Comment 74 for bug 24061

Andrew Cooks (acooks) wrote :

The proposed workaround does not work if the connection is still being intercepted and returning invalid responses. It addresses point 2 of comment #70, but not the other four causes.

I suggest that a challenge-response mechanism could help to detect intercepting proxies and provide better feedback to the user. Any feedback on the idea would be appreciated.

When a BADSIG error occurs:
1. Send a random string to a specific Ubuntu Web service.
2. Calculate a hash of the same string.
3. Compare the server response to the calculated hash. If a non-error response is received without the hash occurring anywhere in the response, the connection has been intercepted.
4. If it has been determined that the connection is being intercepted, the user can be alerted of the potential reason for the BADSIG error. If using a GUI tool, the user can be guided to determine if the problem is an authentication issue (by opening a page in a browser) and given the opportunity to cancel the update or confirm the cause of the problem and retry.
5. If the same or a very similar response is received in future, we can discard the response, abort, and optionally remind the user of the previous cause of the problem.
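
The five steps above, written out as an added example that is not part of the original comment and is not apt or Ubuntu code. The SHA-256 choice, the function names, the 0.9 similarity threshold and the in-memory stand-ins for the web service are all assumptions made for illustration.

```python
import difflib
import hashlib
import secrets

def make_challenge():
    """Steps 1-2: random string to send, plus the hash we expect back."""
    nonce = secrets.token_hex(16)
    return nonce, hashlib.sha256(nonce.encode()).hexdigest()

def classify(status, body, expected_hash):
    """Step 3: a non-error response that lacks the hash means interception."""
    if status >= 400:
        return "error"  # inconclusive: service or network failure
    return "genuine" if expected_hash in body else "intercepted"

def is_known_interception(body, remembered, threshold=0.9):
    """Step 5: is this the same, or nearly the same, as an earlier interception?"""
    return any(difflib.SequenceMatcher(None, body, old).ratio() >= threshold
               for old in remembered)

def check_after_badsig(send, remembered):
    """Run the check once. `send(nonce)` is hypothetical and returns (status, body)."""
    nonce, expected = make_challenge()
    status, body = send(nonce)
    verdict = classify(status, body, expected)
    if verdict == "intercepted":
        if is_known_interception(body, remembered):
            return "intercepted-again"  # step 5: abort and remind the user
        remembered.append(body)         # step 4: alert the user, keep the response
    return verdict

# Constructed stand-ins for the network, so the example runs offline.
def honest_service(nonce):
    return 200, hashlib.sha256(nonce.encode()).hexdigest() + "\n"

def captive_portal(nonce):
    return 200, "<html><title>Hotel Wi-Fi</title>Please log in to continue</html>"

def failing_service(nonce):
    return 503, "Service Unavailable"

if __name__ == "__main__":
    seen = []
    for transport in (honest_service, captive_portal, captive_portal, failing_service):
        print(transport.__name__, "->", check_after_badsig(transport, seen))
```

Because the hash is unkeyed, this only distinguishes intermediaries that are unaware of the check, such as captive portals; it does not authenticate the server.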