Hi, On Mon, 11 May 2020 10:53:26 +0200 Hanno Böck via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> I did some checks on certificates and their AIA sections and noticed > that several Microsoft certificates were referencing intermediate > certificates in the "CA Issuer" field that give a 403 error. > > http://www.microsoft.com/pki/mscorp/Microsoft%20IT%20TLS%20CA%201.crt > http://www.microsoft.com/pki/mscorp/Microsoft%20IT%20TLS%20CA%202.crt > http://www.microsoft.com/pki/mscorp/Microsoft%20IT%20TLS%20CA%204.crt > http://www.microsoft.com/pki/mscorp/Microsoft%20IT%20TLS%20CA%205.crt So there's a somewhat unexpected update here: After communicating with Microsoft it turns out this is due to user agent blocking, the URLs can be accessed, but not with a wget user agent. Microsoft informed me that "the wget agent is explicitly being blocked as a bot defense measure." I leave it up to the community to discuss whether this is acceptable. I stronly feel it's not and I feel that this is public information that should be accessible without any hurdles, and there's no need to have any "bot defense" on a static file that should be public information. -- Hanno Böck https://hboeck.de/ _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy