Oct 17 2007
While looking into some of the finer points of SSL EV, I landed at Microsoft. Clicking on the fourth search result shown in the adjacent picture (“Extended Validation SSL Sites”) prompted my up-to-date Firefox (and Safari and Opera) to initiate what is without question the single least understandable and therefore the most unforgivable computer/human dialog in the history of technology.
In essence my browser said: “I don’t have a clue about who owns this website, so let me enlighten you with an incomprehensible dissection of its X.509 certificate so you can judge for yourself.”
Ok, this isn’t an EV-specific issue. And sure, I get X.509, but Quintessential Person sure doesn’t. And though I’m not a Microsoft basher these days, they have no business using a certificate authority that only IE 7 knows about. All in all, this qualifies as Bad Security.
Posted by Larry J. Hughes, Jr. on Wednesday, October 17th, 2007, at 7:39 pm, and filed under Articles.
Adam | 18-Oct-07 at 8:37 am | Permalink
You write “they have no business using a certificate authority.” I’m curious: how should MS acquire the hundreds (or thousands?) of certificates that it has? Does it make sense to pay a third party to certify MS web sites? (Almost all of the certs in FF are from organizations less well known than Microsoft.)
Speaking for me only.
Larry J. Hughes, Jr. | 28-Jan-08 at 7:31 pm | Permalink
Actually I wrote “…that only IE7 knows about.” My intent was to point out that 1 in 5 browsers would have had a lousy security-driven experience.
Unfortunately leak.microsoft.com doesn’t resolve anymore, so I can’t reproduce it, but I found a similar URL that exhibits the same problem: https://www.tabletpcpartners.com/. Turns out that Opera gives a more cogent explanation (unless you’re Quintessential Person) than does Firefox. See the bottom of this post.
My hunch is that this is an anomaly. Putting aside the fact that this appeared high in the search results, my point stands about SSL problems in general: they do way more to hurt than help 99.99% of the population.
Opera error message follows:
- The server’s name “www.tabletpcpartners.com” does not match the certificate’s name “register.microsoft.com”. Somebody may be trying to eavesdrop on you.
- The certificate for “register.microsoft.com, msdness.microsoft.com, shell.windows.com, saservices.microsoft.com, protect.microsoft.com” is signed by the unknown Certificate Authority “Microsoft Secure Server Authority”. It is not possible to verify that this is a valid certificate.
- The certificate for “” is signed by the unknown Certificate Authority “”. It is not possible to verify that this is a valid certificate.
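The two Opera messages above are the two checks every browser runs before deciding whether to show that dialog: does the name the user typed match a name in the certificate, and was the certificate issued by an authority in the browser's trust store? The following is an added example, not code from the post or from any browser, that performs both checks on a constructed stand-in for the certificate Larry saw (subject CN and subjectAltName list taken from the Opera output; the trust store contents are invented for the example). Name matching follows the RFC 6125 rules: case-insensitive, subjectAltName preferred over CN, and a wildcard allowed only as the whole leftmost label where it matches exactly one label.

```python
"""Added example: the hostname and issuer checks behind a browser certificate warning."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Certificate:
    """Constructed stand-in for the X.509 fields that matter for these checks."""
    subject_cn: str
    san_dns: list[str]   # subjectAltName dNSName entries
    issuer: str          # issuer name, as shown in the Opera message


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one certificate name against the requested host.

    Exact match (case-insensitive, trailing dot ignored), or a wildcard that is
    the entire leftmost label and stands for exactly one label ("*.com" and
    "a.b.example.com" vs "*.example.com" are rejected)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: Certificate, hostname: str) -> bool:
    """Use the SAN list when present; fall back to the CN only if there is no SAN."""
    names = cert.san_dns if cert.san_dns else [cert.subject_cn]
    return any(_name_matches(n, hostname) for n in names)


def validate(cert: Certificate, hostname: str, trusted_issuers: set[str]) -> list[str]:
    """Return the problems a browser would flag for this connection (empty list means OK)."""
    problems: list[str] = []
    if not hostname_matches(cert, hostname):
        names = cert.san_dns or [cert.subject_cn]
        problems.append(f"name mismatch: server {hostname!r} is not among {names}")
    if cert.issuer not in trusted_issuers:
        problems.append(f"untrusted issuer: {cert.issuer!r} is not in the trust store")
    return problems


# Certificate fields as reported by Opera in the post; the issuer is the private CA named there.
PAGE_CERT = Certificate(
    subject_cn="register.microsoft.com",
    san_dns=[
        "register.microsoft.com",
        "msdness.microsoft.com",
        "shell.windows.com",
        "saservices.microsoft.com",
        "protect.microsoft.com",
    ],
    issuer="Microsoft Secure Server Authority",
)

# Constructed trust store: a browser that only knows one public root (assumption for the example).
TRUST_STORE = {"Example Public Root CA (constructed)"}


if __name__ == "__main__":
    # The case from the post: wrong name AND an issuer the browser has never heard of.
    for p in validate(PAGE_CERT, "www.tabletpcpartners.com", TRUST_STORE):
        print("-", p)
    # Same certificate on a host it was issued for: only the issuer problem remains.
    print(validate(PAGE_CERT, "register.microsoft.com", TRUST_STORE))
    # A browser that ships that private CA (as IE 7 did per the post) accepts it.
    print(validate(PAGE_CERT, "register.microsoft.com",
                   TRUST_STORE | {"Microsoft Secure Server Authority"}))
```

The point for a site operator is that the two failures are independent: fixing the virtual-host mapping so the right certificate is served removes the name mismatch, but a certificate from a private CA still fails in every browser that does not ship that CA, which is exactly the 1-in-5 experience described above.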