Bug: HTTPS session is fragile

When you're logged in using https://, if you click an http:// link, your login session is invalidated.

This isn't just "you have to log in again to use HTTP", but "your HTTPS login session is trashed also". As many links in signatures and the like have http:// hardcoded into them, this is problematic, to say the least. (It would be nice to promote these to https:// when under https anyway, though.)

 

Merely redirecting wouldn't quite suffice; the initial URL request would still be transmitted over HTTP.

 

Can these at least be https when you're already on an https page?

 

Hmm, with my dorm connection I got OCSP error, but with Campus there's no error.

The cert is signed by StartCom Ltd.

 

Almost as well as "Ask your system administrator". As if talking to myself would help...

 

Yeah, confirmed. I got OCSP error on dorm, but no error on campus. Maybe it is a matter of old HTTPS certificate? Hmm, gonna try deleting it and try again.

EDIT: I still got the same error when I delete QQ's old certificate.

 

For me, only the 'Home' button on the top bar and the QQ logo actually seem to use HTTPS, and when I click on those I get the error.
Everywhere else I click I get Forum.Questionablequesting.com

 

*shrugs*
As long as a complete switchover fixes the whole set of problems, I'd be fine with it.
The moment an attempt to improve something makes things worse, I'll become a reactionary trying to bring back the days where everything was insecure, but did what it said it would without you having to make concessions to it.

 

Curious. HTTPS now works on dorm connection, too. Not sure why. The only change I remember is deleting QQ old certificate, but there's no immediate effect for doing that...

 

Different browsers? Or different security settings on the same browser?

Huh. Seems to be working for me now, too. ... I guess 'try again later' really was the solution~

 

Nah, I don't change browser. I do need to login with my Student ID*, but it is otherwise identical.

*well, it is technicallly some other poor smuck's Student ID, not mine. But still!

 

Yyyyeah, I got OCSP error again.

 

TL;DR: Server admins, disable OCSP stapling in the server software. End-users, disable OCSP stapling in your browser. The full explanation goes like this:

OCSP Error Code 3: Try Again Later. The most annoying OCSP error to ever exist.

Some background information: The OCSP protocol is used to check whether or not a certificate has been revoked. This is done in real time - whenever your browser makes a secure connection to a website, it also connects to an OCSP responder server to check the current validity of a certificate. The OCSP server then returns a response (the certificate is/is not valid) or an error code (something went wrong).

These servers are run by the Certificate Authority that issued the certificate. As you can imagine, they get a lot of requests. OCSP servers are notoriously unreliable - they go down all the time just due to the sheer load they have to deal with. tryLater, or "sec_error_ocsp_try_server_later" means that the OCSP server is overloaded and can't be contacted at the moment. This is such a common problem that browsers will ususally just ignore this error.

"OCSP Stapling" was designed to fix this problem. Instead of every user asking the OCSP server if a certificate is valid, the website contacts the OCSP server. Then, it stores the OCSP response in a cache, and presents the (digitally signed) cached response to every client that tries to connect to the website. The OCSP response is "stapled" to the SSL certificate that QQ presents. This reduces the load on the OCSP server massively.

Unfortunately, QQ is not stapling an OCSP response (your certificate is valid/invalid). Instead, QQ is stapling an OCSP error code (try again later). So when QQ asks the OCSP server "Hey, has my certificate been revoked?", the OCSP server's response is "Gah! I'm way too busy right now, ask me again later!" QQ then says "Hmm, okay." and stores that "try again later" error code in its cache. QQ then naively presents the error code to the user as though it were a valid OCSP response. This, naturally, trips up the user's browser and causes an error to appear.

This seems like a bug - either the QQ server shouldn't store and staple an error code, or browsers should ignore the error code if it's stapled to a certificate. Browsers already ignore the "try again later" error code if it's received from the OCSP server directly.

End-user workaround: In Firefox, go to about:config, and temporarily set security.ssl.enable_ocsp_stapling to false. I don't know how to do something similar in other browsers.

Caveat: I think this is how it works, but I may not fully understand the protocol or the situation. I am not a systems/networking engineer. Or any kind of engineer, for that matter.

References:

https://tools.ietf.org/html/rfc6960#section-2.3
https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol
https://en.wikipedia.org/wiki/OCSP_Stapling

 

Seems to be fixed, thanks!

 

Post-server-move, this is no longer true.

Also, the QQ 'Home' links (those pointed out by NuitTombee above) are to a bare IP address.