[outages] Akamai Cert Issues today

Christopher Thompson Christopher.Thompson at westwoodps.com
Fri Oct 2 16:31:06 EDT 2015


I'm not certain it's related, but we began noticing anomalies a couple days ago on most Microsoft websites (Microsoft.com, MSDN, Technet, etc.) when trying to view them through our Sophos web security (proxy) appliance. Many elements fail to load, causing the sites to look like garbage. When I try to download one of these elements from the Sophos appliance itself, I see the following certificate error:

WARNING: cannot verify i-msdn.sec.s-msft.com's certificate, issued by `/C=NL/L=Amsterdam/O=Verizon Enterprise Solutions/OU=Cybertrust/CN=Verizon Akamai SureServer CA G14-SHA1':
  Unable to locally verify the issuer's authority.

I can't reproduce this error when loading the sites directly.  Only through the Sophos appliance.

Christopher Thompson
IT INFRASTRUCTURE MANAGER
(952)906-7491
westwoodps.com

From: Outages [mailto:outages-bounces at outages.org] On Behalf Of Jim Witherell via Outages
Sent: Thursday, October 1, 2015 7:10 AM
To: outages at outages.org
Subject: Re: [outages] Akamai Cert Issues today

Aside from finding ways to make it fail, my point is that casual users are complaining to the help desk about it. We can duplicate it externally at home and on mobile devices.

Away from the debate about Akamai's issue that has evidently been out there awhile:
-We're wondering what happened yesterday to break all these disparate websites
-We're wondering if anyone else is seeing the problem or is receiving an unusually high volume of complaints about getting to certain and unrelated https sites in the last 18 or so hours.



________________________________
From: "Jay Ashworth via Outages" <outages at outages.org>
Date: Wed, Sep 30, 2015 at 11:21 PM
Subject: Re: [outages] Akamai Cert Issues today
----- Original Message -----
> From: "Sean Donelan via Outages" <outages at outages.org>

> This is how Akamai has handled non-SSL customers for the last 15 years.
> It is the same error message, and the same action. You just noticed
> it.
>
> If you use https for a non-SSL customer on Akamai, you will connect to
> an Akamai server using a "default" SSL certificate for all customers on
> port 443.
>
> If you use https for an SSL customer on Akamai, you connect to different
> IP addresses listening for specific customers which return a customer
> specific SSL certificate.

Doesn't that interact rather badly with HTTPS-Anywhere?

Or, more to the point, would it not already have done so to date, rather
loudly?

Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                      jra at baylink.com
Designer                    The Things I Think                      RFC 2100
Ashworth & Associates      http://www.bcp38.info         2000 Land Rover DII
St Petersburg FL USA      BCP38: Ask For It By Name!          +1 727 647 1274
