
posted by on Wednesday May 31 2017, @06:49AM
from the hiring-an-unpaid-intern-is-hard-work dept.

Bing.com OCSP certificate expires: how pathetic is that?

For over 8 hours now, when trying to access Bing.com, you'll get a warning about their OCSP certificate (message from Firefox):

An error occurred during a connection to www.bing.com. Invalid OCSP signing certificate in OCSP response. Error code: SEC_ERROR_OCSP_INVALID_SIGNING_CERT

How pathetic is that? I mean, companies such as Microsoft are so big; don't tell me they don't have the human & technical knowledge to manage their certificates. Even an intern could write some kind of tool to ensure a warning is sent beforehand!

It's embarrassing that something that simple (cert & domain expiration) is still a frequent problem, and for BIG tech companies too!

Palemoon: Hotmail, Live, Outlook and Bing connection errors, and our security.

Today, our users started seeing connectivity errors when trying to connect to most Microsoft on-line services like Hotmail, Onedrive, Outlook, Microsoft Live, and even the https version of the Bing search engine. The culprit? Misconfigured servers on Microsoft's side, specifically their so-called "stapled OCSP responses".

Now, this gets technical rather quickly, so a quick summary of what this is all about:
[...]
What happened is that servers for the domains mentioned did not use the correct certificate chain to sign their stapled OCSP responses. As a result, connections to the related https servers started to fail. But, notably, only from browsers using NSS (like Pale Moon and Firefox). Chrome didn't complain (more on that later). Edge was apparently also fine, but I haven't looked into why that is, myself.

From a browser's point of view, this should be considered (very) bad, because it looks like some other party (not being the authority that issued the certificate) is trying to tell the browser that a certificate isn't revoked. This party could be an attacker that is trying to use a revoked (mis-issued) certificate, for example.

Now, considering all browsers can be expected to support stapled responses, this highlighted a rather disturbing security issue with mainstream browsers: Apparently, only Pale Moon and Firefox (and rebuilds) are doing the correct thing.

https://forum.palemoon.org/viewtopic.php?f=1&t=15823
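The check that NSS applies to a stapled response, and that produced the SEC_ERROR_OCSP_INVALID_SIGNING_CERT warning above, is worth seeing in code. The following is an added example; it is not from the story, from Pale Moon, or from Mozilla's NSS. It assumes the Python `cryptography` package and constructs everything in memory: a hypothetical private CA ("Demo Root CA"), a leaf ("www.example.test"), a delegated OCSP responder and an unrelated CA, all invented names. It then staples three "good" responses for the same leaf and shows that only a response signed by the issuing CA, or by a responder that CA delegated with the id-kp-OCSPSigning key usage, is accepted; the third response is signed with the wrong certificate chain, which is the failure the story describes, and is rejected even though it claims the certificate is fine.

```python
# Added example: the RFC 6960 responder check behind NSS's
# SEC_ERROR_OCSP_INVALID_SIGNING_CERT. All names and keys are constructed.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _make_cert(cn, issuer_cn, issuer_key, key, is_ca=False, eku=None):
    """Issue a short-lived certificate for `key`, signed by `issuer_key` (demo CA)."""
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(cn))
        .issuer_name(_name(issuer_cn))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1))
        .not_valid_after(now + timedelta(days=30))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    if eku is not None:
        builder = builder.add_extension(x509.ExtendedKeyUsage(eku), critical=False)
    return builder.sign(issuer_key, hashes.SHA256())


def build_stapled_response(leaf, issuer, responder_cert, responder_key):
    """A 'good' OCSP response for `leaf`, as a server would staple into the TLS
    handshake. Which key signs it is exactly what went wrong in the story."""
    now = datetime.now(timezone.utc)
    builder = (
        ocsp.OCSPResponseBuilder()
        .add_response(
            cert=leaf, issuer=issuer, algorithm=hashes.SHA256(),
            cert_status=ocsp.OCSPCertStatus.GOOD,
            this_update=now, next_update=now + timedelta(days=7),
            revocation_time=None, revocation_reason=None,
        )
        .responder_id(ocsp.OCSPResponderEncoding.HASH, responder_cert)
        .certificates([responder_cert])  # responder cert travels with the response
    )
    return builder.sign(responder_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def _sig_ok(signature, tbs, hash_alg, signer_cert):
    try:
        signer_cert.public_key().verify(signature, tbs, ec.ECDSA(hash_alg))
        return True
    except InvalidSignature:
        return False


def _is_authorized_responder(cand, issuer):
    """RFC 6960 4.2.2.2: the signer must be the CA that issued the leaf, or a
    certificate that same CA issued carrying the id-kp-OCSPSigning key usage."""
    if cand == issuer:
        return True
    if cand.issuer != issuer.subject:
        return False  # wrong chain: some other CA's certificate signed the response
    if not _sig_ok(cand.signature, cand.tbs_certificate_bytes, cand.signature_hash_algorithm, issuer):
        return False
    try:
        eku = cand.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False
    return ExtendedKeyUsageOID.OCSP_SIGNING in eku


def check_stapled_response(resp_der, leaf, issuer):
    """Return (accepted, reason) for a stapled response covering `leaf`."""
    resp = ocsp.load_der_ocsp_response(resp_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False, "response status not successful"
    # The signer is either the issuing CA itself or a cert carried in the response.
    for cand in [issuer] + list(resp.certificates):
        if not _sig_ok(resp.signature, resp.tbs_response_bytes, resp.signature_hash_algorithm, cand):
            continue
        if _is_authorized_responder(cand, issuer):
            return True, "signed by authorised responder " + cand.subject.rfc4514_string()
        return False, "invalid OCSP signing cert " + cand.subject.rfc4514_string()
    return False, "signature does not verify under any candidate responder"


def demo():
    """Staple three 'good' responses for one leaf; map scenario -> accepted."""
    key = lambda: ec.generate_private_key(ec.SECP256R1())
    ca_key, leaf_key, resp_key, other_key = key(), key(), key(), key()
    ca = _make_cert("Demo Root CA", "Demo Root CA", ca_key, ca_key, is_ca=True)
    leaf = _make_cert("www.example.test", "Demo Root CA", ca_key, leaf_key)
    responder = _make_cert("Demo OCSP Responder", "Demo Root CA", ca_key, resp_key,
                           eku=[ExtendedKeyUsageOID.OCSP_SIGNING])
    other = _make_cert("Unrelated CA", "Unrelated CA", other_key, other_key, is_ca=True)
    scenarios = {
        "signed by issuing CA": (ca, ca_key),
        "signed by delegated responder": (responder, resp_key),
        "signed with wrong chain": (other, other_key),  # the story's failure mode
    }
    return {name: check_stapled_response(build_stapled_response(leaf, ca, c, k), leaf, ca)[0]
            for name, (c, k) in scenarios.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The point of the third scenario is that a "good" answer from a signer the issuing CA never authorised is worth nothing, which is why a browser that accepts it has no working revocation check. Against a live server the same thing can be inspected by hand with `openssl s_client -connect host:443 -status`, which requests the stapled response and prints it together with its signer.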

  • (Score: 1, Insightful) by Anonymous Coward on Wednesday May 31 2017, @02:13PM (#518289) (2 children)

    It's embarrassing that something that simple (cert & domain expiration) is still a frequent problem, and for BIG tech companies too!

    The problem is that it's not really simple. X.509 is completely ridiculous and almost nobody can get it right all the time. Then browsers dial any kind of certificate error up to 11 and make the problems worse.

    When things go wrong you get "scary" warnings from the browsers. This itself is a problem, because almost every browser certificate warning is a false alarm (they show up when you are not actually being attacked). All the bad guys now configure their SSL correctly and have valid certificates anyway.

    When almost every warning is a false alarm they are not helpful, quite the opposite. The simplest solution is that browsers should silently continue in the face of certificate errors. Indicate that the page is not fully authenticated on the UI (for example, browsers could show it the same as they do "regular" HTTP connections, with no lock icon or whatever).

  • (Score: 2) by bzipitidoo (4388) on Wednesday May 31 2017, @03:27PM (#518326) Journal

    Yes! And, the whole idea of abruptly making a certificate invalid after a certain date is stupidly crude. Where is the graceful degradation of service?

    Further, there is security fatigue. The policy of changing passwords every 30 days or 6 months, or some other short period of time, just in case, is a classic cause of security fatigue. Any security measure that requires effort has to be weighed against the threat it guards against, as well as the reductions in security it could cause.

    A big reason to even use a fixed time period is if the security is weak enough that it can be broken by brute force in that period of time. But it is so easy to add a few more bits to the keys, and extend the time it takes to crack it with brute force by a factor of 1000 or more. Just like that, a 1 month window of safety can be extended to 100 years. If worried that Moore's Law could reduce that century to a decade, a few more bits will fix that.

    I ran into this problem a couple of days ago. Had to use Hotmail, and Firefox threw up a security roadblock. I don't need that crap. If the cert was valid yesterday, and absent the occurrence of a known security breach yesterday, the odds are overwhelmingly in favor of it being valid today. So, I just used Chrome.

  • (Score: 2) by wonkey_monkey (279) on Wednesday May 31 2017, @03:29PM (#518328) Homepage

    For a while I was getting errors because I dared to type hotmail.com instead of www.hotmail.com. No idea whose fault that was.

    --
    systemd is Roko's Basilisk