Closed Bug 1054719 Opened 11 years ago Closed 10 years ago

update.microsoft.com/microsoftupdate - This Connection is Untrusted

Categories

(Web Compatibility :: Site Reports, defect)

x86_64
Windows 7
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: alice0775, Assigned: karlcow)

Details

(Whiteboard: [country-us] [ssl] [sitewait])

https://update.microsoft.com/microsoftupdate/ uses a certificate signed by "Microsoft Update Secure Server CA 1", which doesn't chain up to anything we trust. As in the connection is in fact untrusted! Same thing in Chrome and Safari (at least on Mac).
Assignee: nobody → english-us
Component: Security → English US
Product: Core → Tech Evangelism
Contacted our Web compat counterpart at Microsoft about it by email.
Assignee: english-us → nobody
Status: NEW → ASSIGNED
Component: English US → Desktop
Summary: https://update.microsoft.com/microsoftupdate/ - This Connection is Untrusted → update.microsoft.com/microsoftupdate - This Connection is Untrusted
Whiteboard: [country-us] [ssl] [contactready] [sitewait]
See Also: → 1052155
Whiteboard: [country-us] [ssl] [contactready] [sitewait] → [country-us] [ssl] [sitewait]
It seems there is a similar issue on Bug 1052155.
Assignee: nobody → kdubost
Thank you for letting us know about this. We looked into this. The Microsoft Update site is a legacy site which supports Internet Explorer and does not support other browsers or non-Windows operating systems. If you would like to opt-in to receive updates from Microsoft Update, please visit the site using Internet Explorer.
It would be nice to have these certificates included. It's causing a snowball effect among the Linux distros that use the Mozilla CA-certificates. It will cause Squid (http and https proxy caching server) and other https/http proxy servers running on Linux.
If the Microsoft root certificates were included, Linux machines running squid (proxy caching server) would have no problems providing Microsoft Updates to Windows machines that go through the proxy server. Here is a referenced bug with Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1359695 The Ubuntu bug tells us to go to Mozilla to fix the issue. Please fix the issue. System admins want to save bandwidth and network congestion.
This bug isn't about us including a new cert root. It's about Microsoft using a recognized cert root. If people want us to actually add a new cert root, that presumably needs a new bug, and typically requires the source of the root to actually do some work. Which Microsoft may well not be willing to do, note. See https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
Flags: needinfo?(kwilson)
What info do you need from me? Microsoft already responded in Comment #4. Based on that response, I don't think they are planning to go through Mozilla's root inclusion process. Also, it would be easier/faster for them to get cross-signed by an already-included root -- this wouldn't involve me or Mozilla at all.
Flags: needinfo?(kwilson)
Kathleen, the only question for you is whether my summary of the situation in comment 8 is correct. Sounds like it is, in the sense that we have no plans to add a random root that doesn't make any promises about its behavior, right?
(In reply to Boris Zbarsky [:bz] from comment #10)
> Kathleen, the only question for you is whether my summary of the situation
> in comment 8 is correct. Sounds like it is, in the sense that we have no
> plans to add a random root that doesn't make any promises about its
> behavior, right?

Correct.
This doesn't seem to be a Tech Evangelism issue anymore. I will close it as WONTFIX, or move it to an appropriate Product/Component.
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX
Product: Tech Evangelism → Web Compatibility