[outages] Akamai Cert Issues today

joel jaeggli joelja at bogus.com
Fri Oct 2 18:40:40 EDT 2015


On 10/2/15 1:31 PM, Christopher Thompson via Outages wrote:
> I’m not certain it’s related, but we began noticing anomalies a couple
> days ago on most Microsoft websites (Microsoft.com, MSDN, Technet, etc.)
> when trying to view them through our Sophos web security (proxy)
> appliance.  Many elements fail to load causing the sites to look like
> garbage.  When I try to download one of these elements from the Sophos
> appliance itself, I see the following certificate error:
> 
>  
> 
> WARNING: cannot verify i-msdn.sec.s-msft.com's certificate, issued by
> `/C=NL/L=Amsterdam/O=Verizon Enterprise
> Solutions/OU=Cybertrust/CN=Verizon Akamai SureServer CA G14-SHA1':
> 
>   Unable to locally verify the issuer's authority.
> 
>  
> 
> I can’t reproduce this error when loading the sites directly.  Only
> through the Sophos appliance.

Your appliance can't validate an intermediate CA which the browser's
keyring apparently can.

> Christopher Thompson
> IT INFRASTRUCTURE MANAGER
> (952)906-7491
> westwoodps.com
> 
>  
> 
> *From:*Outages [mailto:outages-bounces at outages.org] *On Behalf Of *Jim
> Witherell via Outages
> *Sent:* Thursday, October 1, 2015 7:10 AM
> *To:* outages at outages.org
> *Subject:* Re: [outages] Akamai Cert Issues today
> 
>  
> 
> Aside from finding ways to make it fail, my point is that casual users
> are complaining to the help desk about it. We can duplicate it
> externally at home and on mobile devices. 
> 
>  
> 
> Away from the debate about Akamai's issue that has evidently been out
> there awhile:
> 
> -We're wondering what happened yesterday to break all these disparate
> websites 
> 
> -We're wondering if anyone else is seeing the problem or are receiving
> unusually high volume of complaints about getting to certain and
> unrelated https sites in the last 18 or so hours. 
> 
>  
> 
> 
> ------------------------------------------------------------------------
> 
> *From*:"Jay Ashworth via Outages" <outages at outages.org>
> *Date*:Wed, Sep 30, 2015 at 11:21 PM
> *Subject*:Re: [outages] Akamai Cert Issues today
> 
> ----- Original Message -----
>> From: "Sean Donelan via Outages" <outages at outages.org>
> 
>> This is how Akamai has handled non-SSL customers for the last 15 years.
>> It is the same error message, and the same action. You just noticed
>> it.
>>
>> If you use https for a non-SSL customer on Akamai, you will connect to
>> an Akamai server using a "default" SSL certificate for all customers on
>> port 443.
>>
>> If you use https for a SSL customer on Akamai, you connect to different
>> IP addresses listening for specific customers which return a customer
>> specific SSL certificate.
> 
> Doesn't that interact rather badly with HTTPS-Anywhere?
> 
> Or, more to the point, would it not already have done so to date, rather
> loudly?
> 
> Cheers,
> -- jra
> -- 
> Jay R. Ashworth                  Baylink                       jra at baylink.com
> Designer                     The Things I Think                       RFC 2100
> Ashworth & Associates       http://www.bcp38.info          2000 Land Rover DII
> St Petersburg FL USA      BCP38: Ask For It By Name!           +1 727 647 1274
> 
> 
> _______________________________________________
> Outages mailing list
> Outages at outages.org
> https://puck.nether.net/mailman/listinfo/outages
> 
>  
> 
>  
> 
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 229 bytes
Desc: OpenPGP digital signature
URL: <https://puck.nether.net/pipermail/outages/attachments/20151002/209f97dc/attachment.sig>
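
The reply above attributes the wget warning to the appliance being unable to validate an intermediate CA that the browser can. The following is an added example, not part of the original thread: it builds a throwaway root, intermediate and leaf with `openssl` and verifies the leaf twice, once with only the root available (one way an appliance can end up in this state, which is an assumption here) and once with the intermediate also supplied. All names, keys and the helper functions are constructed for the demo.

```shell
#!/bin/sh
# Added example: every key, name and certificate here is a throwaway value
# constructed for the demo; chain_check, gen and sign are hypothetical helpers.
chain_check() {
    d=$(mktemp -d) || return 1
    cat > "$d/cfg" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
commonName = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    gen() {   # gen <name> <subject>: new key plus CSR
        openssl req -config "$d/cfg" -newkey rsa:2048 -nodes \
            -keyout "$d/$1.key" -out "$d/$1.csr" -subj "$2" >/dev/null 2>&1
    }
    sign() {  # sign <name> <issuer> [extra x509 options]
        n=$1; i=$2; shift 2
        openssl x509 -req -in "$d/$n.csr" -CA "$d/$i.pem" -CAkey "$d/$i.key" \
            -CAcreateserial -days 2 -out "$d/$n.pem" "$@" >/dev/null 2>&1
    }
    # Chain: self-signed root -> intermediate (CA:TRUE) -> leaf
    openssl req -x509 -config "$d/cfg" -newkey rsa:2048 -nodes -days 2 \
        -keyout "$d/root.key" -out "$d/root.pem" -subj "/CN=Demo Root CA" \
        >/dev/null 2>&1 &&
    gen int "/CN=Demo Intermediate CA" &&
    sign int root -extfile "$d/cfg" -extensions v3_ca &&
    gen leaf "/CN=www.example.test" &&
    sign leaf int || { rm -rf "$d"; return 1; }

    # Verifier that knows the root only and is handed just the leaf:
    # the leaf's issuer cannot be found, so path building stops.
    if openssl verify -CAfile "$d/root.pem" "$d/leaf.pem" >/dev/null 2>&1
    then a=ok; else a=fail; fi
    # Same trust anchor, but the intermediate is available as an untrusted
    # helper certificate (sent by the server, cached, or bundled).
    if openssl verify -CAfile "$d/root.pem" -untrusted "$d/int.pem" \
        "$d/leaf.pem" >/dev/null 2>&1
    then b=ok; else b=fail; fi
    rm -rf "$d"
    echo "root-only=$a root+intermediate=$b"
}

chain_check
```

Against a live server, `openssl s_client -connect host:443 -showcerts` shows which certificates the server actually sends, which tells you whether the missing piece is on the server side or in the client's trust store.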

