

Could Bing Be a Honeypot?

I open a browser and go to https://www.bing.com/.

Safari on the Mac displays:


Firefox displays the following warning:


At first glance, it appears that www.bing.com, front-ended by longtime content delivery network provider Akamai, is using a wildcard cert with multiple Subject Alternative Names, but "*.bing.com" is not one of them.

But there's more. The certificate key size is only 1024 bits! Weak ciphers (< 128 bits) work! SSLv2 works!! Is this a honeypot?

Now, the discussion occurring on Hacker News regarding this issue did point out that Bing does not advertise SSL support for www.bing.com but it does support SSL on web applications under ssl.bing.com. The concern I have here is that weak ciphers work to this host and SSLv2 connections also work (but the certificate key is 2048 bits at least). So, things aren't much better on ssl.bing.com.
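The checks behind these observations (name matching against the SAN list, key size, protocol version and cipher strength) can be written as a small audit. This is an added example, not part of the original post; the hostnames, SAN entries, scan records and thresholds below are constructed assumptions, not values taken from Bing's certificates.

```python
# Added example: audit a TLS scan record for the four problems discussed above.
# All hostnames, SAN lists and scan values are constructed for illustration.

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}   # assumption: treat both as unacceptable
MIN_RSA_BITS = 2048                     # assumption: minimum acceptable RSA modulus
MIN_CIPHER_BITS = 128                   # the "< 128 bits" line drawn in the post


def san_matches(hostname, pattern):
    """RFC 6125-style match: '*' may only be the whole left-most label
    and covers exactly one label, never a bare TLD."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat


def audit(hostname, sans, rsa_bits, protocols, cipher_bits):
    """Return a list of finding labels for one scanned endpoint."""
    findings = []
    if not any(san_matches(hostname, s) for s in sans):
        findings.append("hostname-mismatch")   # what triggers the browser warning
    if rsa_bits < MIN_RSA_BITS:
        findings.append("weak-key")
    if LEGACY_PROTOCOLS & set(protocols):
        findings.append("legacy-protocol")
    if any(bits < MIN_CIPHER_BITS for bits in cipher_bits):
        findings.append("weak-cipher")
    return findings


# Constructed records shaped like the two cases in the post: a CDN certificate
# that does not name the site, and a correctly named host with weak settings.
WWW_SCAN = dict(hostname="www.example.test",
                sans=["*.cdn-provider.test", "cdn-provider.test"],
                rsa_bits=1024, protocols=["SSLv2", "SSLv3", "TLSv1"],
                cipher_bits=[40, 56, 128])
SSL_SCAN = dict(hostname="ssl.example.test", sans=["ssl.example.test"],
                rsa_bits=2048, protocols=["SSLv2", "TLSv1"],
                cipher_bits=[56, 128, 256])

if __name__ == "__main__":
    for scan in (WWW_SCAN, SSL_SCAN):
        print(scan["hostname"], audit(**scan))
```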



