For over 8 hours now, when trying to access Bing.com, you'll get a warning about their OCSP certificate (message from Firefox):
An error occurred during a connection to www.bing.com. Invalid OCSP signing certificate in OCSP response. Error code: SEC_ERROR_OCSP_INVALID_SIGNING_CERT
How pathetic is that? I mean, companies such as Microsoft are so big; don't tell me they don't have the human & technical knowledge to manage their certificates. Even an intern could write some kind of tool to ensure a warning is sent beforehand!
It's embarrassing that something that simple (cert & domain expiration) is still a frequent problem, and for BIG tech companies too!
Today, our users started seeing connectivity errors when trying to connect to most Microsoft online services like Hotmail, OneDrive, Outlook, Microsoft Live, and even the https version of the Bing search engine. The culprit? Misconfigured servers on Microsoft's side, specifically their so-called "stapled OCSP responses".
Now, this gets technical rather quickly, so a quick summary of what this is all about:
[...]
What happened is that servers for the domains mentioned did not use the correct certificate chain to sign their stapled OCSP responses. As a result, connections to the related https servers started to fail. But, notably, only from browsers using NSS (like Pale Moon and Firefox). Chrome didn't complain (more on that later). Edge was apparently also fine, but I haven't looked into why that is, myself.
From a browser's point of view, this should be considered (very) bad, because it looks like some other party (not being the authority that issued the certificate) is trying to tell the browser that a certificate isn't revoked. This party could be an attacker that is trying to use a revoked (mis-issued) certificate, for example.
Now, considering all browsers can be expected to support stapled responses, this highlighted a rather disturbing security issue with mainstream browsers: Apparently, only Pale Moon and Firefox (and rebuilds) are doing the correct thing.
https://forum.palemoon.org/viewtopic.php?f=1&t=15823
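To make the "correct certificate chain" rule from the quoted post concrete, here is an added example (not code from the Pale Moon post, NSS or Mozilla) that models the responder-authorization check of RFC 6960 section 4.2.2.2 and the two client policies described above. All certificate names are constructed, and name equality stands in for key matching; no real signatures are verified.

```python
from dataclasses import dataclass
from typing import Optional

OCSP_SIGNING_EKU = "1.3.6.1.5.5.7.3.9"  # id-kp-OCSPSigning (RFC 6960 section 4.2.2.2)

@dataclass(frozen=True)
class Cert:
    """Only the fields the authorization rule looks at (constructed model)."""
    subject: str
    issuer: str
    ekus: frozenset = frozenset()

def responder_authorized(issuer_cert: Cert, signer: Cert) -> Optional[str]:
    """Decide whether `signer` may vouch for a certificate issued by `issuer_cert`.
    Returns None when authorized, otherwise the reason for rejection.
    Simplification: name equality stands in for "same key"; a real verifier checks
    the response signature and the responder certificate against the CA's public
    key. The third RFC case (a locally configured trusted responder) is omitted."""
    # Case 1: the issuing CA itself signed the response.
    if signer == issuer_cert:
        return None
    # Case 2: a delegated responder certificate issued directly by that CA and
    # marked with id-kp-OCSPSigning. A responder issued by any other CA, even one
    # in the same PKI, is not authorized: this is the failure the post describes.
    if signer.issuer != issuer_cert.subject:
        return f"responder '{signer.subject}' was issued by '{signer.issuer}', not by '{issuer_cert.subject}'"
    if OCSP_SIGNING_EKU not in signer.ekus:
        return f"responder '{signer.subject}' lacks the id-kp-OCSPSigning EKU"
    return None

def check_stapled_response(issuer_cert: Cert, signer: Cert, hard_fail: bool) -> str:
    """Map the authorization result onto two client policies: hard_fail=True aborts
    the connection (what the NSS error above amounts to); hard_fail=False discards
    the unverifiable staple and continues as if no revocation info had been sent."""
    reason = responder_authorized(issuer_cert, signer)
    if reason is None:
        return "ok: stapled response accepted"
    if hard_fail:
        return "abort: invalid OCSP signing certificate (" + reason + ")"
    return "continue without revocation info: " + reason

# Constructed sample PKI, not Microsoft's real certificate names.
CA1 = Cert("Example Intermediate CA 1", "Example Root CA")
CA2 = Cert("Example Intermediate CA 2", "Example Root CA")
GOOD_RESPONDER = Cert("OCSP Responder 1", CA1.subject, frozenset({OCSP_SIGNING_EKU}))
WRONG_CHAIN_RESPONDER = Cert("OCSP Responder 2", CA2.subject, frozenset({OCSP_SIGNING_EKU}))
NO_EKU_RESPONDER = Cert("Web Server Cert", CA1.subject, frozenset({"1.3.6.1.5.5.7.3.1"}))

if __name__ == "__main__":
    for signer in (CA1, GOOD_RESPONDER, WRONG_CHAIN_RESPONDER, NO_EKU_RESPONDER):
        print(signer.subject.ljust(26), check_stapled_response(CA1, signer, hard_fail=True))
```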
(Score: 2) by jmorris on Wednesday May 31 2017, @07:03PM
Microsoft is stupid for not having a system in place to handle routine expiration of dated certs.
Firefox is also stupid for throwing a warning over some bullcrap 'stapling' thing that few use in this case. It should be caching server certs and keys and if it is seeing the same cert it has seen for months/years and it, or some related stapled 'extra super secret crypto' attached, expires it should at worst throw a minor non scary warning and make continue the default and recommended choice.
Yeah, I see all that stapling crap in Apache's config. I leave it all carefully commented out. Why? Every extra layer of crypto crap you add beyond that needed to get browsers to stop bitching is another thing that can go wrong and thus makes a site less reliable. As Microsoft just discovered.
Mozilla should do the same for self-signed certs. The first time you visit one, it should simply say "This site did not buy a certificate from a signing authority so we can't verify that the entity displayed is actually the one who sent you this page. If your connection RIGHT NOW isn't compromised it is perfectly safe to click "remember and continue on" and you will only receive future warnings if it changes." Because that is the bottom line: all this elaborate certificate infrastructure does is make that first connection a little more reliable.