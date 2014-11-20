from the hiring-an-unpaid-intern-is-hard-work dept.
Bing.com OCSP certificate expires: how pathetic is that?
For over 8 hours now, when trying to access Bing.com, you'll get a warning about their OCSP certificate (message from Firefox):
An error occurred during a connection to www.bing.com. Invalid OCSP signing certificate in OCSP response. Error code: SEC_ERROR_OCSP_INVALID_SIGNING_CERT
How pathetic is that? I mean, companies such as Microsoft are so big; don't tell me they don't have the human & technical knowledge to manage their certificates. Even an intern could write some kind of tool to ensure a warning is sent beforehand!
It's embarrassing that something that simple (cert & domain expiration) is still a frequent problem, and for BIG tech companies too!
Palemoon: Hotmail, Live, Outlook and Bing connection errors, and our security.
Today, our users started seeing connectivity errors when trying to connect to most Microsoft on-line services like Hotmail, Onedrive, Outlook, Microsoft Live, and even the https version of the Bing search engine. The culprit? Misconfigured servers on Microsoft's side, specifically their so-called "stapled OCSP responses".
Now, this gets technical rather quickly, so a quick summary of what this is all about:
[...]
What happened is that servers for the domains mentioned did not use the correct certificate chain to sign their stapled OCSP responses. As a result, connections to the related https servers started to fail. But, notably, only from browsers using NSS (like Pale Moon and Firefox). Chrome didn't complain (more on that later). Edge was apparently also fine, but I haven't looked into why that is, myself.
From a browser's point of view, this should be considered (very) bad, because it looks like some other party (not being the authority that issued the certificate) is trying to tell the browser that a certificate isn't revoked. This party could be an attacker that is trying to use a revoked (mis-issued) certificate, for example.
Now, considering all browsers can be expected to support stapled responses, this highlighted a rather disturbing security issue with mainstream browsers: Apparently, only Pale Moon and Firefox (and rebuilds) are doing the correct thing.
https://forum.palemoon.org/viewtopic.php?f=1&t=15823
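The Pale Moon post above describes a stapled OCSP response whose signature does not chain to the issuing CA. The script below is an added example, not code from the story, the Pale Moon post or Microsoft: it builds a throwaway CA with the openssl CLI, issues one server certificate, signs OCSP responses for it with three different keys (the CA itself, a responder the CA delegated with the id-kp-OCSPSigning EKU, and an unrelated self-signed key), and verifies each the way a strict client does. It also includes the expiry warning the submitter asks for. It assumes a POSIX sh and openssl 1.1.1 or later; every name, serial and file name is made up for the demo.

```shell
#!/bin/sh
# Added example, not from the story or the Pale Moon post: a throwaway CA built
# with the openssl CLI, one server certificate, and OCSP responses for it signed
# by three different keys.  Verifying each shows what a strict client accepts.
# All names, serials and file names below are made up for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

make_pki() {
    # Minimal req config so the demo does not depend on the system openssl.cnf.
    cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[ dn ]
CN = overridden-by-subj
[ ca_ext ]
basicConstraints = critical,CA:TRUE
EOF
    # Root CA that issues the server certificate (30-day validity).
    openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout ca.key -out ca.pem -subj "/CN=Example Test CA" 2>/dev/null

    # End-entity certificate the client is checking, serial 0x1001.
    openssl req -config req.cnf -newkey rsa:2048 -nodes \
        -keyout server.key -out server.csr -subj "/CN=www.example.test" 2>/dev/null
    openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key \
        -set_serial 0x1001 -days 30 -out server.pem 2>/dev/null

    # Delegated responder: issued by the same CA and carrying id-kp-OCSPSigning
    # (RFC 6960 section 4.2.2.2), which is what lets a non-CA key sign for it.
    openssl req -config req.cnf -newkey rsa:2048 -nodes \
        -keyout delegated.key -out delegated.csr -subj "/CN=Example OCSP Responder" 2>/dev/null
    printf 'extendedKeyUsage = OCSPSigning\n' > delegated.ext
    openssl x509 -req -in delegated.csr -CA ca.pem -CAkey ca.key \
        -set_serial 0x1002 -days 30 -extfile delegated.ext -out delegated.pem 2>/dev/null

    # "Some other party": a self-signed key with no relation to the issuing CA.
    openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout rogue.key -out rogue.pem -subj "/CN=Not The Issuer" 2>/dev/null

    # CA index consulted by the responder: status, expiry, revocation date,
    # serial (hex), file, subject; tab separated.  V = valid, not revoked.
    printf 'V\t991231235959Z\t\t1001\tunknown\t/CN=www.example.test\n' > index.txt

    # The request a client sends, or a server sends ahead of time for stapling.
    openssl ocsp -issuer ca.pem -cert server.pem -no_nonce -reqout req.der >/dev/null 2>&1
}

sign_response() {
    # $1 = signer basename (ca | delegated | rogue), $2 = output DER file.
    # -noverify: only produce the response here; checking it is the client's job.
    openssl ocsp -index index.txt -CA ca.pem -rsigner "$1.pem" -rkey "$1.key" \
        -reqin req.der -respout "$2" -noverify >/dev/null 2>&1
}

verify_response() {
    # Strict check, as NSS does it: the response must be signed by the CA that
    # issued server.pem, or by a responder that CA issued with the OCSPSigning
    # EKU.  Anything else is "Response Verify Failure" and openssl exits non-zero.
    openssl ocsp -respin "$1" -issuer ca.pem -cert server.pem -CAfile ca.pem \
        -no_nonce >"$1.log" 2>&1
}

cert_ok_for_days() {
    # The warning the submitter asks for: exit 0 while $1 stays valid for $2
    # more days, 1 as soon as it would expire inside that window.
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

demo() {
    make_pki
    for signer in ca delegated rogue; do
        sign_response "$signer" "resp-$signer.der"
        if verify_response "resp-$signer.der"; then
            echo "$signer-signed response: accepted"
        else
            echo "$signer-signed response: rejected"
            sed -n '/Verify Failure/p' "resp-$signer.der.log"
        fi
    done
    if cert_ok_for_days server.pem 45; then
        echo "server.pem: fine for the next 45 days"
    else
        echo "server.pem: expires within 45 days, renew now"
    fi
}
demo
```

The CA-signed and delegated responses verify; the rogue one is rejected even though its signature is mathematically valid, because the signer neither is the issuing CA nor chains to it with the OCSPSigning EKU (RFC 6960 section 4.2.2.2). That is the condition the Pale Moon post describes. Against a live host, `openssl s_client -connect www.bing.com:443 -status </dev/null` prints the stapled response, if the server sends one, under "OCSP response:", and the same `openssl ocsp -respin ... -issuer ... -CAfile ...` check applies to it.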
(Score: 0) by Anonymous Coward on Wednesday May 31, @07:01AM (1 child)
Bing doesn't require HTTPS. HTTP still works. Shocking, I know, right??
The top four are Google, Bing, Baidu, and Yahoo. Bing and Baidu still use HTTP.
HTTPS/SSL/TLS is overrated.
(Score: 0) by Anonymous Coward on Wednesday May 31, @07:11AM
Chin€se Micro$oft shill begone.
(Score: 2) by bradley13 on Wednesday May 31, @07:15AM (1 child)
This is beyond my knowledge - any experts out there who can comment?
Basically, as I understand it, the Firefox team is claiming that they are the only browser in the world to correctly refuse to connect, if the certificate's attached OCSP (certification that the certificate is not revoked) is incorrectly signed. They filed a bug report against Chrome, since they think Chrome should have done this as well.
The Chrome team's reply refers to discussions elsewhere, which refer to other discussions elsewhere, and it is never clear to me why they don't consider invalid OCSP signing to be a problem. Can anyone shed light on this?
Edge also has no problem with the bad signatures, but the Firefox folks don't seem to have filed a bug against Edge.
Everyone is somebody else's weirdo.
(Score: 0) by Anonymous Coward on Wednesday May 31, @07:49AM
Relevance vs Irrelevance.
Security doesn't sell to the mainstream. And anybody who has been paying attention laughs at Mozilla claiming they are concerned with security (their security is sometimes better than their competitors, but they've been bolting crap on without concern for security for 2 decades now, and that is just since they went open source...)
(Score: 0) by Anonymous Coward on Wednesday May 31, @07:33AM (2 children)
Very.
(Score: 2) by c0lo on Wednesday May 31, @07:35AM (1 child)
Fortunately, it wasn't an endless tragedy.
It seems to work fine now.
(Score: 0) by Anonymous Coward on Wednesday May 31, @07:40AM
(Score: 2) by KritonK on Wednesday May 31, @07:49AM
I always trust Microsoft's SSL certificates. After all, they are signed by, um... Microsoft?!?!?
Seriously, until I read this, I wasn't aware that there was a problem with Microsoft's sites, even though I am a Firefox user. Do people actually visit these sites?
At least, they seem to have fixed the problem.
