Internet Explorer 6 had a local list of trusted certificate authorities; when accessing a secure website, it would check locally whether the certificate was valid and return right away to the user. When Internet Explorer 7 was released, it came with a new idea: the list came empty, and IE7 had to communicate with a Microsoft datacenter to check the certificate's status.

If the certificate is valid, IE7 shows a green background in the URL prompt. If it is not, or IE7 could not communicate with the datacenter, it shows a red background in the URL prompt and a warning page appears explaining that it is not recommended or secure to proceed.

Hotspot operators work in a very common way: they block all traffic until you authenticate. Every time you try to access a website, you are redirected to a captive portal, where you type your username and password and finally get full access to the internet.

If it’s a good hotspot operator, the captive portal will be secure, but before showing the page IE7 needs to check that the certificate is valid, and you are not authenticated yet. All the packets are dropped, no answer comes, and you see the red page warning you.

A walled garden is a common solution for similar problems, where you need to communicate with a host before authenticating. In this case, you need to communicate with Microsoft to check that your certificate is valid. Sniff IE7 communicating with the datacenter, find the host and port, and unblock it.

By that time we had identified that it was the same host used by the Windows Update client. Imagine the structure needed to handle all the users of the world trying to update their Windows or checking whether a certificate is valid.

We ran a script for days and registered hundreds of servers, and there were more. Microsoft had a load-balancing solution based on DNS: every fifteen seconds or less the IP of the host changes, and this way they are able to balance requests.
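
Why the sniff-and-unblock approach breaks under this DNS rotation, shown as an added example (not code from the original post, and not the solution the author's team used, which the post does not describe). It compares a static IP walled garden with one that learns addresses from DNS answers for an allowed hostname; the hostname `revocation.example`, the class names and the 192.0.2.x addresses are constructed placeholders.

```python
from dataclasses import dataclass, field

ALLOWED_HOST = "revocation.example"  # hypothetical placeholder for the pre-auth host

@dataclass
class StaticWalledGarden:
    """Allowlist built once from the IPs seen while sniffing."""
    allowed_ips: set

    def permits(self, dst_ip, now):
        return dst_ip in self.allowed_ips

@dataclass
class DnsSnoopingWalledGarden:
    """Allowlist keyed by hostname; IPs are learned from DNS answers and expire."""
    allowed_hosts: set
    grace: float = 30.0  # seconds kept past the TTL for connections in flight
    _expiry: dict = field(default_factory=dict)  # ip -> time the hole closes

    def observe_dns_answer(self, qname, ips, ttl, now):
        # Feed this only with answers from the gateway's own resolver; answers
        # supplied by an unauthenticated client must never open a hole.
        if qname.lower().rstrip(".") not in self.allowed_hosts:
            return
        for ip in ips:
            self._expiry[ip] = max(self._expiry.get(ip, 0), now + ttl + self.grace)

    def permits(self, dst_ip, now):
        self._expiry = {ip: t for ip, t in self._expiry.items() if t > now}
        return dst_ip in self._expiry

def simulate(rounds=20, rotate_every=15):
    """Replay constructed DNS answers in which the host's IP changes every 15 s."""
    static = StaticWalledGarden({"192.0.2.1"})  # the single IP captured on day one
    snoop = DnsSnoopingWalledGarden({ALLOWED_HOST})
    static_ok = snoop_ok = 0
    for i in range(rounds):
        now = i * rotate_every
        ip = f"192.0.2.{i + 1}"  # constructed documentation-range address
        snoop.observe_dns_answer(ALLOWED_HOST, [ip], ttl=rotate_every, now=now)
        static_ok += static.permits(ip, now + 1)
        snoop_ok += snoop.permits(ip, now + 1)
    return static_ok, snoop_ok, len(snoop._expiry)

if __name__ == "__main__":
    print(simulate())
```

The expiry on learned addresses keeps the pre-authentication hole from growing to every address the host has ever resolved to.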

Obviously we had to use another solution to make the communication with Microsoft possible before authentication. Our certificate was valid; there was no reason for the user to see that red page. It’s a browser that owns more than half of the market, and it was a very complicated problem to fix at that time. I had long talks with Microsoft engineers about this issue until they could find a solution. That’s how a software release from a major company and a very silly problem could break a global and mature business segment.
