
Bing doesn't support SSL - timthelion
https://bing.com/
======
casca
TL;DR: bing SSL certificate is wrong.

<https://bing.com>: subject=/CN=*.bing.com

<https://www.bing.com>: subject=/C=US/O=Akamai Technologies,
Inc./CN=a248.e.akamai.net

~~~
rhplus
TL;DR: Bing doesn't support SSL on www.bing.com and has never publicized it as
a supported feature. The submitter had to manually type <https://www.bing.com>
into the address bar to generate this 'error'.

Bing does support SSL on ssl.bing.com and publishes various links on that sub-
domain, such as <https://ssl.bing.com/webmaster/home/mysites>

The fact that the <https://www.bing.com> redirects to the HTTP version should
be enough to show that this is a known, unsupported case on the primary domain.
The behavior has been like that for years.

~~~
TazeTSchnitzel
>TL;DR: Bing doesn't support SSL on www.bing.com and has never publicized it
>as a supported feature. The submitter had to manually type
><https://www.bing.com> into the address bar to generate this 'error'.

Or use HTTPS Everywhere. Personally, I'd also like it if in future, web
browsers would try HTTPS first and HTTP second.

~~~
wiml
I don't think browsers should assume that <http://blahblah> and
<https://blahblah> refer to the same resource.

~~~
ricardobeat
Why not?

~~~
gcr
Because it's up to the individual website administrator to ensure he published
them both the same way.

I can construct a web server that sends version A of a site over normal HTTP,
and version B of that same site over HTTPS.

In fact, sometimes I do that by accident. :)

It's a bad assumption.

------
nopal
I made a site that checked for SSL cert expirations and misconfigurations, but
I couldn't acquire any customers. I still think there's a business there
somewhere, although maybe it really only sells as part of another product.

Edit: If anyone wants a script to check their certificates, here you go:
<https://gist.github.com/bretwalker/5420652>. You'll just need to add in some
sort of notification logic, especially for expirations, since they need to
happen before a problem arises.

~~~
simonw
Sounds like something you could license to companies to use as a lead
generation tool - like HubSpot's Marketing Grader
<http://marketing.grader.com/>

~~~
nopal
That's a very interesting idea, Simon, and one that didn't even cross my mind.

I've since moved on to a new project. If anyone wants to talk about taking
over the site, shoot me a message at bretwalker /at/ Google's email. It's
Django and has some branding and a domain:
<http://static.nyquistrate.com.s3.amazonaws.com/media/certcian_logo.gif.png>

------
NelsonMinar
Bing is important. It's a good search engine, comparable to Google's quality
and size. And it's the only competition Google has in the US and most of
Europe. (Sites like DuckDuckGo and Yahoo pass queries on to Bing). Dumb errors
like this SSL problem are embarrassing, but the larger frustration is how
despite years of having a good product, they have so little market traction.

~~~
lelandbatey
I didn't know that DuckDuckGo and Yahoo pass their queries onto Bing. Does
anyone else have any information on that? It sounds really interesting.

~~~
nivla
If I recall correctly, DDG used to solely depend on Bing's Search API but now
they use various sources including their own to compile the search result.

------
olegbl
Neither does Hulu. <https://hulu.com/> Amazon redirects to HTTP:
<https://www.amazon.com/> Netflix redirects to HTTP: <https://netflix.com/>
Etc... Etc... Etc... Why pick on Bing?

~~~
ljd
I understand Hulu and Netflix but I have a hard time understanding why Amazon
wouldn't support SSL. It does put a heavier processing load on web servers but
you would think that if someone wants to encrypt their shopping traffic Amazon
would be open to accommodating that.

It is not, by any means, trivial to find out what products someone is looking
to buy and could be the basis of a social engineering hack.

------
aaronsnoswell
The real question is, why were you on bing? :P

~~~
timthelion
I couldn't find something on google, so I decided to give it a try. Can't
hurt. I wanted to find out if anyone has done a study on language
confusion (the effect where Russians have a hard time getting good at Polish
because they confuse Polish words with Russian ones). Still can't find it ;)

~~~
tszyn
Try googling / binging "L1 interference".

~~~
timthelion
Thanks!

------
Ricapar
Looks like someone pushed the wrong SSL cert to production:

    
    
      www.bing.com uses an invalid security certificate.
      
      The certificate is only valid for the following names:
        a248.e.akamai.net , *.akamaihd.net , *.akamaihd-staging.net  
    
      (Error code: ssl_error_bad_cert_domain)

~~~
dominicgs
Australian Ebay (<https://www.ebay.com.au/>) has had the same problem for
months, although I appear to get no response for <https://www.ebay.com>, so
I'm not sure what their policy is on SSL access to the homepage.

I expect that Microsoft will fix Bing much more quickly.

~~~
robglas
Passed this on to relevant team to look into for you (I'm with PayPal myself,
so not sure about eBay's SSL approach).

------
deepblueocean
Wow. This has been going on for an hour now. It's such a simple fix,
especially since one would _assume_ that they already have a valid cert
somewhere (or that Akamai does). Yet they've had an hour of SSL downtime.

Does anyone know if Bing has any SSL-only clients? Like do any of their
toolbars or built-in search widgets in Windows use SSL by default?

~~~
Trufa
Easy fix? What the hell?

I don't like or use Bing services but when you get as big and complex as Bing,
nothing is easy, it's not like you can open your text editor, modify one line,
commit and push.

There are so many other variables to take into consideration, by hurrying to fix,
you could face all sorts of vulnerabilities / other issues.

I'm not saying this error is acceptable, I'm saying it's ridiculous to say
it's an easy fix without actually knowing anything, it might or it might not.

------
icecreamguy
I've gotten a certificate error for over a year with Bing on HTTPS. I always
just assumed that they, somewhat surprisingly, just didn't support HTTPS yet.

------
webignition
Slightly off-topic: what's a good way to handle cases such as this where you
have a wildcard certificate?

I'll be getting a wildcard certificate for a project and, never having used
one before, I had assumed the certificate would be valid for an entire domain.

I understand from this situation that a wildcard certificate is relevant only
to <https://*.example.com> and not the subdomainless <https://example.com>.

Assuming that to be the case, is having a wildcard certificate for
*.example.com and a second certificate for example.com the solution? It'd be
nice to have the entire domain covered by a wildcard certificate and not just
all subdomains.

~~~
klapinat0r
Typically a certificate issuer will grant you both when you buy a wildcard
one.

This can be achieved via SAN (alternative names):
<http://en.wikipedia.org/wiki/Wildcard_certificate#Limitation>

~~~
vsync
Comodo's been good to me in this regard.

Incidentally, beware of RapidSSL and their "free www." SAN; they only grant it
in certain specific and undocumented circumstances.

~~~
andygambles
With RapidSSL if you order a cert for www.domain.com then it will also cover
domain.com. But if you order a cert for domain.com or sub.domain.com then it
will NOT secure the www.domain.com.

So basically make sure your CSR request is for www.domain.com if you want to
also secure the root domain.

~~~
vsync
Bizarrely, this only works for second-level domains however, and isn't
disclosed in advance.

Really, CAs shouldn't be throwing in "free bonus" SANs without customer
authorization ever. It would be much better to have a place to enter the SANs,
or a checkbox asking if I want "www." as well, or to apply to the parent also,
or whatever. That would also make the process more apparent to the user in
addition to being more secure.
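
As an added illustration of the wildcard question in this sub-thread (not code from any commenter): a simplified Python version of the name-matching rule clients apply to certificate names, run against names quoted on this page. The function names are invented for this example, and real validators additionally consult the public suffix list.

```python
# Added example: simplified certificate name matching (wildcard = one label).

def name_matches(pattern, hostname):
    """Match one certificate dNSName against a hostname.

    A wildcard is honoured only as the whole left-most label and stands
    for exactly one label, so "*.example.com" matches "www.example.com"
    but neither "example.com" nor "a.b.example.com".
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse over-broad patterns such as "*.com" (simplification:
        # real clients use the public suffix list for this decision).
        if len(p_labels) < 3:
            return False
        return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_covers(san_names, hostname):
    """True if any name in the certificate covers the hostname."""
    return any(name_matches(n, hostname) for n in san_names)


def uncovered(san_names, hostnames):
    """Hostnames that would produce a name-mismatch error with this cert."""
    return [h for h in hostnames if not cert_covers(san_names, h)]


# Constructed name lists. The Akamai names are the ones quoted in the
# browser error earlier in the thread; the example.com lists are made up.
WILDCARD_ONLY = ["*.example.com"]
WILDCARD_PLUS_APEX = ["*.example.com", "example.com"]
AKAMAI_EDGE = ["a248.e.akamai.net", "*.akamaihd.net", "*.akamaihd-staging.net"]
SITE_HOSTS = ["example.com", "www.example.com", "a.b.example.com"]

if __name__ == "__main__":
    print("wildcard only misses:", uncovered(WILDCARD_ONLY, SITE_HOSTS))
    print("wildcard + apex SAN misses:", uncovered(WILDCARD_PLUS_APEX, SITE_HOSTS))
    print("edge cert covers www.bing.com:", cert_covers(AKAMAI_EDGE, "www.bing.com"))
```

Running `uncovered()` over the full list of hostnames a site answers on, before ordering or deploying a certificate, shows which names still need their own SAN entry.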

------
LTheobald
It's not just Bing. I'm always accidentally going to
<http://stackoverflow.com> & getting an error.

~~~
rschmitty
Shh, only MS bashing can go on in this thread

~~~
jonknee
SO uses a MS stack so it's not too far off...

------
pasbesoin
Why should we take Microsoft's Internet efforts seriously when they continue,
perpetually, not to do so, themselves?

(Actions speak louder than words.)

------
smackfu
Bing is normally not served over https, so this probably only affects a tiny
percentage of the users, even though it looks bad here.

------
taylorbuley
This is the second major flub this year. Azure's cert expired in prod not many
weeks ago.

~~~
xonea
Well, it is not really a flub of this year. Or even something specific to Bing
(try <https://www.nba.com/> or <https://www.jetstar.com/>)

Basically Akamai is using the same ssl certificate on (most?) of its edge
servers. The reason for that is that traditionally it is difficult to decide
for a server that is serving multiple domains, which SSL certificate to show
for a client -- the HTTP header, which contains the hostname is sent way after
the certificate information has been exchanged.

A certificate can contain several hostnames (in the SubjectAlternativeName
extension) - but that does not scale if you have a big number of sites for a
number of reasons (re-signing the certificate all the time is a nuisance,
browser behavior with certificates containing several thousand hostnames is
kind of fun, etc.).

Nowadays there are solutions to that problem (using the Server Name Indication
TLS extension -- which basically sends the desired hostname in the TLS
exchange before the certificate is exchanged). However, the number of sites
actively using SNI is very low - google is the only site known to me that is
doing it (try accessing google.com with/without SNI and you will get
completely different certificates).

The reason why SNI is not yet that much used is that client support is still a
bit flaky. Afaik it is supported by all recent desktop browsers. However, I
think the XP TLS stack does not support it (and there are still enough users
on that), android only supports it starting with version 3.0, etc.

So - at the moment you basically still need a separate IP for each site (or at
least one IP for sites that can share one certificate).

I don't know if akamai also supports custom SSL certificates. Facebook seems
to use kind of an interesting mix between akamai and self-hosting -
facebook.com itself seems to be hosted by facebook. However, if you use
facebook over ssl and check the url of served profile pictures, you will see
that they go to <https://fbcdn-profile-a.akamaihd.net> (or similar) -- hence
to one of the hostnames that is mentioned in the akamai edge certificates.

~~~
QA_Confidential
Akamai isn't using the same certificate on its edge servers, unless you mean
the same customer certificate being replicated (in which case you are
correct). Basically, Akamai maps each ssl certificate to a slot on the cache
server, which is assigned to a map similar to the standard edge CDN. Each edge
machine thinks itself the site. Each time a new certificate is issued by an
Akamai partner CA or the customer's CA of choice, it is pushed out by Akamai
to the ssl edge network.

SAN certs are an entirely different ball of wax. Akamai does support them, but
there are some challenges getting them deployed.

Unfortunately, the deployment for any type of certificate with Akamai is a
very manual process.

------
SG-
bing.com doesn't do SSL, never did except at ssl.bing.com (which doesn't
actually do SSL anymore).

------
kylesethgray
Looks like it might be related to the reddit DDOS:
<http://www.reddit.com/r/redditTraffic/comments/1coaer/20130419_crazy_fucking_night/c9igsc4>

~~~
SG-
No.

------
zoowar
Google should start a "don't get Bingle Berried" campaign like Microsoft's
Scroogled.

~~~
psbp
Don't get Fucked in the ass by Microsoft _

~~~
zoowar
No, not that. This =>
<http://www.urbandictionary.com/define.php?term=dingle+berry>

------
mekoka
The real question is, is bing.com even supposed to be served over https?

~~~
sdfjkl
With very few exceptions, everything is supposed to be served over HTTPS (or
other secure protocols). Certainly something as sensitive as search traffic.
Tell me your search queries and I'll tell you your interests, health problems,
relationships, if you're happy in your job and what kind of porn you like.

~~~
ccarter84
That last one is where they get ya

------
l0c0b0x
This just means that there is no redirect on www.bing.com via SSL. Bing.com
(ssl) has a proper re-direct to non-ssl www.bing.com.

Most likely an oversight, but it does suggest ssl isn't supported.

------
tosseraccount
Short Microsoft.

25000 more employees can't fix this kind of incompetence.

~~~
ccarter84
There's gotta be some kind of organizational size:responsiveness inverse
metric for stuff like this

------
Osiris
This is pretty embarrassing after their Azure SSL certification expirations
issues just a month or so ago.

------
johnchristopher
For what it's worth I always had problems reaching bing.com when using
openDNS.

------
mergy
The extra cert dialogue box will really drive up traffic. #not

------
lurkinggrue
People use bing?

------
a_1
why would you use bing?

------
rileytg
HA!

------
bwooceli
back up as of 8:42 CST

~~~
joshstrange
I'm still seeing it 9:50 EST

------
Y0L0
I sincerely hope that this is not some sick and twisted joke by Microsoft.

~~~
theycallmemorty
I think you're in the clear.

