https://news.ycombinator.com/item?id=5576041 (8 months ago)
https://news.ycombinator.com/item?id=6937686 (1 month ago)
http://www.zdnet.com/bing-is-fine-insecure-as-ever-but-fine-... (April 2013)
> Bing has never supported secure connections...
Just like with Google: Google Internet Authority. Interesting to see big companies not trusting intermediate CAs anymore, to the point that they go to the length of becoming a CA themselves. However, it could also be a cost-effective strategy.
Probably cheaper for them to be their own CA long term.
We have wildcard certs for each of our properties, but the resources using those certificates are many orders of magnitude less numerous than the resources covered by the name of a multinational monster. And even though we use a wildcard for internal resources, we get specific keys generated and signed for client-specific stuff (if we host any service on <client>.<ourdomain>.<tld>, for instance), just as we have different SSH keys and such for accessing information sources they provide for integration purposes: not having the one all-powerful key limits the potential damage (and work involved) should any particular key/sub-key become compromised. If our internal key were to be stolen by a malicious entity or accidentally made public by a mistake on our part, then no client-specific resources would be affected (of course, to ensure this separation you need to distribute access to the private keys effectively so that they can't all get compromised in a single event).
… but no PFS :/
NSS doesn't support the Brainpool curves. OpenSSL does, but no mainstream browser uses it.
They need to talk to Google, Mozilla and others, and decide on using a new set of safe curves in their browsers. Using a broken one is not a solution.
The "NIST corrupted curves" you refer to are, for all intents and purposes, the Internet standard curves. Microsoft could provide a configuration that used only the Brainpool curves, but no browser would be able to talk to them.
Also, https://bing.com just redirected to plain http; now you can actually search over https, like with Google and DDG.