

Even Akamai screws up their SSL certs - staunch
https://www.akamai.com/

======
agwa
Actually, they probably don't intend for people to use www.akamai.com with
HTTPS. If you add an override for the bad cert, you end up getting redirected
to a non-HTTPS site anyways. I don't see anything like a login link on
www.akamai.com so this is probably OK. (Of course it would be nice if
_everything_ were HTTPS...)

~~~
pipeep
> Of course it would be nice if everything were HTTPS...

Nice try, Certificate Authorities!

~~~
fragmede
>> Of course it would be nice if everything were HTTPS...

> Nice try, Certificate Authorities!

Nice try, NSA.

~~~
richforrester
>>> Of course it would be nice if everything were HTTPS...

>> Nice try, Certificate Authorities!

> Nice try, NSA.

Nice try, HN.

~~~
gouggoug
Nice try... wait, this is not on reddit. Let's stop the joke now.

------
dsl
This happens with almost any Akamai'zed domain, if you drop https:// in front
of it you get the shared Akamai cert. Customers that pay for SSL get their own
pool of IPs that respond with only their cert.

Same thing happens with any shared web host that happens to listen on SSL.

~~~
tantalor
So Akamai couldn't afford to pay themselves for their own IP pool and SSL
cert? Poor guys.

~~~
dsl
The customer portal is at
[https://control.akamai.com/](https://control.akamai.com/)

www is literally just a sales site.

------
patcheudor
Better yet, where they absolutely mean to use HTTPS they sometimes use weak
keys and ciphers and get an "F" from the Qualys SSL Labs tool.
Blogs.akamai.com isn't the only place this happens:

[https://www.ssllabs.com/ssltest/analyze.html?d=blogs.akamai....](https://www.ssllabs.com/ssltest/analyze.html?d=blogs.akamai.com)

~~~
mnordhoff
Not the biggest crisis. Okay, they have several awful cipher suites enabled,
but no sane client would ever use them. The client report shows that almost
every client uses AES; a couple crappy ones use RC4 or 3DES.

They don't have PFS, either. That's bad, though unfortunately still common. As
far as I know Akamai's position is that the (small) performance cost of PFS is
unacceptable. They would be delighted if it was faster (which people are
working on).

I think the F is because of the 1024-bit, MD5 CA. That seems to be more of an
argument for clients to disable that CA certificate, especially since there's
another, good trust path, but maybe I'm missing something.

~~~
brians
Indeed, it looks like that's a bug in the SSL labs rating scheme: given two
trust paths, it takes the longer one.

The Baltimore root is trusted, but also signed by the old GTE 1024-bit root.
It's not clear to me what harm it does to have an appendix of old roots above
a well-managed, trustworthy trusted root.

~~~
ivanr
No, the issue is not with the trust paths. The old 1024-bit root is in
Mozilla's trust store, where it's a danger to everyone. SSL Labs reuses their
store, which is why the weak root shows up in the trust paths.

Technically, the F for blogs.akamai.com was a bug (now corrected; the grade
after the fix is C). I say "technically" not because I approve of export
cipher suites, but because the implementation did not follow the documentation
(the rating guide, linked from every report). Export suites are hopelessly
weak and will be treated more harshly in the next guide revision. The new
grade is certainly not something to be happy about.
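The weaknesses mnordhoff and ivanr are arguing about above (export suites, RC4, 3DES, MD5, no forward secrecy, and a 1024-bit root in the chain) can be checked mechanically from a server's suite list and certificate chain. The script below is an added example written for this thread, not SSL Labs code and not its rating guide, so it reproduces none of the grades mentioned; it only flags the individual findings. Suite names follow OpenSSL's naming convention, and the two server configurations it runs against are constructed for the example, not captured from any real host.

```python
"""Simplified TLS configuration review (added example, not SSL Labs code).

Flags the weakness classes discussed in the thread: export-grade suites,
RC4, single/triple DES, MD5 MACs, absence of forward secrecy, and short
keys in the certificate chain.  Suite names are OpenSSL-style.
"""
import re

# Key exchanges that give forward secrecy: ephemeral (EC)DH prefixes.
_PFS_PREFIX = re.compile(r"^(ECDHE|EECDH|DHE|EDH)-")
# Export-grade suites ("EXP-" and the old "EXP1024-" variants).
_EXPORT = re.compile(r"^EXP(1024)?-")
# Single DES: "DES-CBC-"; note "DES-CBC3-" (3DES) deliberately does not match.
_SINGLE_DES = re.compile(r"(^|-)DES-CBC-")


def classify_suite(name):
    """Return (has_forward_secrecy, [weakness labels]) for one suite name."""
    n = name.upper()
    weak = []
    if _EXPORT.search(n):
        weak.append("export-grade")
    if "NULL" in n:
        weak.append("no encryption")
    if "RC4" in n:
        weak.append("RC4")
    if "DES-CBC3" in n or "3DES" in n:
        weak.append("3DES")
    if _SINGLE_DES.search(n):
        weak.append("single DES")
    if n.endswith("-MD5"):
        weak.append("MD5 MAC")
    return bool(_PFS_PREFIX.search(n)), weak


def assess(config):
    """Return issue strings, in encounter order, for a server config dict with
    "suites" (list of names) and "chain" (list of cert dicts carrying
    subject, key_bits, sig_alg and self_signed).  Empty list = nothing flagged."""
    issues = []
    any_pfs = False
    for suite in config["suites"]:
        pfs, weak = classify_suite(suite)
        any_pfs = any_pfs or pfs
        for w in weak:
            issues.append(f"suite {suite}: {w}")
    if not any_pfs:
        issues.append("no cipher suite offers forward secrecy")
    for cert in config["chain"]:
        if cert["key_bits"] < 2048:
            issues.append(f"cert {cert['subject']}: {cert['key_bits']}-bit key")
        # A root's self-signature is never verified by clients, so its
        # signature algorithm is irrelevant; its key size still matters,
        # because that key signs the next certificate down.
        if not cert.get("self_signed") and cert["sig_alg"].upper().startswith("MD5"):
            issues.append(f"cert {cert['subject']}: signed with {cert['sig_alg']}")
    return issues


# Constructed sample configurations (not real servers).
BLOG_LIKE = {
    "suites": ["AES128-SHA", "RC4-SHA", "DES-CBC3-SHA", "EXP-RC4-MD5", "EXP-DES-CBC-SHA"],
    "chain": [
        {"subject": "blog.example (leaf)", "key_bits": 2048,
         "sig_alg": "sha1WithRSA", "self_signed": False},
        {"subject": "Example Intermediate CA", "key_bits": 2048,
         "sig_alg": "sha1WithRSA", "self_signed": False},
        {"subject": "Example Legacy Root", "key_bits": 1024,
         "sig_alg": "md5WithRSA", "self_signed": True},
    ],
}
PORTAL_LIKE = {
    "suites": ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA384", "AES128-SHA"],
    "chain": [
        {"subject": "portal.example (leaf)", "key_bits": 2048,
         "sig_alg": "sha256WithRSA", "self_signed": False},
        {"subject": "Example Modern Root", "key_bits": 2048,
         "sig_alg": "sha256WithRSA", "self_signed": True},
    ],
}

if __name__ == "__main__":
    for label, cfg in (("blog-like", BLOG_LIKE), ("portal-like", PORTAL_LIKE)):
        print(f"== {label}: {len(assess(cfg))} issue(s)")
        for issue in assess(cfg):
            print("  -", issue)
```

The chain check only counts key size for a self-signed root, which is the point ivanr makes: the danger of the old 1024-bit root is that it sits in the trust store, not that it appears in a longer path. A real tool would feed this from the server's actual handshake rather than a hand-written list.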

------
hercynium
_chuckles_

This isn't an SSL cert screw-up, but certainly a silly misconfiguration. They
should certainly have known better than to let that happen.

To be fair... when I worked there, I thought about different ways to
transparently enable SSL across all domains using a CDN that would work with
all existing SSL-enabled browsers and it's a freakin' hard problem. There are
potential solutions, but they're not particularly cheap or simple given the
IPv4 address crunch and for Akamai even more so since the edge servers are so
widely distributed.

Bottom line - I never pitched the idea anyway because while I was interested
in making the internet a better place, I knew that it was DOA at Akamai
because they're much more interested in making it a more _profitable_ place,
and I couldn't think of a strong-enough business case...

~~~
tantalor
It might compete with their current, which bundles SSL with dedicated, static
IPs. Although IPv6 should solve that scarcity.

------
Mindless2112
Only partly related: Most websites don't get proper certificates for their
FQDN -- even Google [1]. That, to me, is screwed up.

[1] [https://www.google.com./](https://www.google.com./)
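Two things in this thread come down to the same check a browser runs after the handshake: dsl's point that a non-SSL Akamai'zed domain answers with the shared CDN cert (whose names do not include yours, so the browser refuses it), and Mindless2112's point that a hostname with a trailing dot is a different string from the one on the certificate. The code below is an added example of that name-matching step, written for this thread and not taken from any browser or library; it normalizes the trailing dot away, which is one policy choice (the thread notes Chrome 32 and Firefox 26 disagreed on it). The SAN lists are constructed for the example, not copied from any real certificate.

```python
"""Certificate hostname matching (added example; not browser or library code).

Implements the usual rule: a hostname matches a certificate if it equals one
of the certificate's DNS names exactly, or matches a name whose leftmost
label is a single wildcard "*".  Comparison is case-insensitive and a
trailing root dot is normalized away.  Partial-label wildcards ("w*.x")
and wildcards spanning more than one label are rejected.
"""
from typing import Iterable


def _normalize(name: str) -> str:
    """Lower-case the name and strip one trailing root dot ("host." -> "host")."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    return name


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """True if the certificate name `pattern` covers `hostname`."""
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole leftmost label, must not be the only
    # label before a public suffix-like tail ("*.com"), and covers exactly
    # one label of the hostname.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ""


def hostname_matches_cert(hostname: str, san_dns_names: Iterable[str]) -> bool:
    """True if any subjectAltName DNS entry covers the hostname."""
    return any(dns_name_matches(p, hostname) for p in san_dns_names)


# Constructed SAN lists (not taken from any real certificate).
# A shared CDN certificate only names the CDN's own hostnames...
SHARED_CDN_CERT_SANS = ["cdn-shared.example.net", "*.cdn-shared.example.net"]
# ...whereas a customer paying for SSL gets a cert naming its own domain.
CUSTOMER_CERT_SANS = ["customer.example.com", "www.customer.example.com"]

if __name__ == "__main__":
    cases = [
        ("www.akamai.example", SHARED_CDN_CERT_SANS),          # mismatch: shared cert
        ("assets.cdn-shared.example.net", SHARED_CDN_CERT_SANS),  # wildcard match
        ("www.customer.example.com.", CUSTOMER_CERT_SANS),       # trailing-dot FQDN
    ]
    for host, sans in cases:
        print(f"{host!r:40} -> {'OK' if hostname_matches_cert(host, sans) else 'NAME MISMATCH'}")
```

This is why the override agwa describes is needed for www.akamai.com: the cert the shared IP hands back is valid, just not for that name. Whether the trailing-dot case should pass is exactly the browser disagreement reported in the replies; this example answers yes by normalizing it, and a stricter implementation would drop the `_normalize` dot-stripping and fail it.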

~~~
theGimp
That works just fine for me.

~~~
cynix
Works in Chrome 32, does not work in Firefox 26.

~~~
ekianjo
Does not work in Chrome 26 (yeah, ancient version, I know).

------
acdha
The main site is basically marketing - their customer portal, which actually
has sensitive content, uses HTTPS sanely:

[https://www.ssllabs.com/ssltest/analyze.html?d=control.akama...](https://www.ssllabs.com/ssltest/analyze.html?d=control.akamai.com)

------
dredmorbius
This issue has been hitting APM's MarketPlace website
([https://www.marketplace.org/](https://www.marketplace.org/)) for at least a
year now.

Mucks up their CSS as well, best I can tell.

------
ggoddard
[https://twitter.com/csoghoian/status/428228534675308545](https://twitter.com/csoghoian/status/428228534675308545)

------
jdubs
I blame the keystore and the dreaded keytool.

