Stories
Slash Boxes
Comments

SoylentNews is people

posted by on Wednesday May 31 2017, @06:49AM   Printer-friendly
from the hiring-an-unpaid-intern-is-hard-work dept.

Bing.com OCSP certificate expires: how pathetic is that?

For over 8 hours now, when trying to access Bing.com, you'll get a warning about their OCSP certificate (message from Firefox):

An error occurred during a connection to www.bing.com. Invalid OCSP signing certificate in OCSP response. Error code: SEC_ERROR_OCSP_INVALID_SIGNING_CERT

How pathetic is that? I mean, companies such as Microsoft are so big; don't tell me they don't have the human & technical knowledge to manage their certificates. Even an intern could write some kind of tool to ensure a warning is sent beforehand!

It's embarrassing that something that simple (cert & domain expiration) is still a frequent problem, and for BIG tech companies too!

Palemoon: Hotmail, Live, Outlook and Bing connection errors, and our security.

Today, our users started seeing connectivity errors when trying to connect to most Microsoft on-line services like Hotmail, Onedrive, Outlook, Microsoft Live, and even the https version of the Bing search engine. The culprit? misconfigured servers on Microsoft's side, specifically their so-called "stapled OCSP responses".

Now, this gets technical rather quickly, so a quick summary of what this is all about:
[...]
What happened is that servers for the domains mentioned did not use the correct certificate chain to sign their stapled OCSP responses. As a result, connections to the related https servers started to fail. But, notably, only from browsers using NSS (like Pale Moon and Firefox). Chrome didn't complain (more on that later). Edge was apparently also fine, but I haven't looked into why that is, myself.

From a browser's point of view, this should be considered (very) bad, because it looks like some other party (not being the authority that issued the certificate) is trying to tell the browser that a certificate isn't revoked. This party could be an attacker that is trying to use a revoked (mis-issued) certificate, for example.

Now, considering all browsers can be expected to support stapled responses, this highlighted a rather disturbing security issue with mainstream browsers: Apparently, only Pale Moon and Firefox (and rebuilds) are doing the correct thing.

https://forum.palemoon.org/viewtopic.php?f=1&t=15823


Original Submission #1Original Submission #2

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by KritonK on Wednesday May 31 2017, @07:49AM (8 children)

    by KritonK (465) on Wednesday May 31 2017, @07:49AM (#518170)

    I always trust Microsoft's SSL certificates. After all, they are signed by, um... Microsoft?!?!?

    Seriously, until I read this, I wasn't aware that there was a problem with Microsoft's sites, even though I am a Firefox user. Do people actually visit these sites?

    At least, they seem to have fixed the problem.

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 3, Insightful) by c0lo on Wednesday May 31 2017, @08:01AM (7 children)

    by c0lo (156) Subscriber Badge on Wednesday May 31 2017, @08:01AM (#518174) Journal

    I wasn't aware that there was a problem with Microsoft's sites... Do people actually visit these sites?

    Job requirements, so yes.

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 2) by MostCynical on Wednesday May 31 2017, @08:55AM (6 children)

      by MostCynical (2589) on Wednesday May 31 2017, @08:55AM (#518185) Journal

      Your work requires you to use hotmail!?

      --
      "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
      • (Score: 2) by kaszz on Wednesday May 31 2017, @09:32AM (2 children)

        by kaszz (4211) on Wednesday May 31 2017, @09:32AM (#518191) Journal

        Outlook can probably be a job requirement. Bing maybe.

        • (Score: 2) by MostCynical on Wednesday May 31 2017, @10:00AM (1 child)

          by MostCynical (2589) on Wednesday May 31 2017, @10:00AM (#518195) Journal

          Okay, I was being facetious, but having to use Outlook365 may be worse.

          --
          "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
          • (Score: 2) by Gaaark on Wednesday May 31 2017, @10:11AM

            by Gaaark (41) on Wednesday May 31 2017, @10:11AM (#518197) Journal

            It is worse.

            --
            --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
      • (Score: 2) by c0lo on Wednesday May 31 2017, @10:29AM (2 children)

        by c0lo (156) Subscriber Badge on Wednesday May 31 2017, @10:29AM (#518201) Journal

        office365. In the same bucket.

        --
        https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
        • (Score: 3, Funny) by MostCynical on Wednesday May 31 2017, @12:09PM (1 child)

          by MostCynical (2589) on Wednesday May 31 2017, @12:09PM (#518219) Journal

          why keep your company secrets within the company, when you can put them on googledocs or Office365!

          oh, then there is this story:
          "Macquarie Uni shifts from Gmail to Office 365 over privacy concerns ...
          Macquarie University will move its staff email accounts from Gmail to Office 365 over concerns about data sovereignty after Google moved the organisation's data into the US. The university's CIO Mary Davies told staff yesterday that the institution had been forced to look for an alternative..."
          http://www.itnews.com.au/news/macquarie-uni-shifts-from-gmail-to-office-365-over-privacy-concerns-409783 [itnews.com.au]

          frying pan/fire...
           

          --
          "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
          • (Score: 2) by c0lo on Wednesday May 31 2017, @03:40PM

            by c0lo (156) Subscriber Badge on Wednesday May 31 2017, @03:40PM (#518336) Journal

            frying pan/fire...

            Well, the parent company is already USian, so perhaps it doesn't make any difference to them, melting pot and all that (grin)

            --
            https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford