Microsoft Passport security certificate invalid

Originally posted by Capt'n Midnight
I take it you have gone to http://windowsupdate.microsoft.com and applied the security cert patches..

Updated every day.

Floater

Originally posted by ecksor
And the error you get? I didn't reproduce an error following the steps you gave. The cert appears valid on two browsers I tested with (one version of IE and one Mozilla variant).

Internet Explorer > Tools > Internet Options > Advanced > (Security) "Warn about invalid site certificates" checkbox is ticked on mine. Is it on yours?

This forum is for the discussion of security. There are many many interesting issues that arise because of Microsoft's monopolistic practices, their passport system, the many software vulnerabilities, their 'trusted computing' initiatives, etc etc. Please feel free to discuss them.

Please do not take every opportunity you can find to mindlessly bash Microsoft outside of that.

Mindless bashing? I bought Microsoft Outlook 2003 the other day and installed it (used to use Outlook 2002). I have three e-mail accounts installed with a default account specified.

When I create an e-mail I have to manually specify the account I am sending from. The default setting doesn’t work for this.

When I reply to an e-mail received, it always uses my default account. It should use the account that the other party used to contact me.

While it managed to pick up my address book from Outlook XP, (and I can see all my contacts details in the “contacts” window), I can’t e-mail them without manually entering their e-mail addresses! The “to” button on the e-mail window turns up a blank.

These are basic e-mail functions that should work out of the box without a hitch. This is appalling quality control!

There are some nice features in Outlook 2003 in terms of the presentation options for viewing e-mail and the way it detects spam and sends it to a separate folder automatically.

However if they can’t get the basics right in terms of “to” and “from” in an e-mail something tells me that I shouldn’t trust this company on other critical issues such as security. If you think this is “mindlessly bash(ing)” Microsoft please think again.

Floater

Originally posted by ecksor
I don't use IE normally, so I haven't configured it at all. The version of IE that I do use (5.2 on a Mac) doesn't have the set of options that you refer to as far as I can tell briefly and I'm not about to expend much effort looking for the equivilent.

Why have you not provided a URL or an exact error message? What does Mozilla tell you?

"Your Web browser options are currently set to disable cookies. To use .NET Passport, you must enable cookies."

Which is irrelevant. If you have an SSL certificate issued to "gov.ie" and if you use it on "ecksor.com" it shouldn't work without warning the user. The same holds for a certificate issued to passport.com. It shouldn't be used for passport.net or passport.ie or anything else.

Look at the certificate and you will see the difference between it and the URL. You don't need a browser error message!

Floater

Originally posted by ecksor
Did you or did you not get a browser error message? If you did, are you now able to reproduce it? If so, what URL are you getting it on, and what error message are you getting? Does anyone else get the same error?

I have been presented with a server cert for login.passport.com, but I have also been served a cert for registernet.passport.net and probably others.

Your comparison between the URL and the certificate is flawed. Elements of those pages are being served from several different SSL servers which all need to be appropriately identified, not just the server contained in the URL.

Against my better judgement I allowed MS cookies on my Moz browser for the purpose of experimentation. I went back and tried it again with Internet Explorer and it didn't warn this time with the same security settings.

Someone somewhere has made some changes!

Do we have an MS spy in our midst?

Floater