
posted by on Wednesday May 31 2017, @06:49AM
from the hiring-an-unpaid-intern-is-hard-work dept.

Bing.com OCSP certificate expires: how pathetic is that?

For over 8 hours now, when trying to access Bing.com, you'll get a warning about their OCSP certificate (message from Firefox):

An error occurred during a connection to www.bing.com. Invalid OCSP signing certificate in OCSP response. Error code: SEC_ERROR_OCSP_INVALID_SIGNING_CERT

How pathetic is that? I mean, companies such as Microsoft are so big; don't tell me they don't have the human & technical knowledge to manage their certificates. Even an intern could write some kind of tool to ensure a warning is sent beforehand!

It's embarrassing that something that simple (cert & domain expiration) is still a frequent problem, and for BIG tech companies too!

Palemoon: Hotmail, Live, Outlook and Bing connection errors, and our security.

Today, our users started seeing connectivity errors when trying to connect to most Microsoft on-line services like Hotmail, Onedrive, Outlook, Microsoft Live, and even the https version of the Bing search engine. The culprit? Misconfigured servers on Microsoft's side, specifically their so-called "stapled OCSP responses".

Now, this gets technical rather quickly, so a quick summary of what this is all about:
[...]
What happened is that servers for the domains mentioned did not use the correct certificate chain to sign their stapled OCSP responses. As a result, connections to the related https servers started to fail. But, notably, only from browsers using NSS (like Pale Moon and Firefox). Chrome didn't complain (more on that later). Edge was apparently also fine, but I haven't looked into why that is, myself.

From a browser's point of view, this should be considered (very) bad, because it looks like some other party (not being the authority that issued the certificate) is trying to tell the browser that a certificate isn't revoked. This party could be an attacker that is trying to use a revoked (mis-issued) certificate, for example.

Now, considering all browsers can be expected to support stapled responses, this highlighted a rather disturbing security issue with mainstream browsers: Apparently, only Pale Moon and Firefox (and rebuilds) are doing the correct thing.

https://forum.palemoon.org/viewtopic.php?f=1&t=15823
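As an added illustration of the check NSS is applying in the error above (example code written for this page, not Pale Moon's, Firefox's or Microsoft's code), the Go program below builds a throwaway test PKI with the standard library and applies the RFC 6960 section 4.2.2.2 responder rule to the certificate that signed a stapled response: only the issuing CA itself, or a certificate that CA issued carrying the OCSP Signing extended key usage, is accepted, so a signer from any other certificate chain is rejected exactly as the story describes. All names (Example Issuing CA, Example OCSP Signer, www.example.test) are constructed, and the RFC's third option, a locally configured trusted responder, is not modelled.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a certificate in a constructed test PKI; parent == nil yields a self-signed CA.
func newCert(cn string, eku []x509.ExtKeyUsage, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotAfter: time.Now().Add(24 * time.Hour), ExtKeyUsage: eku, BasicConstraintsValid: true, IsCA: parent == nil,
	}
	if parent == nil {
		parent, pkey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// responderAuthorized applies the RFC 6960 section 4.2.2.2 rule NSS enforces on a stapled response's signer.
func responderAuthorized(issuer, responder *x509.Certificate) bool {
	if responder.Equal(issuer) {
		return true // the issuing CA signed the response itself
	}
	// Otherwise it must chain straight to that CA with the OCSP Signing EKU; any other chain, as in the story, fails.
	roots := x509.NewCertPool()
	roots.AddCert(issuer)
	chains, err := responder.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}})
	return err == nil && len(chains[0]) == 2 // exactly responder -> issuing CA, no intermediates
}

func scenarios() map[string]bool {
	ocspEKU := []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}
	ca, caKey := newCert("Example Issuing CA", nil, nil, nil)
	delegated, _ := newCert("Example OCSP Signer", ocspEKU, ca, caKey)
	rogue, _ := newCert("Self-signed OCSP Signer", ocspEKU, nil, nil)
	return map[string]bool{
		"delegated responder signs": responderAuthorized(ca, delegated),
		"signer from another chain": responderAuthorized(ca, rogue),
	}
}
```

scenarios() is meant to be called from a test or a main: on this PKI it returns true for the delegated signer and false for the self-signed one, and a server certificate issued by the same CA but lacking the OCSP Signing EKU is rejected the same way.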


  • (Score: 2) by bradley13 on Wednesday May 31 2017, @07:15AM (7 children)

    by bradley13 (3053) on Wednesday May 31 2017, @07:15AM (#518162) Homepage Journal

    This is beyond my knowledge - any experts out there who can comment?

    Basically, as I understand it, the Firefox team is claiming that they are the only browser in the world to correctly refuse to connect, if the certificate's attached OCSP (certification that the certificate is not revoked) is incorrectly signed. They filed a bug report against Chrome, since they think Chrome should have done this as well.

    The Chrome team's reply refers to discussions elsewhere, which refer to other discussions elsewhere, and it is never clear to me why they don't consider invalid OCSP signing to be a problem. Can anyone shed light on this?

    Edge also has no problem with the bad signatures, but the Firefox folks don't seem to have filed a bug against Edge.

    --
    Everyone is somebody else's weirdo.
  • (Score: 0) by Anonymous Coward on Wednesday May 31 2017, @07:49AM

    by Anonymous Coward on Wednesday May 31 2017, @07:49AM (#518171)

    Relevance vs Irrelevance.

    Security doesn't sell to the mainstream. And anybody who has been paying attention laughs at Mozilla claiming they are concerned with security (their security is sometimes better than their competitors, but they've been bolting crap on without concern for security for 2 decades now, and that is just since they went open source...)

  • (Score: 3, Informative) by rigrig on Wednesday May 31 2017, @09:28AM (3 children)

    by rigrig (5129) <soylentnews@tubul.net> on Wednesday May 31 2017, @09:28AM (#518190) Homepage

    Chrome tries to use the stapled OCSP response. If that fails, it falls back to fetching a regular response through the network. (And if that fails, it ignores it)

    - When possible, we take the stapled response and hand it to the appropriate cryptographic library. The underlying OS libraries consistently take OCSP stapled information as a 'cache priming' optimization, but in the presence of an invalid response, will simply choose to not persist the item and go to the network to fetch it.
    - Since we do not treat OCSP failures as hard failures, the failure to fetch a valid response via the network is not a failure
    - Since we do not treat the failure to fetch from the network as a failure, it leads to inconsistent behaviour to treat an invalid response as a failure. Again, the FAQ covers this.

    I think this makes sense: as long as X.509v3 Extension: OCSP Stapling Required [ietf.org] isn't implemented, an attacker would choose to simply not send a stapled OCSP response, in which case the browser would fall back to fetching it from the network (and soft-failing on failure) anyway.

    --
    No one remembers the singer.
    • (Score: 0) by Anonymous Coward on Wednesday May 31 2017, @12:31PM (2 children)

      by Anonymous Coward on Wednesday May 31 2017, @12:31PM (#518227)

      Chrome tries to use the stapled OCSP response. If that fails, it falls back to fetching a regular response through the network. (And if that fails, it ignores it)

      I don't think it makes sense. Isn't it just returning the page no matter what:

      // a: the stapled OCSP response was usable
      // b: fetching an OCSP response over the network succeeded
      function chromeOcspPolicy(a, b){
        if(a){
          return(page)
        }else{
          if(b){
            return(page)
          }else{
            return(page)  // network fetch failed: soft-fail, load the page anyway
          }
        }
      }

      • (Score: 2) by LoRdTAW on Wednesday May 31 2017, @12:42PM (1 child)

        by LoRdTAW (3755) on Wednesday May 31 2017, @12:42PM (#518234) Journal

        They simply optimized the hell out of it:
        return(page)

        • (Score: 1, Interesting) by Anonymous Coward on Wednesday May 31 2017, @02:26PM

          by Anonymous Coward on Wednesday May 31 2017, @02:26PM (#518298)

          This makes me wonder how much of the recent improvement on browser speed benchmarks is due to convoluted ways of making the browser less secure.

  • (Score: 2) by tibman on Wednesday May 31 2017, @07:01PM

    by tibman (134) Subscriber Badge on Wednesday May 31 2017, @07:01PM (#518447)

    When it comes to certs, Firefox seems to be the only one that cares. Companies that want to MitM you have an easier time with Chrome and Windows because they can push self-signed certs as root certs to every machine on the domain. Firefox uses its own cert store that is at the user level.

    --
    SN won't survive on lurkers alone. Write comments.
  • (Score: 0) by Anonymous Coward on Thursday June 01 2017, @12:35AM

    by Anonymous Coward on Thursday June 01 2017, @12:35AM (#518601)

    Are all of those American companies? When I first saw this on Yahoo, I thought it was a Yahoo thing, due to their acquisition. With more companies involved, specifically US companies and crypto, my gut said that this is somehow related to a three-letter agency's interference. Would not be at all surprised to find a "second-tier" of security sponsored by three-letter, or for use in data harvesting.