I wouldn't trust them either



  • OK, I see boxes like this all the time; they're usually nothing special, and I know exactly why they appear. But this case was a little different.

    Firefox doesn't trust partner.microsoft.com's security certificate

    Personally I think Firefox is quite right. I wouldn't trust Microsoft either.



  • Uh huh



  • Very interesting, because IE doesn't complain like this... I wonder if IE has an explicit trust for *.microsoft.com in its certificate pool.... How interesting is that.



  • These Microsoft WTFs are getting a little old...



  • Hum. Look at the last comment here: https://bugzilla.mozilla.org/show_bug.cgi?id=245609#c11



  • @pauluskc said:

    Very interesting, because IE doesn't complain like this... I wonder if IE has an explicit trust for *.microsoft.com in its certificate pool.... How interesting is that.

    Besides, think about it for a second: doing that would just increase the trouble for Microsoft. Usually, if some kind of hacker/virus/malware/etc. redirects users to its own website (hosts file change, etc.), SSL authentication could uncover this and prevent any harm. If MS really included such a "hack" to bypass authentication checks, they would just make it easier for hackers to take over their site.

    I mean, come on, which company of all has probably the fewest issues affording a correctly signed certificate...
     



  • True... Think about this though: by creating a pop-up warning on any SSL MS site in any competing browser (Opera does it as well as Mozilla) they'd only be reaffirming these alternative-browser-using people and their anti-Microsoft sentiments, which I share.



  • Nice WM theme.



  • @PSWorx said:

    Besides, think about it for a second: doing that would just increase the trouble for Microsoft. Usually, if some kind of hacker/virus/malware/etc. redirects users to its own website (hosts file change, etc.), SSL authentication could uncover this and prevent any harm. If MS really included such a "hack" to bypass authentication checks, they would just make it easier for hackers to take over their site.

    I mean, come on, which company of all has probably the fewest issues affording a correctly signed certificate...
     

    If some hacker/virus/malware/etc. owns a computer, it can disable the SSL warning anyway.



  • @rbowes said:

    If some hacker/virus/malware/etc. owns a computer, it can disable the SSL warning anyway.

    If that's the case, disabling an SSL warning is the least of your worries.

    What really bugs me with a lot of so-called exploits is that a lot of them either implicitly or explicitly go like "assuming a hacker has control of your machine, said hacker can do X" and all the little idiots run around screaming "oh noes! a hacker can do X to my machine, you have to fix this!!!"

    Why in this industry do we tolerate this kind of idiocy instead of shooting these people in the head? Does the shoe industry face demands for burglar-proof shoes? After all, assuming that a burglar has broken into your house, he is free to steal your shoes! Nike, why do you make shoes that are so easy to steal?



  • @pauluskc said:

    very interesting, because IE doesn't complain like this...  i wonder if IE has an explicit trust for *.microsoft.com* in it's certificate pool....  how interesting is that.

    Examining the certificate from the warning in Firefox, it appears that it was issued by "Microsoft Secure Server Authority" - i.e. they have their own SSL root certificate, and used it to issue themselves a certificate. (This is pretty common, and can be done by anyone).

    Looking through the installed root certificates in IE 7 (Tools->Internet Options->Content->Certificates->Trusted Root Certification Authorities), this authority isn't in there. However, if you examine the site's certificate in IE, you'll see that the root of the certification tree is "GTE Cybertrust Global Root", which *is* in IE's list. It's also in Firefox's list, so I can only assume that FF checks the issuer's name and stops there, while IE steps back up the tree until it finds someone it trusts (or fails, in which case it warns you). Note that FF didn't show me the certification path in the certificate details, only the "end" of it.

    Note that I have no idea what the spec says behaviour should be, but making trust decisions based on this sort of tree (or "web" in PKI parlance) is a common concept. For example in Public Key Infrastructure setups, you may decide to trust an unknown key because it's signed by another key you know and trust, or because it's signed by a key that's signed by a key you trust, and so on. FF appears to only extend its trust to the key itself, while IE seems to be more trusting.

    So, long story short - there's no evidence that IE trusts *.microsoft.com, and circumstantial evidence that IE extends its trust all the way back up the certification path, which is arguably desirable behaviour.
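The path-walking idea in the comment above (a client accepts a leaf certificate only if it can link issuer to issuer up to a trust anchor it already holds), and PSWorx's earlier point that a hosts-file redirect should trip the SSL check, can both be shown in working code. The following is an added example and not code from this thread, from Firefox or from IE: it uses Go's standard crypto/x509 path builder, which stands in for a browser's verifier without reproducing either browser's actual logic. The root, intermediate and leaf certificates, their names and the host name partner.example.com are all constructed here (they are assumptions for the example, not Microsoft's real certificates). It shows four outcomes: the full chain validates against the root; the same leaf fails against the same root when the intermediate is not supplied, which is a common reason one client warns while another, which has the intermediate cached or obtains it separately, does not (whether that is what happened here is left to the linked bug); putting the issuer itself in the trust store also validates, with a shorter path; and a correctly chained certificate for the wrong host name fails, which is the check that catches a redirect to an attacker's server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// HostName is a constructed name (an assumption); nothing here is Microsoft's real certificate.
const HostName = "partner.example.com"

// Chain is a constructed three-level PKI: a self-signed root (the browser's trust anchor),
// an intermediate CA (the "Secure Server Authority" role) and the server's leaf certificate.
type Chain struct {
	Root, Inter, Leaf *x509.Certificate
}

// Certs lets callers write Certs(a, b) for a list of certificates.
func Certs(cs ...*x509.Certificate) []*x509.Certificate { return cs }

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return k
}

// issue signs tmpl with the parent's key; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, key, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// BuildChain mints fresh keys and certificates on every call.
func BuildChain() Chain {
	now := time.Now()
	tmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		}
	}
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	root := issue(tmpl(1, "Constructed Global Root"), nil, rootKey, nil)
	inter := issue(tmpl(2, "Constructed Secure Server Authority"), root, interKey, rootKey)
	lt := tmpl(3, HostName) // the server certificate: CA:FALSE, bound to the host name
	lt.IsCA, lt.KeyUsage = false, x509.KeyUsageDigitalSignature
	lt.DNSNames = []string{HostName}
	lt.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	return Chain{Root: root, Inter: inter, Leaf: issue(lt, inter, leafKey, interKey)}
}

// Verify builds a path from leaf up to a trust anchor in roots, using intermediates as the
// extra certificates the server (or a cache) supplied; returns the path length, or 0 and the error.
func Verify(leaf *x509.Certificate, host string, roots, intermediates []*x509.Certificate) (int, error) {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool, DNSName: host})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

func main() {
	c := BuildChain()
	report := func(name string, n int, err error) { fmt.Printf("%-38s path=%d err=%v\n", name, n, err) }
	n, err := Verify(c.Leaf, HostName, Certs(c.Root), Certs(c.Inter))
	report("root trusted, intermediate supplied", n, err)
	n, err = Verify(c.Leaf, HostName, Certs(c.Root), nil)
	report("root trusted, intermediate missing", n, err)
	n, err = Verify(c.Leaf, HostName, Certs(c.Inter), nil)
	report("issuer itself in the trust store", n, err)
	n, err = Verify(c.Leaf, "other.example.com", Certs(c.Root), Certs(c.Inter))
	report("full chain, host name mismatch", n, err)
}
```

Run it with `go run` and the second case reports an unknown-authority error while the first and third succeed with path lengths 3 and 2; the fourth fails on the host name even though the chain itself is sound. The design point is that trust is decided at the anchor: a verifier that only holds the root needs every link between the leaf and that root to be supplied, whereas a verifier that already trusts the issuer directly needs nothing more.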
     



  • You can read about how it's working in the links that were already supplied. Namely: https://bugzilla.mozilla.org/show_bug.cgi?id=245609#c11

