3

When I log into outlook.com using Chrome browser, I get a certificate warning for one account but not another. One says my connection is private, the other says it "may not be private".

Here are the messages:

Good:

Good cert

Bad:

Bad cert

What's going on here? If you need more info please say so in the comments.

murray
  • 133
  • 3
  • If you look at the screen shots though they both seem to be using HMAC-SHA1. However, I did notice that the "bad" account was upgraded to the "outlook mail preview" that Microsoft is rolling out, so that explains the difference. The question still remains why one is getting warned for SHA1 and not the other. Also, the bad one is complaining about "No Certificate Transparency"... not sure what that means. – murray Aug 24 '15 at 00:09
  • @redmint HMAC-SHA1 for the data and SHA1 for the certificate signature are **completely different** things. The first section "identity of this website" is about the certificate chain; only "outlook" has "signature algorithm based on SHA-1" and gives the warning at the top and the red X on the bar. The second section "connection ... is encrypted" is *not* about the certificate and both sites have "HMAC-SHA1 ... authentication" but this is irrelevant; Chrome calls *all* HMACs "obsolete" and only GCM or POLY1305 is "modern". ... – dave_thompson_085 Aug 24 '15 at 02:53
  • ... Certificate Transperency is explained in the Wikipedia entry named Certificate Transparency, at the website www.certificate-transperency.org, and in detail in the RFC (6962) titled Certificate Transparency, which are the first three hits when I google for Certificate Transperency. – dave_thompson_085 Aug 24 '15 at 02:55
  • More about "No Certificate Transparency": http://security.stackexchange.com/questions/52834/what-exactly-does-it-mean-when-chrome-reports-no-certificate-transparency-infor – lepe Aug 24 '15 at 04:04

1 Answers1

2

What I can see, is that the main difference is not about "SHA1" but about the certificate chain. See the icons. Both "SHA1" messages are locked with a green icon, but the part about about the identity of the website is different.

GOOD: *.mail.live.com . Certification owned by Microsoft, verified by Symantec Class 3.

According to digicert.com, no error or warning was found in the certificate. Not sure why no warning is displayed about the use of "SHA1".

Issuer: (Extended Validation : EV)

  • Symantec Class 3 EV SSL CA - G3
  • VeriSign Class 3 Public Primary Certification Authority - G5

BAD: outlook.live.com . Certification owned and verified by Microsoft. Probably the certificate is not correctly set or recognized by Chrome (see issuer).

According to digicert.com, it found 1 warning: SSL Certificate uses a deprecated signature hash.

Issuer: (Organizationally Validated: OV)

  • Microsoft IT SSL SHA1
  • Baltimore CyberTrust Root

So I strongly think that there is a small recognition problem of the chain issued by Microsoft itself.

lepe
  • 2,194
  • 2
  • 16
  • 29
  • This tool is also useful to see the differences: https://cryptoreport.websecurity.symantec.com/checker/views/certCheck.jsp – lepe Aug 24 '15 at 01:08
  • 1
    The problem is in the certificate chain, and the problem in the certificate chain is "signature algorithm based on SHA-1". So it is both the certificate chain and SHA-1. What it is NOT is HMAC-SHA1. – dave_thompson_085 Aug 24 '15 at 02:57
  • You are right dave. – lepe Aug 24 '15 at 03:54