Invalid server certificate from Microsoft?


Peter Rossiter

If I click the following link then different browsers accept or
reject Microsoft's server certificate.

https://www.microsoft.com/security/incident/sasser.asp

------

(1) Internet Explorer 6 does not show anything.

(2) Opera says this:

The certificate for "www.microsoft.com" is signed
by the unknown Certificate Authority
"www.microsoft.com". It is not possible to verify
that this is a valid certificate.

(3) Firefox says this:

Website Certified By An Unknown Authority ...


Why is there this quite big difference in the messages? It is the
difference between deciding to go ahead and see the site and not go
ahead.
 

Walter Roberson

:If I click the following link then different browsers accept or
:reject Microsoft's server certificate.

:https://www.microsoft.com/security/incident/sasser.asp

I don't know the direct answer to your question, but I would point
out that within the last few days, Microsoft released a non-critical
patch that updated their CA server list. Running Windows Update and
installing that patch might make the issue go away.
 

Peter Rossiter

:If I click the following link then different browsers accept
:or reject Microsoft's server certificate.

:https://www.microsoft.com/security/incident/sasser.asp

I don't know the direct answer to your question, but I would
point out that within the last few days, Microsoft released a
non-critical patch that updated their CA server list. Running
Windows Update and installing that patch might make the issue
go away.


My WinXP system is fully up to date with patches and I get those
results.
 

Petr Pisar

Peter said:
The certificate for "www.microsoft.com" is signed
by the unknown Certificate Authority
"www.microsoft.com". It is not possible to verify
that this is a valid certificate.

That means your browser can't verify CA's certificate. Once you install
CA's certificate or certificate used to sign CA's certificate, all goes
right.
Why is there this quite big difference in the messages? It is the
difference between deciding to go ahead and see the site and not go
ahead.

Both messages try to say: Don't trust this certificate.

--Petr
 

Alan J. Flavell

Both messages try to say: Don't trust this certificate.

They both say "take your own decision whether to trust this
certificate, because it can't be traced back to one of the known
CAs".

Interpreting that as "don't trust this certificate" would be going too
far, IMHO.

Self-signed certificates have their place in the scheme of things.
 

Thor Kottelin

Peter said:
(1) Internet Explorer 6 does not show anything.

(2) Opera says this:

The certificate for "www.microsoft.com" is signed
by the unknown Certificate Authority
"www.microsoft.com". It is not possible to verify
that this is a valid certificate.

(3) Firefox says this:

Website Certified By An Unknown Authority ...

Why is there this quite big difference in the messages?

My Netscape browser warns me as well.

Microsoft can unilaterally make their own browser accept their self-signed
certificates by default. They cannot do the same to free world browsers.

Follow-ups narrowed.

Thor
 

Petr Pisar

Alan said:
On Tue, 4 May 2004, Petr Pisar wrote:
They both say "take your own decision whether to trust this
certificate, because it can't be traced back to one of the known
CAs".

I agree that's better formulation.
Interpreting that as "don't trust this certificate" would be going too
far, IMHO.

Self-signed certificates have their place in the scheme of things.

Yes, but in the moment the warning appears, you have no assurance that
there is no evil activity. There are only two possibilities in certificate
verification: either "successfully verified" or "verification failed". The
reason why it failed can be interesting or important for a human, but for a
machine it isn't.
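The two points made in this thread, that the warning means the browser cannot trace the server certificate back to a CA it trusts, and that once the CA certificate is imported the same certificate verifies, can be reproduced with throwaway certificates. The script below is an added example, not something posted in the thread or taken from Microsoft's setup. It assumes the OpenSSL command line (1.1.1 or later) is available; the CA names "Example Test Root CA" and "Other Test Root CA", the host name www.example.test and the file names are all made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): build a self-signed root CA and a
# leaf certificate it signs, then verify the leaf against a trust store
# that lacks the CA and against one that contains it. All names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Explicit extensions, so the result does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# make_root NAME FILE: self-signed CA certificate (P-256 key, valid one day).
make_root() {
  openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_ca \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -sha256 -days 1 \
    -subj "/CN=$1" -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}

make_root "Example Test Root CA" ca        # the CA that actually signs the site
make_root "Other Test Root CA" other-ca    # a CA the client trusts, unrelated

# Leaf certificate for www.example.test, signed by "Example Test Root CA".
openssl req -new -config "$WORK/openssl.cnf" \
  -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -sha256 \
  -subj "/CN=www.example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -days 1 -sha256 -in "$WORK/leaf.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -extfile "$WORK/openssl.cnf" -extensions v3_leaf \
  -out "$WORK/leaf.pem" 2>/dev/null

# leaf_issuer: the issuer name the leaf claims (the name the warning quotes).
leaf_issuer() {
  openssl x509 -noout -issuer -nameopt RFC2253 -in "$WORK/leaf.pem" \
    | sed 's/^issuer=//'
}

# verify_leaf STORE: the chain check a browser performs, using the CA
# certificates in STORE. Prints "verified" or OpenSSL's reason line and
# returns 0 or 1: for the machine the outcome is only ever pass or fail.
# (Newer OpenSSL may also consult the system store; the throwaway CA is
# not in it, so that does not change the result.)
verify_leaf() {
  if openssl verify -CAfile "$1" "$WORK/leaf.pem" >"$WORK/verify.out" 2>&1; then
    echo "verified"
    return 0
  fi
  grep -m1 '^error [0-9]' "$WORK/verify.out" || true
  return 1
}

echo "leaf issuer: $(leaf_issuer)"
echo "--- trust store lacks the signing CA (the Opera/Firefox situation):"
verify_leaf "$WORK/other-ca.pem" || true
echo "--- after importing the CA certificate into the trust store:"
cat "$WORK/other-ca.pem" "$WORK/ca.pem" > "$WORK/store.pem"
verify_leaf "$WORK/store.pem" || true
```

The first verification fails with OpenSSL's "unable to get local issuer certificate", which is the same condition Opera and Firefox report as an unknown Certificate Authority; the second succeeds only because the signing CA was added to the store, not because anything about the leaf changed. Note that the reason text is for the human reading it; the exit status is what a client acts on.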
 

phn

Peter Rossiter said:
If I click the following link then different browsers accept or
reject Microsoft's server certificate.


(1) Internet Explorer 6 does not show anything.
(2) Opera says this:
The certificate for "www.microsoft.com" is signed
by the unknown Certificate Authority
"www.microsoft.com". It is not possible to verify
that this is a valid certificate.
(3) Firefox says this:
Website Certified By An Unknown Authority ...

Why is there this quite big difference in the messages? It is the
difference between deciding to go ahead and see the site and not go
ahead.

(2) and (3) say the same thing (that Microsoft is not one of the
global CAs shipped with the browser).
 

Alan J. Flavell

Yes, but in the moment the warning appears, you have no assurance that
there is no evil activity.

I don't disagree. My only point was that the warning does not say
anything, either way, about whether you _should_ trust the
certificate. There are some self-signing authorities in whom I would
put more trust than some of those authorities that I can see in the
default root certificates database...
There are only two possibilities in certificate
verification: either "successfully verified" or "verification failed".

Right, and the significance of the message is that the user should
review their security situation, and take -appropriate- further steps,
one way or the other.

I don't think we're basically saying anything different from each
other: it's just about the words used.

all the best
 
