SSL Certificate Analysis for msftstatic.com - Security Grade & TLS Configuration

SSL Verification Bypassed

The server's SSL certificate could not be verified. The analysis was completed using insecure mode. Data may be less reliable.

Reason:

Hostname Mismatch - certificate is issued for *.platform.bing.com, *.bing.com, bing.com, ieonline.microsoft.com, *.windowssearch.com, cn.ieonline.microsoft.com, *.origin.bing.com, *.mm.bing.net, *.api.bing.com, not for msftstatic.com

Open Cached · just now

74/100 SECURITY SCORE

Certificate Information

Subject

C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=www.bing.com

Issuer

C=US, O=Microsoft Corporation, CN=Microsoft Azure RSA TLS Issuing CA 04

Valid From

December 16, 2025

Valid Until

June 14, 2026 141 days

Public Key

RSA 2048 bit Adequate

Signature Algorithm

SHA384-RSA

SHA-256 Fingerprint

D0:AC:6B:45:B9:2C:EC:35:CC:09:B3:CB:4F:77:11:93:75:BF:B7:D1:3B:3D:31:C6:7F:67:5D:38:EB:99:98:4A

Alternative Names

67 domains

Security Configuration

TLS Protocols

TLS 1.2 TLS 1.3

Forward Secrecy

Supported (Modern clients use PFS)

HTTP Security Headers

Status

Strict-Transport-Security

Missing

Not configured

Content-Security-Policy

Missing

Not configured

X-Frame-Options

Missing

Not configured

X-Content-Type-Options

Missing

Not configured

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Add Strict-Transport-Security header with max-age of at least 1 year
• Add Content-Security-Policy header to prevent XSS attacks
• Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
• Add X-Content-Type-Options: nosniff
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

CAA Records (Certificate Authority Authorization)

CAA Records

Configured (Restricts certificate issuance)

Current Issuer

Not Authorized (Potential misconfiguration)

Authorized CAs

digicert.com globalsign.com microsoft.com

CAA Issues

• CRITICAL: Current certificate issuer 'C=US, O=Microsoft Corporation, CN=Microsoft Azure RSA TLS Issuing CA 04' is NOT authorized by CAA records. Authorized CAs: digicert.com, globalsign.com, microsoft.com

Recommendations

• Consider using critical flag (flags=128) for stricter CAA enforcement
• Consider adding 'iodef' records to receive notifications about unauthorized certificate issuance attempts
• Consider adding 'issuewild' records to control wildcard certificate issuance

Subject Alternative Names

67 domains

*.api.bing.com *.appex.bing.com bing.com *.bing.com *.cn.bing.com *.dict.bing.com global.bing.com *.m.bing.com *.origin.bing.com *.platform.bing.com *.platform.cn.bing.com r.bat.bing.com *.r.bat.bing.com ssl-api.bing.com *.ssl.bing.com wp.m.bing.com www.bing.com

*.api.bing.net *.cn.bing.net *.mm.bing.net ssl-api.bing.net

*.bingapis.com

bingsandbox.com *.bingsandbox.com

3d.live.com api.search.live.com *.api.tiles.ditu.live.com beta.search.live.com cnweb.search.live.com ditu.live.com farecast.live.com image.live.com images.live.com local.live.com localsearch.live.com ls4d.search.live.com mail.live.com mapindia.live.com maps.live.com mindia.live.com news.live.com origin.cnweb.search.live.com preview.local.live.com search.live.com *.t0.tiles.ditu.live.com *.t1.tiles.ditu.live.com *.t2.tiles.ditu.live.com *.t3.tiles.ditu.live.com test.maps.live.com video.live.com videos.live.com virtualearth.live.com wap.live.com webmaster.live.com webmasters.live.com

local.live.com.au maps.live.com.au www.local.live.com.au www.maps.live.com.au

cn.ieonline.microsoft.com feedback.microsoft.com ieonline.microsoft.com

search.msn.com

insertmedia.bing.office.net

ecn.dev.virtualearth.net

windowssearch.com *.windowssearch.com