

posted Wednesday May 31 2017, @06:49AM
from the hiring-an-unpaid-intern-is-hard-work dept.

Bing.com OCSP certificate expires: how pathetic is that?

For over 8 hours now, when trying to access Bing.com, you'll get a warning about their OCSP certificate (message from Firefox):

An error occurred during a connection to www.bing.com. Invalid OCSP signing certificate in OCSP response. Error code: SEC_ERROR_OCSP_INVALID_SIGNING_CERT

How pathetic is that? I mean, companies such as Microsoft are so big; don't tell me they don't have the human & technical knowledge to manage their certificates. Even an intern could write some kind of tool to ensure a warning is sent beforehand!

It's embarrassing that something that simple (cert & domain expiration) is still a frequent problem, and for BIG tech companies too!

Palemoon: Hotmail, Live, Outlook and Bing connection errors, and our security.

Today, our users started seeing connectivity errors when trying to connect to most Microsoft on-line services like Hotmail, Onedrive, Outlook, Microsoft Live, and even the https version of the Bing search engine. The culprit? Misconfigured servers on Microsoft's side, specifically their so-called "stapled OCSP responses".

Now, this gets technical rather quickly, so a quick summary of what this is all about:
[...]
What happened is that servers for the domains mentioned did not use the correct certificate chain to sign their stapled OCSP responses. As a result, connections to the related https servers started to fail. But, notably, only from browsers using NSS (like Pale Moon and Firefox). Chrome didn't complain (more on that later). Edge was apparently also fine, but I haven't looked into why that is, myself.

From a browser's point of view, this should be considered (very) bad, because it looks like some other party (not being the authority that issued the certificate) is trying to tell the browser that a certificate isn't revoked. This party could be an attacker that is trying to use a revoked (mis-issued) certificate, for example.

Now, considering all browsers can be expected to support stapled responses, this highlighted a rather disturbing security issue with mainstream browsers: Apparently, only Pale Moon and Firefox (and rebuilds) are doing the correct thing.

https://forum.palemoon.org/viewtopic.php?f=1&t=15823



  • (Score: -1, Troll) by Anonymous Coward on Wednesday May 31 2017, @07:01AM (5 children)

    by Anonymous Coward on Wednesday May 31 2017, @07:01AM (#518158)

    Bing doesn't require HTTPS. HTTP still works. Shocking, I know, right??

    The top four are Google, Bing, Baidu, and Yahoo. Bing and Baidu still use HTTP.

    HTTPS/SSL/TLS is overrated.

    • (Score: 0, Flamebait) by Anonymous Coward on Wednesday May 31 2017, @07:11AM

      by Anonymous Coward on Wednesday May 31 2017, @07:11AM (#518160)

      Chin€se Micro$oft shill begone.

    • (Score: 2) by Pino P on Wednesday May 31 2017, @01:25PM (3 children)

      by Pino P (4721) on Wednesday May 31 2017, @01:25PM (#518264) Journal

      Without TLS, what prevents an attacker from installing Firesheep [wikipedia.org], copying your session cookie, and then sending spam as you from Outlook or from spending your Bing Rewards?

      • (Score: 0) by Anonymous Coward on Wednesday May 31 2017, @04:45PM (2 children)

        by Anonymous Coward on Wednesday May 31 2017, @04:45PM (#518366)

        Without TLS, what prevents an attacker from installing Firesheep [wikipedia.org], copying your session cookie, and then sending spam as you from Outlook or from spending your Bing Rewards?

        1) I don't use Outlook or any other mailer with that much Windows integration.
        2) I don't allow cookies (except in rare, necessary cases, and even then, maybe not)
        3) I mostly use an older browser (Old Opera) which does not seem to run most of the modern code that includes risky functionality. Even when running Vivaldi I use many blockers and prevent most problematic behavior, ... although I recently discovered that a website can install hidden extensions without the user's knowledge. Very very troubling. Vivaldi is Chromium based. As usual they're adding bells, whistles, and functionality faster than safety.

        ... Recent article about recent ransomware not working on XP machines... sometimes older tech is safer- malware uses all the tricky new APIs...

        • (Score: 2) by tibman on Wednesday May 31 2017, @06:49PM

          by tibman (134) Subscriber Badge on Wednesday May 31 2017, @06:49PM (#518442)

          1) Zero windows required. The issue exists independent of OS.
          2) You probably do allow session cookies. Those are basically one-time passwords. Without https, those session cookies can be "taken" and used to impersonate you.
          3) That older browser that doesn't run "modern code"? It also doesn't run modern security patches. Here is a random link explaining how viewing a GIF can execute code in (old/unpatched) opera: https://tools.cisco.com/security/center/viewAlert.x?alertId=27682 [cisco.com]

          --
          SN won't survive on lurkers alone. Write comments.
        • (Score: 2) by Pino P on Wednesday May 31 2017, @08:43PM

          by Pino P (4721) on Wednesday May 31 2017, @08:43PM (#518503) Journal

          I don't use Outlook or any other mailer with that much Windows integration.

          What Windows integration? I use Outlook.com (formerly Hotmail) in Firefox on Xubuntu.

          I don't allow cookies (except in rare, necessary cases, and even then, maybe not)

          This almost sounds as if you prefer HTTP basic authentication (RFC 7617) to cookies. Without HTTPS, when you authenticate to a website with your username and password, an attacker can sniff them off the wire. In addition, cookies are the only clean way I know of to identify anonymous sessions, such as adding items to a shopping cart without first creating an account with a particular shop. Otherwise, there's no way to distinguish your cart from those of others without putting session IDs in URLs, which leaks the session ID if you share the URL of a product in the shop. If it's your first time on a given shop, would you prefer to have to create an account before adding items to your cart? Or do you consider online shopping itself "rare"?

  • (Score: 2) by bradley13 on Wednesday May 31 2017, @07:15AM (7 children)

    by bradley13 (3053) on Wednesday May 31 2017, @07:15AM (#518162) Homepage Journal

    This is beyond my knowledge - any experts out there who can comment?

    Basically, as I understand it, the Firefox team is claiming that they are the only browser in the world to correctly refuse to connect, if the certificate's attached OCSP (certification that the certificate is not revoked) is incorrectly signed. They filed a bug report against Chrome, since they think Chrome should have done this as well.

    The Chrome team's reply refers to discussions elsewhere, which refer to other discussions elsewhere, and it is never clear to me why they don't consider invalid OCSP signing to be a problem. Can anyone shed light on this?

Edge also has no problem with the bad signatures, but the Firefox folks don't seem to have filed a bug against Edge.

    --
    Everyone is somebody else's weirdo.
    • (Score: 0) by Anonymous Coward on Wednesday May 31 2017, @07:49AM

      by Anonymous Coward on Wednesday May 31 2017, @07:49AM (#518171)

      Relevance vs Irrelevance.

      Security doesn't sell to the mainstream. And anybody who has been paying attention laughs at Mozilla claiming they are concerned with security (their security is sometimes better than their competitors, but they've been bolting crap on without concern for security for 2 decades now, and that is just since they went open source...)

    • (Score: 3, Informative) by rigrig on Wednesday May 31 2017, @09:28AM (3 children)

      by rigrig (5129) <soylentnews@tubul.net> on Wednesday May 31 2017, @09:28AM (#518190) Homepage

Chrome tries to use the stapled OCSP response. If that fails, it falls back to fetching a regular response through the network. (And if that fails, it ignores it)

      - When possible, we take the stapled response and hand it to the appropriate cryptographic library. The underlying OS libraries consistently take OCSP stapled information as a 'cache priming' optimization, but in the presence of an invalid response, will simply choose to not persist the item and go to the network to fetch it.
      - Since we do not treat OCSP failures as hard failures, the failure to fetch a valid response via the network is not a failure
      - Since we do not treat the failure to fetch from the network as a failure, it leads to inconsistent behaviour to treat an invalid response as a failure. Again, the FAQ covers this.

      I think this makes sense: as long as X.509v3 Extension: OCSP Stapling Required [ietf.org] isn't implemented, an attacker would choose to simply not send a stapled OCSP response, in which case the browser would fall-back to fetching it from the network (and soft-failing on failure) anyway.

      --
      No one remembers the singer.
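The two behaviours argued over above, as an added example that is not code from the story, from Mozilla, Pale Moon or Chrome: it builds a throw-away PKI in memory with the `cryptography` package (assumed to be installed; `pip install cryptography`), then applies the RFC 6960 rule for who is allowed to sign an OCSP response. A response is accepted only if it is signed by the CA that issued the certificate, or by a delegated responder whose own certificate was issued by that same CA and carries id-kp-OCSPSigning; a responder certificate hanging off the wrong chain is rejected, which is the failure the story describes. `connection_verdict` then shows why the invalid staple mattered to NSS but not to the soft-fail policy rigrig quotes, and what OCSP Must-Staple changes when the staple is simply omitted. Every name, key and response is constructed for the demo; the error strings are NSS-style names chosen for readability, not values read from any browser, and the "Chrome-style" branch only models the final soft-fail (no network fetch is attempted). Keys are ECDSA throughout to keep the signature checks short.

```python
# Constructed demo PKI: none of the names, keys or responses below come from Microsoft, Mozilla or Pale Moon.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

INVALID_SIGNER = "SEC_ERROR_OCSP_INVALID_SIGNING_CERT"  # the NSS error code quoted in the story
NOW = datetime.datetime.now(datetime.timezone.utc)

def make_cert(cn, key, issuer=None, issuer_key=None, ca=False, ocsp_signing=False, must_staple=False):
    """Issue an ECDSA certificate for `key`; self-signed when no issuer is given (hypothetical helper)."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(issuer.subject if issuer else name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(NOW - datetime.timedelta(minutes=5)).not_valid_after(NOW + datetime.timedelta(days=1))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if ocsp_signing:  # id-kp-OCSPSigning, which a delegated responder must carry (RFC 6960 4.2.2.2)
        b = b.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), critical=False)
    if must_staple:  # RFC 7633 TLS feature extension, better known as OCSP Must-Staple
        b = b.add_extension(x509.TLSFeature([x509.TLSFeatureType.status_request]), critical=False)
    return b.sign(issuer_key or key, hashes.SHA256())

def make_ocsp_response(leaf, issuer, signer_cert, signer_key):
    """DER-encoded 'good' response for `leaf`, signed by `signer_key` and naming `signer_cert`."""
    b = (ocsp.OCSPResponseBuilder()
         .add_response(cert=leaf, issuer=issuer, algorithm=hashes.SHA1(), cert_status=ocsp.OCSPCertStatus.GOOD,
                       this_update=NOW, next_update=NOW + datetime.timedelta(hours=12),
                       revocation_time=None, revocation_reason=None)
         .responder_id(ocsp.OCSPResponderEncoding.NAME, signer_cert))
    if signer_cert is not issuer:  # a delegated responder ships its own certificate inside the response
        b = b.certificates([signer_cert])
    return b.sign(signer_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)

def verify_ocsp_response(der, leaf, issuer):
    """Certificate status name ('GOOD', 'REVOKED', 'UNKNOWN') or an NSS-style error name. ECDSA keys only."""
    resp = ocsp.load_der_ocsp_response(der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS"
    if resp.responder_name == issuer.subject:
        signer = issuer  # the issuing CA signed the response itself
    else:  # delegated responder: must be issued by the *same* CA and be authorised for OCSP signing
        signer = next((c for c in resp.certificates if c.subject == resp.responder_name), None)
        if signer is None or signer.issuer != issuer.subject:
            return INVALID_SIGNER
        try:
            issuer.public_key().verify(signer.signature, signer.tbs_certificate_bytes,
                                       ec.ECDSA(signer.signature_hash_algorithm))
            eku = signer.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        except (InvalidSignature, x509.ExtensionNotFound):
            return INVALID_SIGNER
        if ExtendedKeyUsageOID.OCSP_SIGNING not in eku:
            return INVALID_SIGNER
    try:
        signer.public_key().verify(resp.signature, resp.tbs_response_bytes, ec.ECDSA(resp.signature_hash_algorithm))
    except InvalidSignature:
        return "SEC_ERROR_OCSP_BAD_SIGNATURE"
    if resp.serial_number != leaf.serial_number:  # the response has to be about this very certificate
        return "SEC_ERROR_OCSP_UNKNOWN_CERT"
    return resp.certificate_status.name

def connection_verdict(leaf, issuer, stapled, soft_fail):
    """'connect' or 'fail' for a handshake under the NSS (hard-fail) or Chrome-style (soft-fail) policy."""
    try:
        must_staple = x509.TLSFeatureType.status_request in leaf.extensions.get_extension_for_class(x509.TLSFeature).value
    except x509.ExtensionNotFound:
        must_staple = False
    if stapled is None:  # staple stripped by an attacker or never sent: only Must-Staple makes that fatal
        return "fail" if must_staple else "connect"
    if verify_ocsp_response(stapled, leaf, issuer) == "GOOD":
        return "connect"
    return "connect" if soft_fail else "fail"  # bad staple: NSS refuses, the soft-fail policy carries on

def demo():
    """Constructed scenario: one CA, a Must-Staple leaf, and three differently signed staples."""
    ca_key, other_key, leaf_key, r_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
    ca = make_cert("Demo Root CA", ca_key, ca=True)
    other_ca = make_cert("Unrelated CA", other_key, ca=True)
    leaf = make_cert("www.example.test", leaf_key, ca, ca_key, must_staple=True)
    responder = make_cert("Demo OCSP Responder", r_key, ca, ca_key, ocsp_signing=True)
    wrong_chain = make_cert("Demo OCSP Responder", r_key, other_ca, other_key, ocsp_signing=True)
    staples = {"issuer_signed": make_ocsp_response(leaf, ca, ca, ca_key),
               "delegated": make_ocsp_response(leaf, ca, responder, r_key),
               "wrong_chain": make_ocsp_response(leaf, ca, wrong_chain, r_key)}
    out = {k: verify_ocsp_response(v, leaf, ca) for k, v in staples.items()}
    out["nss_on_wrong_chain"] = connection_verdict(leaf, ca, staples["wrong_chain"], soft_fail=False)
    out["chrome_on_wrong_chain"] = connection_verdict(leaf, ca, staples["wrong_chain"], soft_fail=True)
    out["stripped_staple_must_staple"] = connection_verdict(leaf, ca, None, soft_fail=True)
    return out

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:30s} {verdict}")
```

The "wrong_chain" responder has the same name and key as the legitimate one; only its issuer differs, and that alone is enough for the strict check to reject the staple. The last verdict is the point of the Must-Staple digression: without the TLS feature extension in the leaf, an attacker holding a revoked certificate would just drop the staple and a soft-failing client would connect anyway, so hard-failing on a bad staple while soft-failing on a missing one buys little.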
      • (Score: 0) by Anonymous Coward on Wednesday May 31 2017, @12:31PM (2 children)

        by Anonymous Coward on Wednesday May 31 2017, @12:31PM (#518227)

Chrome tries to use the stapled OCSP response. If that fails, it falls back to fetching a regular response through the network. (And if that fails, it ignores it)

        I don't think it makes sense. Isn't it just returning the page no matter what:

        if(a){
          return(page)
        }else{
          if(b){
            return(page)
          }else{
            return(page)
          }
        }

        • (Score: 2) by LoRdTAW on Wednesday May 31 2017, @12:42PM (1 child)

          by LoRdTAW (3755) on Wednesday May 31 2017, @12:42PM (#518234) Journal

          They simply optimized the hell out of it:
          return(page)

          • (Score: 1, Interesting) by Anonymous Coward on Wednesday May 31 2017, @02:26PM

            by Anonymous Coward on Wednesday May 31 2017, @02:26PM (#518298)

            This makes me wonder how much recent improvements on browser speed benchmarks is due to convoluted ways of making the browser less secure.

    • (Score: 2) by tibman on Wednesday May 31 2017, @07:01PM

      by tibman (134) Subscriber Badge on Wednesday May 31 2017, @07:01PM (#518447)

When it comes to certs, Firefox seems to be the only one that cares. Companies that want to MitM you have an easier time with Chrome and Windows because they can push self-signed certs as root certs to every machine on the domain. Firefox uses its own cert store that is at the user level.

      --
      SN won't survive on lurkers alone. Write comments.
    • (Score: 0) by Anonymous Coward on Thursday June 01 2017, @12:35AM

      by Anonymous Coward on Thursday June 01 2017, @12:35AM (#518601)

      Are all of those American companies? When I first saw this on Yahoo, I thought it was a Yahoo thing, due to their acquisition. With more companies involved, specifically US companies and crypto, my gut said that this is somehow related to a three-letter agency's interference. Would not be at all surprised to find a "second-tier" of security sponsored by three-letter, or for use in data harvesting.

  • (Score: 0) by Anonymous Coward on Wednesday May 31 2017, @07:33AM (7 children)

    by Anonymous Coward on Wednesday May 31 2017, @07:33AM (#518166)

    how pathetic is that?

    Very.

    • (Score: 2) by c0lo on Wednesday May 31 2017, @07:35AM (6 children)

      by c0lo (156) Subscriber Badge on Wednesday May 31 2017, @07:35AM (#518167) Journal

      Fortunately, it wasn't an endless tragedy.
      It seems to work fine now.

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 0) by Anonymous Coward on Wednesday May 31 2017, @07:40AM (5 children)

        by Anonymous Coward on Wednesday May 31 2017, @07:40AM (#518169)

        M$ i$ $hit ha ha ha

        M$ i$ $hit ha ha ha

        M$ i$ $hit ha ha ha

        • (Score: 2) by c0lo on Wednesday May 31 2017, @08:03AM (1 child)

          by c0lo (156) Subscriber Badge on Wednesday May 31 2017, @08:03AM (#518175) Journal

          M$ i$ $hit ha ha ha

          M$ i$ $hit ha ha ha

          M$ i$ $hit ha ha ha

          Now, that's what I call an endless tragedy. But one learns to live with it.
          (grow up, will ye?)

          --
          https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
          • (Score: 0) by Anonymous Coward on Wednesday May 31 2017, @08:32AM

            by Anonymous Coward on Wednesday May 31 2017, @08:32AM (#518182)

            I don't wanna grow up, I'm a Trolls "R" Us kid
            There are a million sites on the web where I can post shit
            I don't wanna grow up, cause maybe if I did
            I couldn't be a Trolls "R" Us kid

        • (Score: 2) by kaszz on Wednesday May 31 2017, @09:36AM

          by kaszz (4211) on Wednesday May 31 2017, @09:36AM (#518192) Journal

          Once I got an hot-mail into my Out-look inbox which didn't look out for bad code and so Bing! it all got p0wn3d to prove there really was no security not in the browser and certainly nowhere else, just profits for someone else.

          Microsoft can't get their certificates right hohohohohohohohohohohohoho :p

          Is this one of those errors "Press F1 if you forgot the password to login anyway" ? ;)
          Systems are supposed to be user friendly right?

        • (Score: 1, Funny) by Anonymous Coward on Wednesday May 31 2017, @10:39AM (1 child)

          by Anonymous Coward on Wednesday May 31 2017, @10:39AM (#518203)

          Please don't intermix Microsoft BASIC string variables and PHP variables. It hurts the eyes.

  • (Score: 2) by KritonK on Wednesday May 31 2017, @07:49AM (8 children)

    by KritonK (465) on Wednesday May 31 2017, @07:49AM (#518170)

    I always trust Microsoft's SSL certificates. After all, they are signed by, um... Microsoft?!?!?

    Seriously, until I read this, I wasn't aware that there was a problem with Microsoft's sites, even though I am a Firefox user. Do people actually visit these sites?

    At least, they seem to have fixed the problem.

    • (Score: 3, Insightful) by c0lo on Wednesday May 31 2017, @08:01AM (7 children)

      by c0lo (156) Subscriber Badge on Wednesday May 31 2017, @08:01AM (#518174) Journal

      I wasn't aware that there was a problem with Microsoft's sites... Do people actually visit these sites?

      Job requirements, so yes.

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 2) by MostCynical on Wednesday May 31 2017, @08:55AM (6 children)

        by MostCynical (2589) on Wednesday May 31 2017, @08:55AM (#518185) Journal

        Your work requires you to use hotmail!?

        --
        "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
        • (Score: 2) by kaszz on Wednesday May 31 2017, @09:32AM (2 children)

          by kaszz (4211) on Wednesday May 31 2017, @09:32AM (#518191) Journal

          Outlook can probably be a job requirement. Bing maybe.

          • (Score: 2) by MostCynical on Wednesday May 31 2017, @10:00AM (1 child)

            by MostCynical (2589) on Wednesday May 31 2017, @10:00AM (#518195) Journal

            Okay, I was being facetious, but having to use Outlook365 may be worse.

            --
            "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
            • (Score: 2) by Gaaark on Wednesday May 31 2017, @10:11AM

              by Gaaark (41) on Wednesday May 31 2017, @10:11AM (#518197) Journal

              It is worse.

              --
              --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
        • (Score: 2) by c0lo on Wednesday May 31 2017, @10:29AM (2 children)

          by c0lo (156) Subscriber Badge on Wednesday May 31 2017, @10:29AM (#518201) Journal

          office365. In the same bucket.

          --
          https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
          • (Score: 3, Funny) by MostCynical on Wednesday May 31 2017, @12:09PM (1 child)

            by MostCynical (2589) on Wednesday May 31 2017, @12:09PM (#518219) Journal

            why keep your company secrets within the company, when you can put them on googledocs or Office365!

            oh, then there is this story:
            "Macquarie Uni shifts from Gmail to Office 365 over privacy concerns ...
            Macquarie University will move its staff email accounts from Gmail to Office 365 over concerns about data sovereignty after Google moved the organisation's data into the US. The university's CIO Mary Davies told staff yesterday that the institution had been forced to look for an alternative..."
            http://www.itnews.com.au/news/macquarie-uni-shifts-from-gmail-to-office-365-over-privacy-concerns-409783 [itnews.com.au]

            frying pan/fire...

            --
            "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
            • (Score: 2) by c0lo on Wednesday May 31 2017, @03:40PM

              by c0lo (156) Subscriber Badge on Wednesday May 31 2017, @03:40PM (#518336) Journal

              frying pan/fire...

              Well, the parent company is already USian, so perhaps it doesn't make any difference to them, melting pot and all that (grin)

              --
              https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
  • (Score: 0) by Anonymous Coward on Wednesday May 31 2017, @01:10PM

    by Anonymous Coward on Wednesday May 31 2017, @01:10PM (#518253)

    Did anybody actually think that only pertained to *WINDOWS*-build testers? Rail whatever strapped together crap you have right into production, testing is for sissies anyway!

  • (Score: 1, Insightful) by Anonymous Coward on Wednesday May 31 2017, @02:13PM (2 children)

    by Anonymous Coward on Wednesday May 31 2017, @02:13PM (#518289)

    It's embarrassing that something that simple (cert & domain expiration) is still a frequent problem, and for BIG tech companies too!

    The problem is that it's not really simple. X.509 is completely ridiculous and almost nobody can get it right all the time. Then browsers dial any kind of certificate error up to 11 and make the problems worse.

    When things go wrong you get "scary" warnings from the browsers. This itself is a problem, because almost every browser certificate warning is a false alarm (they show up when you are not actually being attacked). All the bad guys now configure their SSL correctly and have valid certificates anyway.

    When almost every warning is a false alarm they are not helpful, quite the opposite. The simplest solution is that browsers should silently continue in the face of certificate errors. Indicate that the page is not fully authenticated on the UI (for example, browsers could show it the same as they do "regular" HTTP connections, with no lock icon or whatever).

    • (Score: 2) by bzipitidoo on Wednesday May 31 2017, @03:27PM

      by bzipitidoo (4388) on Wednesday May 31 2017, @03:27PM (#518326) Journal

      Yes! And, the whole idea of abruptly making a certificate invalid after a certain date is stupidly crude. Where is the graceful degradation of service?

      Further, there is security fatigue. The policy of changing passwords every 30 days or 6 months, or some other short period of time, just in case, is a classic cause of security fatigue. Any security measure that requires effort has to be weighed against the threat it guards against, as well as the reductions in security it could cause.

      A big reason to even use a fixed time period is if the security is weak enough that it can be broken by brute force in that period of time. But it is so easy to add a few more bits to the keys, and extend the time it takes to crack it with brute force by a factor of 1000 or more. Just like that, a 1 month window of safety can be extended to 100 years. If worried that Moore's Law could reduce that century to a decade, a few more bits will fix that.

      I ran into this problem a couple of days ago. Had to use Hotmail, and Firefox threw up a security roadblock. I don't need that crap. If the cert was valid yesterday, and absent the occurrence of a known security breach yesterday, the odds are overwhelmingly in favor of it being valid today. So, I just used Chrome.

    • (Score: 2) by wonkey_monkey on Wednesday May 31 2017, @03:29PM

      by wonkey_monkey (279) on Wednesday May 31 2017, @03:29PM (#518328) Homepage

      For a while I was getting errors because I dared to type hotmail.com instead of www.hotmail.com. No idea whose fault that was.

      --
      systemd is Roko's Basilisk
  • (Score: 0) by Anonymous Coward on Wednesday May 31 2017, @04:13PM (1 child)

    by Anonymous Coward on Wednesday May 31 2017, @04:13PM (#518350)

Yes, it is stupid that someone at MS did not calendar maintenance.

But the browser actions are worse. I daily have to keep going to "bad" sites because browsers report all self-signed keys as bad. Yup, that includes all printers on your local network, and (private) firewalls. I am surprised that they do not work as well as ssh: warn once AND REMEMBER what action to take. Instead, 4 to 6 more clicks and looking for the special "hidden" option to go on. Really, guys?!

    • (Score: 0) by Anonymous Coward on Wednesday May 31 2017, @05:04PM

      by Anonymous Coward on Wednesday May 31 2017, @05:04PM (#518377)

      Firefox's shrill hissy fit over seeing self-signed certificates is indeed certifiable.

      Try Skip Cert Error [mozilla.org] for saner behavior, though it's still recommended to keep notifications active so you know that "something was unusual" with the certificate.

      Since HTTPS is effectively broken as governments can demand valid signed keys from Certificate Authorities, actual solutions to the problem are mentioned at youbroketheinternet.org - many of the solutions are still being developed.

  • (Score: 2) by DannyB on Wednesday May 31 2017, @04:44PM (1 child)

    by DannyB (5839) Subscriber Badge on Wednesday May 31 2017, @04:44PM (#518364) Journal

    There was a story once where the Microsoft.com domain name expired, and some kind soul purchased it and turned it over to Microsoft. It was a long time ago. I cannot find anything about this on Google or Duck Duck Go.

    A bit unrelated, but I was surprised that SSLLabs [ssllabs.com] only gives bing.com an A. But soylentnews.org an A+. It takes some learning to configure a site to get an A, let alone an A+.

    --
    What doesn't kill me makes me weaker for next time.
  • (Score: 1, Insightful) by Anonymous Coward on Wednesday May 31 2017, @04:50PM

    by Anonymous Coward on Wednesday May 31 2017, @04:50PM (#518367)

    Using Bing, Hotmail, Live, Outlook, etc., seems a bit pathetic, so,...

  • (Score: 2) by jmorris on Wednesday May 31 2017, @07:03PM

    by jmorris (4844) on Wednesday May 31 2017, @07:03PM (#518450)

    Microsoft is stupid for not having a system in place to handle routine expiration of dated certs.

    Firefox is also stupid for throwing a warning over some bullcrap 'stapling' thing that few use in this case. It should be caching server certs and keys and if it is seeing the same cert it has seen for months/years and it, or some related stapled 'extra super secret crypto' attached, expires it should at worst throw a minor non scary warning and make continue the default and recommended choice.

    Yea, I see all that stapling crap in Apache's config. I leave it all carefully commented out. Why? Every extra layer of crypto crap you add beyond that needed to get browsers to stop bitching is another thing that can go wrong and thus makes a site less reliable. As Microsoft just discovered.

    Mozilla should do the same for self signed certs. The first time you visit one it should simply say "This site did not buy a certificate from a signing authority so we can't verify that the entity displayed is actually the one who sent you this page. If your connection RIGHT NOW isn't compromised it is perfectly safe to click "remember and continue on" and you will only receive future warnings if it changes." Because that is the bottom line, all this elaborate certificate infrastructure does is make that first connection a little more reliable.

  • (Score: 0) by Anonymous Coward on Thursday June 01 2017, @05:13AM

    by Anonymous Coward on Thursday June 01 2017, @05:13AM (#518708)

    No sense spending any resources there...
