Comments on: SSL EV: Extended (or Excursive?) Validation http://www.riskbloggers.com/ljh/2007/10/ssl-ev-extended-or-excursive-validation/ Security Wisdom Ahead of the Curve Sat, 05 Jul 2008 00:47:18 +0000 http://wordpress.org/?v=2.5.1 By: Larry J. Hughes, Jr. http://www.riskbloggers.com/ljh/2007/10/ssl-ev-extended-or-excursive-validation/#comment-3803 Larry J. Hughes, Jr. Tue, 29 Jan 2008 02:31:44 +0000 http://www.riskbloggers.com/ljh/2007/10/ssl-ev-extended-or-excursive-validation/#comment-3803 Actually I wrote "...that only IE7 knows about." My intent was to point out that 1 in 5 browsers would have had a lousy security-driven experience. Unfortunately leak.microsoft.com doesn't resolve anymore, so I can't reproduce it, but I found a similar URL that exhibits the same problem: https://www.tabletpcpartners.com/. Turns out that Opera gives a more cogent explanation (unless you're Quintessential Person) than does Firefox. See the bottom of this post. My hunch is that this is an anomaly. Putting aside the fact that this appeared high in the search results, my point stands about SSL problems in general: they do way more to hurt than help 99.99% of the population. Opera error message follows: - The server's name "www.tabletpcpartners.com" does not match the certificate's name "register.microsoft.com". Somebody may be trying to eavesdrop on you. - The certificate for "register.microsoft.com, msdness.microsoft.com, shell.windows.com, saservices.microsoft.com, protect.microsoft.com" is signed by the unknown Certificate Authority "Microsoft Secure Server Authority". It is not possible to verify that this is a valid certificate - The certificate for "" is signed by the unknown Certificate Authority "". It is not possible to verify that this is a valid certificate Actually I wrote “…that only IE7 knows about.” My intent was to point out that 1 in 5 browsers would have had a lousy security-driven experience.

Unfortunately leak.microsoft.com doesn’t resolve anymore, so I can’t reproduce it, but I found a similar URL that exhibits the same problem: https://www.tabletpcpartners.com/. Turns out that Opera gives a more cogent explanation (unless you’re Quintessential Person) than does Firefox. See the bottom of this post.

My hunch is that this is an anomaly. Putting aside the fact that this appeared high in the search results, my point stands about SSL problems in general: they do way more to hurt than help 99.99% of the population.

Opera error message follows:

- The server’s name “www.tabletpcpartners.com” does not match the certificate’s name “register.microsoft.com”. Somebody may be trying to eavesdrop on you.
- The certificate for “register.microsoft.com, msdness.microsoft.com, shell.windows.com, saservices.microsoft.com, protect.microsoft.com” is signed by the unknown Certificate Authority “Microsoft Secure Server Authority”. It is not possible to verify that this is a valid certificate
- The certificate for “” is signed by the unknown Certificate Authority “”. It is not possible to verify that this is a valid certificate

]]> By: Adam http://www.riskbloggers.com/ljh/2007/10/ssl-ev-extended-or-excursive-validation/#comment-3675 Adam Thu, 18 Oct 2007 15:37:38 +0000 http://www.riskbloggers.com/ljh/2007/10/ssl-ev-extended-or-excursive-validation/#comment-3675 You write "they have no business using a certificate authority." I'm curious: how should MS aquire the hundreds (or thousands?) of certificates that it has? Does it make sense to pay a third party to certify MS web sites? (Almost all of the certs in FF are from organizations less well known than Microsoft.) Speaking for me only. You write “they have no business using a certificate authority.” I’m curious: how should MS aquire the hundreds (or thousands?) of certificates that it has? Does it make sense to pay a third party to certify MS web sites? (Almost all of the certs in FF are from organizations less well known than Microsoft.)

Speaking for me only.

]]>