Firefox and Pale Moon users have started facing connectivity issues when visiting Microsoft’s online services, such as Hotmail, Live, Outlook, OneDrive, and Bing. The Pale Moon project has published the reason behind this on its forum, along with a workaround.
Culprit behind the Microsoft connectivity issue
According to Pale Moon’s owner and lead developer, the culprit is misconfigured servers on Microsoft’s side, specifically their so-called “stapled OCSP responses”. OCSP stands for Online Certificate Status Protocol. It is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 6960 and is on the Internet standards track.
The owner of the Pale Moon browser further describes what a ‘stapled OCSP response’ is. Server certificates are used to verify secure https connections. These certificates can be revoked by their creators before they expire for a number of reasons, for example because the private key was compromised or because the certificate was mis-issued by an unauthorized person. OCSP is the protocol a client uses to find out whether a certificate has been revoked.
With a stapled OCSP response, the secure server the user is connecting to provides an authenticated (signed) response along with its certificate, verifying that the certificate hasn’t been revoked. This mechanism reduces the need for frequent revocation lookups and is a better way to handle certificate revocation checks.
The stapled response is a relatively short-lived OCSP response that gets sent along with the certificate information to the browser. The browser can then verify that the certificate is still valid without having to make extra connections or do extra lookups against an OCSP server operated by the certificate authority. As the owner of the Pale Moon browser mentions, stapled OCSP responses have been accepted and processed by all main web browsers for the past few years, including Pale Moon, IE, Firefox, Opera, Chrome, and other Chromium-based browsers.
Pale Moon, Firefox users can’t connect to Outlook, Hotmail, Bing, OneDrive, Live
The Pale Moon forum explains why the Pale Moon browser failed to connect to Microsoft’s online services.
“What happened is that the servers for the domains mentioned did not use the correct certificate chain to sign their stapled OCSP responses. As a result, connections to the related https servers started to fail.”
He further mentioned,
“From a browser’s point of view, this should be considered (very) bad, because it looks like some other party (not being the authority that issued the certificate) is trying to tell the browser that a certificate isn’t revoked. This party could be an attacker that is trying to use a revoked (mis-issued) certificate, for example.”
Firefox users are also reporting receiving the following error when trying to log into Microsoft online services:
Secure Connection Failed. An error occurred during a connection to outlook.live.com. Invalid OCSP signing certificate in OCSP response.
Error code: SEC_ERROR_OCSP_INVALID_SIGNING_CERT
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.
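The responder-authorization rule behind this error, as an added example that is not from the Pale Moon forum or from Firefox's code: a stapled response is accepted only if it is signed by the certificate's issuer or by a responder certificate that the issuer issued directly with the OCSP-signing extended key usage (RFC 6960, section 4.2.2.2). This is a simplified model in which key identifiers stand in for real signatures; all certificate names, dates and result strings are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

OCSP_SIGNING_EKU = "1.3.6.1.5.5.7.3.9"  # id-kp-OCSPSigning

@dataclass(frozen=True)
class Cert:
    subject: str
    key_id: str        # stands in for the certificate's public key
    signed_by: str     # key_id of the CA key that signed this certificate
    ekus: tuple = ()

@dataclass(frozen=True)
class Staple:
    signer: Cert       # certificate the response was signed with
    signed_by: str     # key_id that actually produced the signature
    cert_status: str   # "good" or "revoked"
    this_update: datetime
    next_update: datetime

def check_staple(staple, issuer, now):
    """Return 'ok' or the reason a client rejects the stapled response."""
    if staple.signed_by != staple.signer.key_id:
        return "bad_signature"
    # Signer must be the issuing CA itself, or a responder that CA issued
    # directly and marked with the OCSP-signing EKU.
    is_issuer = staple.signer.key_id == issuer.key_id
    is_delegate = (staple.signer.signed_by == issuer.key_id
                   and OCSP_SIGNING_EKU in staple.signer.ekus)
    if not (is_issuer or is_delegate):
        return "invalid_signing_cert"  # the case Firefox reported above
    if not (staple.this_update <= now <= staple.next_update):
        return "stale_response"        # staples are short-lived
    return "ok" if staple.cert_status == "good" else "revoked"

# Constructed sample data (hypothetical names, not real certificates).
NOW = datetime(2024, 1, 1, 12, 0)
ISSUER = Cert("Example Issuing CA", "k-issuer", "k-root")
DELEGATE = Cert("Example OCSP Responder", "k-resp", "k-issuer", (OCSP_SIGNING_EKU,))
OTHER = Cert("Other-Chain Responder", "k-other", "k-other-ca", (OCSP_SIGNING_EKU,))

def make_staple(signer, status="good", age_hours=1):
    start = NOW - timedelta(hours=age_hours)
    return Staple(signer, signer.key_id, status, start, start + timedelta(days=2))

if __name__ == "__main__":
    for name, signer in [("issuer", ISSUER), ("delegate", DELEGATE), ("other chain", OTHER)]:
        print(name, "->", check_staple(make_staple(signer), ISSUER, NOW))
```

The third case claims the certificate is "good" and carries a valid signature, yet it is rejected because the signer does not chain to the certificate's issuer.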
Workaround
This workaround will help Firefox & Pale Moon browser users to connect to Hotmail, Outlook or Live accounts:
- In the address bar, type about:config and press Enter.
- Accept the warning that is presented, confirming that you’ll be careful.
- In the list of preferences, find security.ssl.enable_ocsp_stapling
- Double-click the line to set the value to false
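You can check the current status here. Until a fix is released, you may need to use this workaround. Because it turns off stapled OCSP checking for every site, set the preference back to true once the servers are fixed. Hope this helps!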