Xbox Live billing site snubs Firefox

Customers visiting an Xbox Live billing site with Firefox are liable to get a false warning that Microsoft's digital certificate is "invalid". The certificate is fine and IE users are unaffected by the glitch, which represents the reappearance of an intermittent bug limited to gamers who use Mozilla's open source browser. Reg …

COMMENTS

This topic is closed for new posts.
  1. moylan
    Alien

    and they say that microsoft doesn't keep up

    just a new version of 'dos isn't done till lotus won't run'

  2. burnard
    FAIL

    I wouldn't worry...

    The xbox live billing site is useless anyway. All the account management can be done through the xbox. The only thing you might want to use it for is to cancel your subscription, but it won't allow you to do that. You still have to ring or email customer services. So no great loss.

  3. GottaBeKidding
    FAIL

    Microsoft self-signed certificate

    The security 'expert' is an idiot. The cert is issued by Microsoft directly - There is no 'globally' trusted CA involved. The real news here is that Microsoft browsers have a non-trusted CA with unknown issuance policies in their certificate trust list.

    1. Anonymous Coward
      Pint

      No, that's not the issue.

      No, that's not the issue - You didn't check your facts before commenting any more than the "expert" in the story did.

      If you browse to the site in Firefox, the cert is issued by the following CA;

      CN = Microsoft Secure Server Authority
      DC = redmond
      DC = corp
      DC = microsoft
      DC = com

      If you browse to it in IE8, the cert provided was issued by the "Verisign Class 3 Public Primary Certification Authority - G5", a known global CA trusted by both IE and Firefox.

      So Microsoft have some sort of load balancers / reverse proxies in front of their webservers which serve content differently based on browser type. One group of servers uses an invalid cert, signed by a non-globally trusted CA, the others don't, they use a valid cert signed by a globally trusted CA.

      This is a mistake by Microsoft, not Mozilla / Firefox, but the mistake is not that Microsoft browsers have a non-trusted CA in their cert trust list. Check before jumping to conclusions.

      1. GottaBeKidding

        Microsoft Root Authority trust

        What's this, then, from a default install of IE:

        KeyID=5b d0 70 ef 69 72 9e 23 51 7e 14 b2 4d 8e ff cb
        Certificate Issuer:
        CN=Microsoft Root Authority
        OU=Microsoft Corporation
        OU=Copyright (c) 1997 Microsoft Corp.
        Certificate SerialNumber=00 c1 00 8b 3c 3c 88 11 d1 3e f6 63 ec df 40

        Oooh, look - Microsoft trusts itself, therefore we should trust Microsoft.

        1. Anonymous Coward
          Pint

          Except

          That cert / CA has nothing to do with the article, people are not psychic, and so cannot connect your non-sequitur with anything that went before.

          If that's the point you intended to make with your previous post, you failed to do so.

          It's also hardly surprising that Microsoft trusts its own CA servers. Would you expect them not to? There's no implication anyone else should trust Microsoft.

          For clarity, the cert presented by the site is not signed by that CA.

    2. Sub Wrath

      calm down love, take your pills

      all he did was confirm you get an "invalid cert" message in firefox, which is exactly what it does for me.

  4. Robert Grant
    Unhappy

    Does the same in 4.0beta1 and 4.0beta2

    That is all...

  5. Lionel Baden
    Joke

    wait wut !! lol

    i think among gamers 99% use teh Fox

    the other 1% chrome

    :)

    this will be interesting

    1. Anonymous Coward
      Pint

      Yes

      I think 99% of statistics are made up

      1. andy gibson
        Happy

        No

        I think it's more like 138%.

        1. Danington the Third
          Troll

          99% Firefox?

          I think you underestimate xbox 360 gamers. Once they suss out how to download without the help of xblm, then I'll read your statistics.

  6. Final Circuit

    Certificate path

    If you look at the certificate presented by billing.microsoft.com in IE, it shows the certification path (the chain of trust that SSL relies on) going back to the GTE CyberTrust Global Root certificate. All good. If you look at the certificate in Firefox, the certification path is just billing.microsoft.com so it just seems to be a self signed certificate with no chain of trust.

    On that basis, Firefox is quite right to flag it up, but the question remains whether it's Microsoft's certificate issuing or Firefox's certificate reading which is at fault.

  7. Anonymous Coward
    Gates Horns

    Can only cancel by ringing

    I encountered the same issue.

    However the bigger problem was that once you get to billing.microsoft.com to cancel your gold subscription (as directed in MS email), it directs you to xbox.com. It says you can change the autorenewal option to off once you get there.

    On xbox.com (us/international site) there is no way to cancel or turn autorenewal off, only buy more, and no indication on how you cancel. UK version of xbox site has no account info at all.

    Eventually a Google search revealed a phone number where one has to go through a tedious process to cancel.

    There is also no way to cancel from xbox itself, only buy more.

    A dirty way of doing business. Won't be using live again.

    1. Anonymous Coward
      Thumb Down

      #Cancel by ringing

      https://live.xbox.com/en-GB/accounts/MyAccount.aspx

      is where you turn off auto-renew, assuming you enabled it.

      If you want to downgrade to Silver (free) right now rather than at the end of your contract you need to ring. You won't get any money back though so there's no great advantage in doing so.

      It's simply because the charge is annual which is cheaper for them and therefore you, since they'd just pass the cost of collecting millions of subs monthly back to the customer anyway.

      >A dirty way of doing business. Won't be using live again.

      It's a fairly common payment model, although I suppose they could give you the option of paying a higher rate and taking it monthly.

  8. TJ 1
    Alert

    Microsoft has multiple certificate authorities

    The CA certificate used to issue the billing.microsoft.com certificate, valid for one year from 9th July 2010, has the key ID:

    08 42 e3 db 4e 11 66 f3 b5 08 c5 40 db 55 7c 33 46 11 83 38

    and the name "Microsoft Secure Server Authority".

    In Firefox 3.6/3.7 the current valid CA certificate for that name is valid for just under three years from 9th April 2008 and has the key ID:

    14 55 c4 39 e0 3d 2e d1 55 2e 48 96 b0 d8 7e 14 22 06 93 bc

    Looking at Firefox 4.0 beta 3 there are *no* Microsoft certificate authorities included in the default certificate store.

  9. JonJonJon
    FAIL

    Not a firefox problem ... ?

    Doesn't look like it's a Firefox problem to me. Looks like MS trust their own billing-related root cert in Windows and/or IE and Firefox doesn't trust it:

    jon@machine:~$ echo | openssl s_client -connect billing.microsoft.com:443 -CApath /etc/ssl/certs 1>/dev/null
    depth=0 /C=US/ST=Washington/L=Redmond/O=Microsoft/OU=Windows Live Operations/CN=billing.microsoft.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 /C=US/ST=Washington/L=Redmond/O=Microsoft/OU=Windows Live Operations/CN=billing.microsoft.com
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 /C=US/ST=Washington/L=Redmond/O=Microsoft/OU=Windows Live Operations/CN=billing.microsoft.com
    verify error:num=21:unable to verify the first certificate
    verify return:1
    DONE

    Or do other people have a billing.microsoft.com cert in their root certs?
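
Added example, not part of any comment in this thread: a small Python classifier for `openssl s_client` verify output, run over the lines quoted in the comment above. It separates a self-signed leaf (OpenSSL error 18) from a leaf whose issuer certificate was neither sent nor found locally (errors 20 and 21 at depth 0); the function names and result labels are this example's own.

```python
import re

# verify lines from the s_client output quoted in the comment above
SAMPLE = """\
depth=0 /C=US/ST=Washington/L=Redmond/O=Microsoft/OU=Windows Live Operations/CN=billing.microsoft.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=Washington/L=Redmond/O=Microsoft/OU=Windows Live Operations/CN=billing.microsoft.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=Washington/L=Redmond/O=Microsoft/OU=Windows Live Operations/CN=billing.microsoft.com
verify error:num=21:unable to verify the first certificate
verify return:1
"""

DEPTH_RE = re.compile(r"^depth=(\d+)\s+(.*)$")
ERROR_RE = re.compile(r"^verify error:num=(\d+):")


def parse_verify_output(text):
    """Map chain depth -> {"subject": str, "errors": [X509_V_ERR codes]}."""
    chain, depth = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = DEPTH_RE.match(line)
        if m:
            depth = int(m.group(1))
            chain.setdefault(depth, {"subject": m.group(2), "errors": []})
            continue
        m = ERROR_RE.match(line)
        if m and depth is not None:
            chain[depth]["errors"].append(int(m.group(1)))
    return chain


def diagnose(text):
    """Classify the failure; labels are this example's own, not OpenSSL's."""
    chain = parse_verify_output(text)
    codes = {c for entry in chain.values() for c in entry["errors"]}
    if not codes:
        return "ok"
    if 18 in codes:                      # depth-zero self-signed certificate
        return "self-signed-leaf"
    if codes & {20, 21} and max(chain) == 0:
        # Only the leaf was seen: no issuer certificate was sent by the
        # server or found in the local trust store.
        return "leaf-only-issuer-unavailable"
    if codes & {19, 20}:                 # chain was built but ends untrusted
        return "untrusted-chain"
    return "other"


if __name__ == "__main__":
    print(diagnose(SAMPLE))
```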

  10. DEAD4EVER

    xbox billing site

    If he's trying to cancel his subscription then he might as well let it expire if he's using those card number cards. But if he's using his credit card or something then it gets a little more tricky. I personally don't use credit cards for Xbox, I use the digit cards, but eventually when my Xbox blows I'll be getting a PS3 'cause I'm sick of Microsoft and their money tactics: paying for online when it should be free, it's a ripoff, just like those Microsoft points too and changing your name.

  11. Toby Rose

    Billing?

    Surely the issue here is having to pay to play games you've already paid money for?

  12. corrodedmonkee

    worried...

    Well, looking Chrome checks IE for certificates, the screen that pops up in Chrome when you view certificates looks... suspiciously like the IE one.

    I've had this exact same issue recently with my work. It's just the chain isn't set up properly. It's all well and good assuming your user has the certification authority etc installed. It might not.

    Firefox and Opera both error.

    And the chained certificates are both out of date.

    How exactly is this a Firefox problem and not a 'MS can't manage their servers or set up SSL properly' problem?

    1. Anonymous Coward
      Black Helicopters

      microsoft has a website

      that only responds to microsoft browser.

      no error.

      tactics

  13. Yorkshirepudding
    Troll

    the solution is simple

    play games for free on PSN

    I await the xbot flaming

  14. Kevin Bailey

    Something not right here...

    <quote>

    Chris Boyd, a security consultant at Sunbelt and Microsoft MVP who has studied the security of online gaming in some depth, confirmed the glitch.

    "It seems you get a cert error in Firefox 3.6.8 (the latest version), I don't have other versions to hand to try out," Boyd told El Reg.

    </quote>

    Studies online gaming 'in some depth' - but doesn't have VMs or whatever to test out different browser versions. How can someone be a Microsoft MVP and not have the basics covered?

  15. Anonymous Coward
    Anonymous Coward

    check your servers too...

    If you install IE Enhanced Security Configuration on your servers (I know 2k3 has this), your browser has all of Microsoft's sites (download/msn/update/windowsupdate) in its trusted sites list. If you use any 3rd party patch management tool, you should remove all of Microsoft's servers from the list (and the default, wherever it is kept).

  16. Goat Jam
    Troll

    Microsoft MVP

    You're lucky he had even one copy of Firefox available given that it's an application that doesn't carry the Redmond Seal Of Quality
