problems with MSN certificate chain
David Woolley
forums at david-woolley.me.uk
Fri Jan 18 08:09:48 EST 2013
Matthias Apitz wrote:
>
> Since today morning I can't connect to MSN anymore; it says that the
> certificates can't be validated;
This is the second report to the list.
I tried using a Windows Pidgin (probably a little dated). This also
produces a certificate warning, but I imagine most Windows users would
just select the option to ignore the problem.
Looking at the certificate, I think the problem is that the certificate
is for contacts.msn.com, but the server is local-bay.contacts.msn.com.
An earlier certificate for a server in the contacts.msn.com domain
(omega.contacts.msn.com) seems to be a wild card certificate (Subject:
*.contacts.msn.com).
My guess is that someone in Microsoft forgot the "*." when creating the
certificate.
I guess a work round for this that treated all MSN certificates as wild
card, wouldn't compromise security too much, but I suspect the amount of
work involved is disproportionate, given that the MSN service is in lame
duck mode.
Easier work rounds are likely to compromise security too much.
I'm not sure how Pidgin handles certificate chains on *nix, as there is
no standard place for trusted certificates, but the certificate chain
is: Baltimore Cyber Trust Root > Microsoft Internet Authority > MSIT
Machine Authority CA-2 > contacts.msn.com.
I'm concerned about the security of the real Messenger application if it
is not picking up on this error.
Note that I am in a weakly firewalled environment, so all possible
options for accessing the servers are open.
--
David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam,
that is no longer good advice, as archive address hiding may not work.
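The mismatch David describes (a certificate issued to contacts.msn.com presented by local-bay.contacts.msn.com, where a *.contacts.msn.com wildcard would have matched) is exactly what a TLS client's hostname check catches. The following is an added example, not code from the original post, Pidgin or Microsoft: a small reference implementation of RFC 6125 style hostname matching that shows why the plain name fails, why the wildcard succeeds, and which wildcard shapes a client must still refuse. It assumes the caller has already extracted the certificate's subject alternative names (and, as a fallback, the CN) into a list of strings; the certificate names used below are constructed for illustration.

```python
"""Hostname-versus-certificate matching as a TLS client performs it.

Added example (not from the original thread). Rules assumed, following
RFC 6125 section 6.4.3: a wildcard is only honoured as the entire
left-most label, it matches exactly one label, it is not accepted for
top-level names such as "*.com", comparison is case-insensitive, and an
IP-address literal is only ever matched exactly.
"""
import ipaddress


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name `pattern` covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False

    # An IP literal in the connection target is never matched by a wildcard.
    try:
        ipaddress.ip_address(hostname)
        return "*" not in pattern and pattern == hostname
    except ValueError:
        pass

    plabels = pattern.split(".")
    hlabels = hostname.split(".")

    # A wildcard never spans labels, so the label counts must agree.
    if len(plabels) != len(hlabels):
        return False

    if plabels[0] == "*":
        # Refuse "*.com": the wildcard must leave at least two fixed labels.
        if len(plabels) < 3:
            return False
        return plabels[1:] == hlabels[1:]

    # Partial wildcards such as "local-*.contacts.msn.com" are not accepted.
    if any("*" in label for label in plabels):
        return False

    return plabels == hlabels


def cert_matches_host(cert_names, hostname):
    """Return the first certificate name covering `hostname`, else None.

    `cert_names` is the list of dNSName SAN entries (plus CN fallback)
    already pulled out of the certificate by the caller (assumption).
    """
    for name in cert_names:
        if hostname_matches(name, hostname):
            return name
    return None


# Constructed sample data: the name the post says is on the certificate,
# and the wildcard shape the earlier omega.contacts.msn.com certificate used.
CERT_AS_ISSUED = ["contacts.msn.com"]
CERT_WITH_WILDCARD = ["*.contacts.msn.com"]
TARGETS = ["contacts.msn.com", "local-bay.contacts.msn.com", "a.b.contacts.msn.com"]


def main():
    for names in (CERT_AS_ISSUED, CERT_WITH_WILDCARD):
        for host in TARGETS:
            matched = cert_matches_host(names, host)
            verdict = f"accepted via {matched}" if matched else "REJECTED (name mismatch)"
            print(f"cert {names} for server {host}: {verdict}")


if __name__ == "__main__":
    main()
```

Running it shows the failure mode from the thread: the plain name only accepts contacts.msn.com itself, while the wildcard accepts local-bay.contacts.msn.com but, correctly, neither the bare domain nor a two-level subdomain. A client that silently ignores the rejected case, as the post worries the real Messenger client might, loses the protection the chain was meant to provide.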