose having the articles you read flow unencrypted over the Internet pipes might allow the NSA/CIA/GCHQ/Russians to let you know that you're reading about..  "Butterflies"?  Oh yes, that is certainly indication that you're a terrorist threat and/or criminal.

When you go to https://en.wikipedia.org/wiki/Butterfly, you *are* sending data to the Wikipedia server, specifically you are sending the path part "/wiki/Butterfly" to the server inside the encrypted tunnel, so that the server knows which page to send to your browser. It is a fundamental principle of the HTTPS protocol that someone watching your traffic should not be able to tell that you visited "/wiki/Butterfly" (even if they can tell which site you are connected to).

It may seem benign if you're reading about butterflies, but in general, it is just as important to stop eavesdroppers from knowing what you're reading about, as it is to stop them from getting your passwords etc. And either way, we (as a browser) have no way of telling the difference between what page you are requesting, and what data you are sending (since personal data can be sent encoded within the URL itself).

It is absolutely correct for a browser to block read access over HTTPS if there is something wrong with the site's SSL certificate.

 

At least some Google forums right now must be getting a few hundred thousand reports of this "privacy feature"  Time to fire up Firefox.

Jim

--