“Yes, but isn’t Sony always getting hacked? Maybe the ideal thing would be a PlayStation that uses Microsoft’s web services!”
But yeah, their services are buggy as crap.
Another instance that reminded me Sony is indeed not a software company is their mobile app. MITM'd it to discover that they were sending something like 500 requests (totalling over 100MB IIRC) every time I opened the app. Wtf?
It's too bad -- they list "Affected Software" but they don't seem to disclose the earliest time that xboxlive.com shouldn't have been trusted.
Is it common to issue a certificate for a year, but make it active for the previous year as well?
Look, I guarantee there's a game shop in Small Town, USA, right now with more Xbox One consoles on their shelf than they'll sell in three or more years. And I guarantee you'll find "new in box" Xbox Ones on eBay 8-10 years from now.
Even if Microsoft stopped producing new Xbox Ones this afternoon, it wouldn't magically make those ones disappear.
However, Xbox users might not be able to make the connection. Explicit is better than implicit for security announcements, I daresay.
> An automatic updater of certificate trust lists is included in supported editions of ... Windows 10 ...
They only mention the certificate trust list, which I believe is a hardcoded list of certificates that Windows trusts. I understand that they should remove it from there, but don't they also have to revoke the certificate for non-Windows systems that use the standard verification methods?
Edit: Actually, I just checked the Chrome CRLSet; it doesn't appear to have revocations for any certificates from "Microsoft IT SSL SHA2" :(. You can turn on OCSP verification in most browsers, which should do it.
I don't think it's somebody just posting it online, or moving it.