Jul 17, 2008

Microsoft Using Self-Signed SSL Certificates

Can anyone tell me why in the free world Microsoft, a multi-billion dollar corporation, thought it would be best to use self signed SSL certificates to secure their public websites? Anyone? Hello?!?!?!

This isn't the first time I noticed this, but today I decided to go ahead and write about it. The other day I went to login to my MCP account to get some information, and I saw that their site was secured by a self signed SSL cert. Today I went to login to my company's volume license account, and once again it is "secured" by a self signed SSL cert. Now, I use self signed certs all the time for home stuff, and for internal web servers for my company, but if I was running a multi billion dollar empire, I think I could probably afford $2000 for a Verisign cert! I mean, it is a trust issue. Do I trust YOUR self signed cert? Hell no! Do I trust mine? Sure. Do I trust Microsoft's self signed certs? I don't know. How do I know someone didn't poison DNS, and redirect me to some phishing site?

Seriously! The problem with self signed certs is that ANYONE can make one, and issue it to themselves. Having a trusted public certificate authority like Verisign validate a websites identity is one of the main reasons for having an SSL certificate!

Here is a screen shot of Microsoft's Volume License website's cert info taken from Firefox:

microsoft self signed ssl

Am I being to harsh here? Am I being too paranoid? Whats your take on this?

Twitter Delicious Facebook Digg Stumbleupon Favorites More

Design by Free WordPress Themes | Bloggerized by Lasantha - Premium Blogger Themes | stopping spam