[outages] Twitter: mixed-mode security?

Jeremy Chadwick jdc at koitsu.org
Thu Jul 4 00:00:40 EDT 2013


On Wed, Jul 03, 2013 at 08:34:55PM -0700, Damian Menscher wrote:
> On Wed, Jul 3, 2013 at 8:21 PM, Jay Ashworth <jra at baylink.com> wrote:
> 
> > ----- Original Message -----
> > > From: "Jeremy Chadwick" <jdc at koitsu.org>
> >
> > > I know exactly what you mean when you say "mixed-mode security" (for
> > > readers: accessing a site using HTTPS, but the URLs referenced within
> > > that site (for things like CSS, images, etc.) might use HTTP).
> > >
> > > But what I don't know is where you've seen this. As in a step-by-step
> > > for where you commonly see it. Even if it varies, just make an itemised
> > > list of steps (from the point you hit http://twitter.com/ to wherever
> > > you see the issue) where you commonly see it.
> >
> > Generally, anywhere I go on twitter's site (since it's AJAX now, there
> > really isn't anywhere you "go"), it's https and it's not crossed out,
> > as Chrome does to indicate mixed-mode.
> >
> > As of tonight, I'm getting the "crossed-out https" indicator everywhere,
> > even after a cache purge and a Ctrl-F5 reload.
> 
> 
> This explains the meaning of the crossed-out https indicator:
> https://support.google.com/chrome/answer/95617?p=ui_security_indicator&rd=1

Interesting.  From Jay's description (and my lack of familiarity with
Chrome), I assumed what he was describing was what the above doc
classified as the "warning" indicator ("The site uses SSL but Chrome has
detected insecure content on the page").

The "crossed-out https" thing is defined vaguely/ambiguously (how
convenient), but looks to be focused on either expired or incorrectly
configured certs, or "mysteriously malevolent stuff".  The latter made
me laugh because, hey, let's not be specific at all, nobody needs to
know.....

I've taken a look at the certs I get back (there's 3 involved;
Verisign's primary CA, Verisign's extended validation CA, and the one
for twitter.com) and I don't really see anything wrong with any of them.
I verified the CN/CommonName looks correct (twitter.com), and that the
validity range (e.g. expiry, before/after) are legit.

I can dump them if need be, just let me know.

-- 
| Jeremy Chadwick                                   jdc at koitsu.org |
| UNIX Systems Administrator                http://jdc.koitsu.org/ |
| Making life hard for others since 1977.             PGP 4BD6C0CB |
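As an added illustration of what the thread calls "mixed-mode security" (not code from the thread or from any of its participants): a small static scanner that parses an HTML page served over HTTPS and reports subresources it references over plain http://. It separates "active" content (scripts, stylesheets, frames, which modern browsers block outright) from "passive" content (images and media, which only downgrade the padlock indicator), and it resolves relative and protocol-relative (`//host/path`) references against the page URL so those are not misreported. The sample page and the hostnames in it are constructed for the example. Note the limitation that matters for a site like Twitter's: a static scan only sees markup, so resources pulled in later by script (the AJAX case Jay describes) or via CSS `@import` will not show up here even though the browser would flag them.

```python
"""Static mixed-content scanner: flag subresources an HTTPS page fetches over http://."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose fetched resource can execute or alter the page ("active" mixed content,
# which browsers block) versus tags that only display data ("passive" mixed content,
# which merely downgrades the security indicator). Values are the URL-bearing attribute.
ACTIVE_TAGS = {"script": "src", "iframe": "src", "link": "href",
               "object": "data", "embed": "src"}
PASSIVE_TAGS = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    """Collects (severity, tag, absolute_url) for every http:// subresource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE_TAGS:
            attr, severity = ACTIVE_TAGS[tag], "active"
        elif tag in PASSIVE_TAGS:
            attr, severity = PASSIVE_TAGS[tag], "passive"
        else:
            return
        # <link> only fetches a resource when it is a stylesheet; rel=canonical etc. are
        # plain metadata and are not mixed content.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        ref = attrs.get(attr)
        if not ref:
            return
        # urljoin resolves "/path" and "//host/path" against the https page URL, so
        # only references that are genuinely http:// end up with scheme "http".
        absolute = urljoin(self.page_url, ref)
        if urlsplit(absolute).scheme == "http":
            self.findings.append((severity, tag, absolute))


def scan(page_url, html):
    """Return the list of mixed-content findings for the given page markup."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


def summarize(findings):
    """Count findings by severity; 'active' > 0 means the browser would block something."""
    counts = {"active": 0, "passive": 0}
    for severity, _tag, _url in findings:
        counts[severity] += 1
    return counts


# Constructed sample: an https page referencing a mix of http, https-relative and
# protocol-relative resources. Hostnames are placeholders, not real sites.
SAMPLE_PAGE_URL = "https://example.test/home"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<link rel="canonical" href="http://example.test/">
<script src="//static.example.test/app.js"></script>
<script src="http://static.example.test/legacy.js"></script>
</head><body>
<img src="/img/logo.png">
<img src="http://images.example.test/avatar.png">
</body></html>
"""

if __name__ == "__main__":
    for severity, tag, url in scan(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{severity:7s} <{tag}> {url}")
    print(summarize(scan(SAMPLE_PAGE_URL, SAMPLE_HTML)))
```

On the constructed sample this reports the stylesheet and the second script as active mixed content and the second image as passive; the canonical link, the protocol-relative script and the root-relative image are correctly left alone.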
