scary certificate for www.update.microsoft.com
Tony Naggs
tony.naggs at googlemail.com
Mon Jun 18 01:12:28 BST 2012
On 17 June 2012 17:57, Roland Perry <lists at internetpolicyagency.com> wrote:
> In article <4FDE04AF.5000903 at zen.co.uk>, Peter Fairbrother <
> zenadsl6186 at zen.co.uk> writes
>
>> I think the browsers are looking to check the hostname in the requested
>> URL matches the hostname in the certificate - and it doesn't, 65.55.25.59
>> != www.update.microsoft.com
>>
>> Both actions seem like perfectly good behaviour to me.
>>
>
> As a "user" I'd expect the browser to connect the two concepts, it's not
> as if DNS hasn't been invented yet.
>
Scary certificate test results for Microsoft's Update server SSL
certificate - "Overall rating Zero":
As assessed by
https://www.ssllabs.com/ssltest/analyze.html?d=www.update.microsoft.com
Several bad features get highlighted in red.
Certificate Information
Common names: www.update.microsoft.com
Alternative names: -
Prefix handling: Not required for subdomains
Valid from: Thu May 31 04:36:05 UTC 2012
Valid until: Sat Aug 31 04:46:05 UTC 2013 (expires in 1 year and 2 months)
Key: RSA / 2048 bits
Signature algorithm: SHA1withRSA
Server Gated Cryptography: No
Weak key (Debian): No
Issuer: Microsoft Update Secure Server CA 1
Next Issuer: Microsoft Root Certificate Authority
Chain length (size): 2 (3241 bytes)
Chain issues: Incomplete
Extended Validation: No
Revocation information: CRL
Revocation status: Unchecked (only trusted certificates can be checked)
Trusted: No - NOT TRUSTED

Protocols
TLS 1.2: No
TLS 1.1: No
TLS 1.0: Yes
SSL 3.0: Yes
SSL 2.0+ upgrade support: Yes
SSL 2.0: Yes - INSECURE

Cipher Suites (SSLv3+ suites in server-preferred order, then SSLv2 suites where used)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_RSA_WITH_RC4_128_SHA (0x5) 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 168
TLS_RSA_WITH_RC4_128_MD5 (0x4) 128
SSL_DES_192_EDE3_CBC_WITH_MD5 (0x700c0) 168
SSL_RC4_128_WITH_MD5 (0x10080) 128

Miscellaneous
Test date: Sun Jun 17 22:52:25 UTC 2012
Test duration: 22.40 seconds
Server signature: Microsoft-IIS/7.0
Server hostname: -
Session resumption: No (IDs assigned but not accepted)
BEAST attack: Vulnerable - INSECURE
Secure Renegotiation: Supported, with client-initiated renegotiation disabled
Insecure Renegotiation: Not supported
Strict Transport Security: No
TLS version tolerance: 0x0304: 0x301; 0x0399: 0x301; 0x0499: 0x301
PCI compliant: No
FIPS-ready: No
Ephemeral DH: Not seen
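The hostname check Peter describes above (requested host vs. the name in the certificate) is what a browser does before it trusts the connection, and it is deliberately not the same as "the name resolves to that address". The following Python is an added example, not code from the thread or from any browser: it implements the usual RFC 6125 style name matching and shows why an IP literal such as 65.55.25.59 cannot match a certificate issued for www.update.microsoft.com. The certificate dictionaries, the `UPDATE_CERT` approximation of the one in the report (CN only, no alternative names) and the `*.example.test` wildcard case are all constructed for the example.

```python
import ipaddress
from typing import Dict, List

# Constructed approximation of the certificate in the SSL Labs report above:
# Common name www.update.microsoft.com, alternative names "-" (none).
UPDATE_CERT: Dict[str, object] = {
    "subject_cn": "www.update.microsoft.com",
    "san_dns": [],   # no dNSName entries
    "san_ip": [],    # no iPAddress entries
}

def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name comparison; a wildcard is allowed only as the
    whole left-most label and must leave at least two literal labels (no *.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def match_hostname(cert: Dict[str, object], requested_host: str) -> bool:
    """Return True when the host typed in the URL is covered by the certificate.

    Rules applied (as a browser would, independently of what DNS says):
      * an IP literal only matches an iPAddress subjectAltName entry;
      * when dNSName entries exist they are authoritative and the CN is ignored;
      * the CN is consulted only as a fallback when there are no dNSName entries.
    """
    san_dns: List[str] = list(cert.get("san_dns", []))  # type: ignore[arg-type]
    san_ip: List[str] = list(cert.get("san_ip", []))    # type: ignore[arg-type]

    try:
        ip = ipaddress.ip_address(requested_host)
    except ValueError:
        ip = None
    if ip is not None:
        # 65.55.25.59 is compared against iPAddress SANs only; a dNSName or CN
        # of www.update.microsoft.com never matches an address literal.
        return any(ipaddress.ip_address(s) == ip for s in san_ip)

    if san_dns:
        return any(_dns_name_match(p, requested_host) for p in san_dns)

    cn = cert.get("subject_cn")
    return isinstance(cn, str) and _dns_name_match(cn, requested_host)

def explain(cert: Dict[str, object], requested_host: str) -> str:
    """One-line, human-readable verdict for a log or a UI warning."""
    names = list(cert.get("san_dns", [])) + list(cert.get("san_ip", []))  # type: ignore[arg-type]
    names = names or [str(cert.get("subject_cn", ""))]
    verdict = "matches" if match_hostname(cert, requested_host) else "does not match"
    return f"{requested_host} {verdict} certificate names {names}"

if __name__ == "__main__":
    for host in ("www.update.microsoft.com", "65.55.25.59", "update.microsoft.com"):
        print(explain(UPDATE_CERT, host))
```

Running the block prints a match for www.update.microsoft.com and a mismatch for the bare address and for the parent domain, which is exactly the browser behaviour Peter describes: the certificate names the host, not the address the host happens to resolve to, so a client that fetched the URL by IP would have to present a certificate carrying that IP as an iPAddress alternative name to pass the check.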