Xbox Live billing site snubs Firefox
Credentials invalid. Game over
Customers visiting an Xbox Live billing site with Firefox are liable to get a false warning that Microsoft's digital certificate is "invalid".
The certificate is fine and IE users are unaffected by the glitch, which represents the reappearance of an intermittent bug limited to gamers who use Mozilla's open source browser.
Reg reader Gordon, who gave us the heads up about the snafu, explained that he came across it in the process of trying to cancel his X-Box Live Gold account. After firing up Firefox, he was greeted by a confusing and unhelpful error message (extract below).
You have asked Firefox to connect securely to billing.microsoft.com, but we can't confirm that your connection is secure…billing.microsoft.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown.
Chris Boyd, a security consultant at Sunbelt and Microsoft MVP who has studied the security of online gaming in some depth, confirmed the glitch.
"It seems you get a cert error in Firefox 3.6.8 (the latest version), I don't have other versions to hand to try out," Boyd told El Reg. "[It] Works in IE, and the cert is viewable."
The latest problem appears to be a repeat of earlier glitches, such as one two years ago that affected "Firefox 3", he said. Reports of the problem from August 2008 can be found on gaming forums here.
The bug reappeared last month, according to a notice on a Mozilla support forum.
"There are a few other examples of this on the web, but nobody seems to have a definite answer," Boyd added.
We've passed on the details of the problem to Microsoft's Xbox team and will update this story when we hear more. ®
COMMENTS
Can only cancel by ringing
I encountered the same issue.
However the bigger problem was that once you get to billing.microsoft.com to cancel your gold subscription (as directed in MS email), it directs you to xbox.com. It says you can change the autorenewal option to off once you get there.
On xbox.com (us/international site) there is no way to cancel or turn autorenewal off, only buy more, and no indication on how you cancel. UK version of xbox site has no account info at all.
Eventually a Google search revealed a phone number where one has to go through a tedious process to cancel.
There is also no way to cancel from xbox itself, only buy more.
A dirty way of doing business. Won't be using live again.
No, that's not the issue.
No, that's not the issue - You didn't check your facts before commenting any more than the "expert" in the story did.
If you browse to the site in Firefox, the cert is issued by the following CA;
CN = Microsoft Secure Server Authority
DC = redmond
DC = corp
DC = microsoft
DC = com
If you browse to it in IE8, the cert provided was issued by the "Verisign Class 3 Public Primary Certification Authority - G5", a known global CA trusted by both IE and Firefox.
So Microsoft have some sort of load balancers / reverse proxies in front of their webservers which serve content differently based on browser type. One group of servers uses an invalid cert, signed by a non-globally trusted CA, the others don't, they use a valid cert signed by a globally trusted CA.
This is a mistake by Microsoft, not Mozilla / Firefox, but the mistake is not that Microsoft browsers have a non-trusted CA in their cert trust list. Check before jumping to conclusions.
Except
That cert / CA has nothing to do with the article, people are not psychic, and so cannot connect your non-sequitur with anything that went before.
If that's the point you intended to make with your previous post, you failed to do so.
It's also hardly surprising that Microsoft trusts it's own CA servers. Would you expect them not to? There's no implication anyone else should trust Microsoft.
For clarity, the cert presented by the site is not signed by that CA.
the solution is simple
play games for free on PSN
I await the xbot flaming
