SoylentNews is people

posted by on Wednesday May 31 2017, @06:49AM
from the hiring-an-unpaid-intern-is-hard-work dept.

Bing.com OCSP certificate expires: how pathetic is that?

For over 8 hours now, when trying to access Bing.com, you'll get a warning about their OCSP certificate (message from Firefox):

An error occurred during a connection to www.bing.com. Invalid OCSP signing certificate in OCSP response. Error code: SEC_ERROR_OCSP_INVALID_SIGNING_CERT

How pathetic is that? I mean, companies such as Microsoft are so big; don't tell me they don't have the human & technical knowledge to manage their certificates. Even an intern could write some kind of tool to ensure a warning is sent beforehand!

It's embarrassing that something that simple (cert & domain expiration) is still a frequent problem, and for BIG tech companies too!

Palemoon: Hotmail, Live, Outlook and Bing connection errors, and our security.

Today, our users started seeing connectivity errors when trying to connect to most Microsoft on-line services like Hotmail, Onedrive, Outlook, Microsoft Live, and even the https version of the Bing search engine. The culprit? Misconfigured servers on Microsoft's side, specifically their so-called "stapled OCSP responses".

Now, this gets technical rather quickly, so a quick summary of what this is all about:
[...]
What happened is that servers for the domains mentioned did not use the correct certificate chain to sign their stapled OCSP responses. As a result, connections to the related https servers started to fail. But, notably, only from browsers using NSS (like Pale Moon and Firefox). Chrome didn't complain (more on that later). Edge was apparently also fine, but I haven't looked into why that is, myself.

From a browser's point of view, this should be considered (very) bad, because it looks like some other party (not being the authority that issued the certificate) is trying to tell the browser that a certificate isn't revoked. This party could be an attacker that is trying to use a revoked (mis-issued) certificate, for example.

Now, considering all browsers can be expected to support stapled responses, this highlighted a rather disturbing security issue with mainstream browsers: Apparently, only Pale Moon and Firefox (and rebuilds) are doing the correct thing.

https://forum.palemoon.org/viewtopic.php?f=1&t=15823
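The signer rule the Pale Moon post is describing, worked through as an added example (this is not code from Pale Moon, Firefox, NSS or Microsoft; it uses the `cryptography` package). It generates a CA, a leaf certificate and several candidate responder certificates in-process, staples a "good" OCSP response signed by each, and applies the RFC 6960 section 4.2.2.2 rule: the response is accepted only if it was signed by the issuing CA itself or by a certificate that CA issued with the id-kp-OCSPSigning extended key usage. Names such as `Test CA` and `www.example.test` are constructed; the fixed clock and the by-name responder lookup are simplifications of what a browser does (NSS also handles responders identified by key hash, and checks validity against real time).

```python
"""Check who signed an OCSP response, per RFC 6960 section 4.2.2.2.
Added example (not code from the page or from any product named on it);
requires the `cryptography` package. Every key and certificate below is
generated in-process, so the script runs offline and touches no real CA."""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

NOW = datetime.datetime(2017, 5, 31, 6, 49)  # fixed clock: reproducible validity windows


def make_cert(cn, key, issuer=None, issuer_key=None, ocsp_signing=False):
    """Issue a minimal test certificate; a self-signed CA when `issuer` is None."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    b = (x509.CertificateBuilder()
         .subject_name(name)
         .issuer_name(issuer.subject if issuer else name)
         .public_key(key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(NOW - datetime.timedelta(days=1))
         .not_valid_after(NOW + datetime.timedelta(days=365)))
    if issuer is None:
        b = b.add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
    if ocsp_signing:  # id-kp-OCSPSigning marks a delegated OCSP responder
        b = b.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), critical=False)
    return b.sign(issuer_key or key, hashes.SHA256())


def build_good_response(cert, issuer, signer, signer_key):
    """DER-encode a 'good' OCSP response for `cert`, signed by `signer`, as a server would staple it."""
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(cert=cert, issuer=issuer, algorithm=hashes.SHA256(),
                          cert_status=ocsp.OCSPCertStatus.GOOD,
                          this_update=NOW, next_update=NOW + datetime.timedelta(days=7),
                          revocation_time=None, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.NAME, signer)
            .certificates([signer])  # servers ship the responder cert alongside the response
            .sign(signer_key, hashes.SHA256()))
    return resp.public_bytes(serialization.Encoding.DER)


def check_stapled_response(der, cert, issuer):
    """Return (accepted, reason). The signer must be the issuing CA itself, or a
    certificate issued by that CA that carries id-kp-OCSPSigning; anything else
    is the 'invalid OCSP signing certificate' case the page describes."""
    resp = ocsp.load_der_ocsp_response(der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False, "response status not successful"
    if resp.serial_number != cert.serial_number:
        return False, "response is for a different certificate"
    # The signer is identified by name; look among the CA and the certs carried in the response.
    signer = next((c for c in [issuer, *resp.certificates] if c.subject == resp.responder_name), None)
    if signer is None:
        return False, "signer certificate not present"
    try:
        signer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                   ec.ECDSA(resp.signature_hash_algorithm))
    except InvalidSignature:
        return False, "response signature does not verify"
    if signer == issuer:
        return True, "signed directly by the issuing CA"
    # Delegated responder: must be issued directly by the CA and be marked for OCSP signing.
    if signer.issuer != issuer.subject:
        return False, "signer was not issued by the certificate's CA (wrong chain)"
    try:
        issuer.public_key().verify(signer.signature, signer.tbs_certificate_bytes,
                                   ec.ECDSA(signer.signature_hash_algorithm))
    except InvalidSignature:
        return False, "responder certificate signature does not verify"
    try:
        eku = signer.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False, "responder certificate has no extendedKeyUsage"
    if ExtendedKeyUsageOID.OCSP_SIGNING not in eku:
        return False, "responder certificate lacks id-kp-OCSPSigning"
    return True, "signed by a delegated responder of the issuing CA"


def demo():
    """Staple four responses for the same leaf; returns {scenario: accepted}."""
    ca_key, leaf_key, resp_key, plain_key, rogue_key, wc_key = (
        ec.generate_private_key(ec.SECP256R1()) for _ in range(6))
    ca = make_cert("Test CA", ca_key)                                    # constructed names
    leaf = make_cert("www.example.test", leaf_key, ca, ca_key)
    responder = make_cert("Test CA OCSP Responder", resp_key, ca, ca_key, ocsp_signing=True)
    plain = make_cert("Plain End Entity", plain_key, ca, ca_key)         # same CA, no OCSP EKU
    other_ca = make_cert("Unrelated CA", rogue_key)
    wrong_chain = make_cert("Responder Of Wrong CA", wc_key, other_ca, rogue_key, ocsp_signing=True)
    cases = {
        "issuer signs": (ca, ca_key),
        "delegated responder": (responder, resp_key),
        "same CA, no OCSP EKU": (plain, plain_key),
        "responder from wrong chain": (wrong_chain, wc_key),
    }
    return {name: check_stapled_response(build_good_response(leaf, ca, s, k), leaf, ca)[0]
            for name, (s, k) in cases.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'ACCEPT' if ok else 'REJECT'}  {name}")
```

The last two scenarios are the ones a server operator should test for before rotating intermediates or responder certificates: a response that is perfectly well-formed and correctly signed is still rejected by a client that applies the rule, because the signing certificate does not chain to the CA that issued the server certificate.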


  • (Score: -1, Troll) by Anonymous Coward on Wednesday May 31 2017, @07:01AM (5 children)

    by Anonymous Coward on Wednesday May 31 2017, @07:01AM (#518158)

    Bing doesn't require HTTPS. HTTP still works. Shocking, I know, right??

    The top four are Google, Bing, Baidu, and Yahoo. Bing and Baidu still use HTTP.

    HTTPS/SSL/TLS is overrated.

  • (Score: 0, Flamebait) by Anonymous Coward on Wednesday May 31 2017, @07:11AM

    by Anonymous Coward on Wednesday May 31 2017, @07:11AM (#518160)

    Chin€se Micro$oft shill begone.

  • (Score: 2) by Pino P on Wednesday May 31 2017, @01:25PM (3 children)

    by Pino P (4721) on Wednesday May 31 2017, @01:25PM (#518264) Journal

    Without TLS, what prevents an attacker from installing Firesheep [wikipedia.org], copying your session cookie, and then sending spam as you from Outlook or from spending your Bing Rewards?

    • (Score: 0) by Anonymous Coward on Wednesday May 31 2017, @04:45PM (2 children)

      by Anonymous Coward on Wednesday May 31 2017, @04:45PM (#518366)

      Without TLS, what prevents an attacker from installing Firesheep [wikipedia.org], copying your session cookie, and then sending spam as you from Outlook or from spending your Bing Rewards?

      1) I don't use Outlook or any other mailer with that much Windows integration.
      2) I don't allow cookies (except in rare, necessary cases, and even then, maybe not)
      3) I mostly use an older browser (Old Opera) which does not seem to run most of the modern code that includes risky functionality. Even when running Vivaldi I use many blockers and prevent most problematic behavior, ... although I recently discovered that a website can install hidden extensions without the user's knowledge. Very very troubling. Vivaldi is Chromium based. As usual they're adding bells, whistles, and functionality faster than safety.

      ... Recent article about recent ransomware not working on XP machines... sometimes older tech is safer- malware uses all the tricky new APIs...

      • (Score: 2) by tibman on Wednesday May 31 2017, @06:49PM

        by tibman (134) Subscriber Badge on Wednesday May 31 2017, @06:49PM (#518442)

        1) Zero windows required. The issue exists independent of OS.
        2) You probably do allow session cookies. Those are basically one-time passwords. Without https, those session cookies can be "taken" and used to impersonate you.
        3) That older browser that doesn't run "modern code"? It also doesn't run modern security patches. Here is a random link explaining how viewing a GIF can execute code in (old/unpatched) Opera: https://tools.cisco.com/security/center/viewAlert.x?alertId=27682 [cisco.com]

        --
        SN won't survive on lurkers alone. Write comments.
      • (Score: 2) by Pino P on Wednesday May 31 2017, @08:43PM

        by Pino P (4721) on Wednesday May 31 2017, @08:43PM (#518503) Journal

        I don't use Outlook or any other mailer with that much Windows integration.

        What Windows integration? I use Outlook.com (formerly Hotmail) in Firefox on Xubuntu.

        I don't allow cookies (except in rare, necessary cases, and even then, maybe not)

        This almost sounds as if you prefer HTTP basic authentication (RFC 7617) to cookies. Without HTTPS, when you authenticate to a website with your username and password, an attacker can sniff them off the wire. In addition, cookies are the only clean way I know of to identify anonymous sessions, such as adding items to a shopping cart without first creating an account with a particular shop. Otherwise, there's no way to distinguish your cart from those of others without putting session IDs in URLs, which leaks the session ID if you share the URL of a product in the shop. If it's your first time on a given shop, would you prefer to have to create an account before adding items to your cart? Or do you consider online shopping itself "rare"?
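The mitigation behind tibman's and Pino P's points (a session cookie is a bearer credential, so it must never travel over plain HTTP) comes down to the attributes a site puts on `Set-Cookie`. Below is an added example, not code from this thread or from any site it mentions: a small auditor that parses `Set-Cookie` headers and flags session cookies that a browser would also send over `http://` (no `Secure`), expose to page scripts (no `HttpOnly`), attach to cross-site requests (no `SameSite`), or that misuse the `__Host-`/`__Secure-` name prefixes. The header lines and the `SESSION_HINTS` heuristic are constructed for the example.

```python
"""Audit Set-Cookie headers for session cookies that could leak over plain HTTP.
Added example; the sample headers below are constructed, not captured from any site."""

# Constructed heuristic: cookie names that usually carry a session or login credential.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {lowercased attribute: value or None})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else None  # flag attrs such as Secure -> None
    return name.strip(), value, attrs


def is_session_cookie(name):
    """True when the cookie name looks like it carries a session or auth credential."""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit_set_cookie(header):
    """Return a list of findings for one Set-Cookie header; an empty list means it passes."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    session = is_session_cookie(name)
    if "secure" not in attrs:
        findings.append("missing Secure: a browser will send this cookie over plain http:// too")
    if session and "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by any script running on the page")
    if session and "samesite" not in attrs:
        findings.append("missing SameSite: attached to cross-site requests by default")
    # Name prefixes (RFC 6265bis): the browser rejects the cookie if the rules are not met.
    if name.startswith("__Host-"):
        if "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs:
            findings.append("__Host- prefix requires Secure, Path=/ and no Domain attribute")
    elif name.startswith("__Secure-") and "secure" not in attrs:
        findings.append("__Secure- prefix requires the Secure attribute")
    return findings


# Constructed sample headers, from a plaintext-capable session cookie to a hardened one.
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/",
    "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "__Host-sid=xyz; Path=/; Secure; HttpOnly; SameSite=Strict",
    "__Host-sid=xyz; Path=/; Domain=example.test; Secure; HttpOnly; SameSite=Strict",
    "theme=dark; Path=/",
]


def audit_all(headers):
    """Map each header to its findings so a response's whole Set-Cookie list can be reviewed at once."""
    return {h: audit_set_cookie(h) for h in headers}


if __name__ == "__main__":
    for header, findings in audit_all(SAMPLE_HEADERS).items():
        print(header)
        for f in findings or ["ok"]:
            print("   ", f)
```

The `Secure` attribute is the one that answers the "HTTP still works" argument directly: a cookie set without it is sent on every `http://` request to that host, so an HTTPS login followed by a single plaintext page load hands the session to whoever is on the same network.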