Yahoo web mail, Bing, Forefront TMG 2010 RC Outbound HTTPS Inspection and me (and some browsers) in need of a pair of glasses

Today I was behind a Forefront TMG 2010 RC firewall in a lab, browsing the web from a web proxy client (IE8 browser, manually configured proxy settings).

So I thought to go check my Yahoo web email.

Errrr…

ie8_mail_yahoo_error

So what happened?
I use Bing rarely. Today was one of those rare times, and out of laziness I just searched Bing for ‘yahoo mail’:

yahoo_mail_bing

Turns out I wasn’t very attentive, and I just clicked on the first search result, missing the ‘https’ in front of that link.
Bing indexed ‘https://mail.yahoo.com/’, which is not quite a good thing (there is an old discussion about this address and Yahoo web mail’s certificate).

“Normally”, on a Google search, the first result is for ‘http://mail.yahoo.com/’:

yahoo_mail_google

And if you click on this, a “pesky” redirection occurs to the “real https address”:

mail_yahoo_redirect

And the certificate for Yahoo’s web email is issued to ‘login.yahoo.com’ (CN, no SAN entries):

mail_yahoo_cert

Since the Outbound HTTPS Inspection on Forefront TMG 2010 RC checks the server’s certificate by default, Forefront TMG 2010 RC denied the connection, saying (which is correct): Status: 12227 The name on the SSL server certificate supplied by a destination server does not match the name of the host requested.

tmg_mail_yahoo_log
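As an added illustration (not from the original post and not TMG's own code), the name check behind that status can be sketched in Python. The certificate dictionaries are constructed samples in the layout Python's `ssl` module returns from `getpeercert()`; the function names and the `example.test` hosts are hypothetical.

```python
# Added example: the host-name check applied to a server certificate.
# Certificate dicts are constructed samples in getpeercert() layout.

def name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match of one certificate name against the host.
    '*' is honoured only as the whole left-most label, covering one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h


def presented_names(cert: dict) -> list:
    """SAN dNSName entries win; the subject CN is used only when the
    certificate has no SAN dNSName at all (the case the post describes)."""
    sans = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for (k, v) in rdn if k == "commonName"]


def check_server_name(cert: dict, requested_host: str) -> tuple:
    """Return (ok, names). ok is False for the condition the TMG log in the
    post reports as status 12227: no presented name matches the host."""
    names = presented_names(cert)
    return any(name_matches(n, requested_host) for n in names), names


# Constructed: CN only, no SAN entries, as the post describes Yahoo's cert.
CN_ONLY_CERT = {"subject": ((("commonName", "login.yahoo.com"),),)}

# Constructed, hypothetical: a cert whose SAN list covers the mail host.
SAN_CERT = {
    "subject": ((("commonName", "login.example.test"),),),
    "subjectAltName": (("DNS", "mail.example.test"),
                       ("DNS", "*.mail.example.test")),
}

if __name__ == "__main__":
    for cert, host in [(CN_ONLY_CERT, "mail.yahoo.com"),
                       (CN_ONLY_CERT, "login.yahoo.com"),
                       (SAN_CERT, "mail.example.test"),
                       (SAN_CERT, "login.example.test")]:
        ok, names = check_server_name(cert, host)
        print(f"{host:22} vs {names}: {'match' if ok else 'MISMATCH'}")
```

Note that once a SAN list is present the CN is no longer consulted, so the second sample certificate fails for its own CN host.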

 

 

The same thing (sort of) would have happened if I had used Bing from a browser without TMG (and its Outbound HTTPS Inspection) on the path and gone to this address:

ie8_mail_yahoo_error_direct

The difference here was that the error shown by IE8 behind Forefront TMG 2010 RC (while the Outbound HTTPS Inspection was on) was somewhat ambiguous. If I check with Wireshark what Forefront TMG 2010 RC tells the client, we can actually notice that what Forefront TMG 2010 RC replies to the client kind of makes sense, but IE8 does not display this message, making the whole process somewhat user-unfriendly and leaving one wondering what has happened:

wr_mail_yahoo_error

Same story with other browsers:

- Google Chrome 3.x

chrome_mail_yahoo_error

- Firefox 3.5.x

ff_mail_yahoo_error

- Safari 4.x on Windows:

safari_win_mail_yahoo_error

However, Opera 10 is able to read that message and display it:

opera_mail_yahoo_error