« There is an Introduction to iRules Book Out | Main | An OpenSSL Version Matrix »

04/19/2013

Could Bing Be a Honeypot?

I open a browser and go to https://www.bing.com/.

Safari on the Mac displays:

Bing2013SSLErrorSaf

Firefox displays the following warning:

Bing2013SSLErrorFF

At first glance, it appears as if www.bing.com, front-ended by longtime content delivery network provider Akamai, is using a wildcard cert with multiple Subject Alernative Names but "*.bing.com" is not one of them.

But there's more. The certificate key size is only 1024 bits! Weak ciphers (< 128 bits) work! SSLv2 works!! Is this a honeypot?

Now, the discussion occurring on Hacker News regarding this issue did point out that Bing does not advertise ssl support for www.bing.com but it does support ssl on web applications under ssl.bing.com. The concern I have here is that weak ciphers work to this host and SSLv2 connections also work, (but the certificate key is 2048 bits at least). So, things aren't much better on ssl.bing.com.

 

 

TrackBack

TrackBack URL for this entry:
https://www.typepad.com/services/trackback/6a01156fbc6fe6970c017d42f40bb9970c

Listed below are links to weblogs that reference Could Bing Be a Honeypot?:

Comments