{"id":116,"date":"2012-06-17T17:16:00","date_gmt":"2012-06-18T01:16:00","guid":{"rendered":"http:\/\/unmitigatedrisk.com\/?p=116"},"modified":"2012-06-18T15:10:59","modified_gmt":"2012-06-18T23:10:59","slug":"a-look-at-the-new-windows-update-ssl-certificates","status":"publish","type":"post","link":"https:\/\/unmitigatedrisk.com\/?p=116","title":{"rendered":"A look at the new Windows Update SSL certificates"},"content":{"rendered":"<p>This morning I noticed a tweet by <a href=\"https:\/\/twitter.com\/#!\/search\/mikko\">Mikko<\/a> about the <a href=\"http:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/wuchain.p7b.txt\">Windows Update certificate chain<\/a>\u00a0looking odd so I decided to take a look myself.<\/p>\n<p>I started with the webserver configuration using\u00a0<a href=\"https:\/\/www.ssllabs.com\/ssltest\/analyze.html?d=www.update.microsoft.com\">SSLLABS<\/a>, unfortunately it did not fare well:<\/p>\n<p style=\"padding-left: 30px;\"><a href=\"http:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/ssllabswwwupdatemicrosoftcom.png\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"98\" class=\"alignnone size-medium wp-image-117\" title=\"ssllabswwwupdatemicrosoftcom\" src=\"http:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/ssllabswwwupdatemicrosoftcom-300x98.png\" alt=\"\" srcset=\"https:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/ssllabswwwupdatemicrosoftcom-300x98.png 300w, https:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/ssllabswwwupdatemicrosoftcom-455x150.png 455w, https:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/ssllabswwwupdatemicrosoftcom.png 911w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Looking a little closer we see a few things of interest:<\/p>\n<ul>\n<li>SSLLABS is unable to validate the certificate<\/li>\n<li>The server is using weak ciphers<\/li>\n<li>The server is vulnerable to the BEAST attack<\/li>\n<li>The server is not using an 
Extended Validation (EV) Certificate<\/li>\n<li>The server is supporting SSL 2.0<\/li>\n<\/ul>\n<p>To understand the specifics here we needed to look a little deeper; the OpenSSL s_client is a great tool for this:<\/p>\n<blockquote><p>openssl s_client -showcerts -status -connect www.update.microsoft.com:443<\/p>\n<p>Loading &#8216;screen&#8217; into random state &#8211; done<\/p>\n<p>CONNECTED(0000017C)<\/p>\n<p>OCSP response: no response sent<\/p>\n<p>depth=1 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = Microsoft Update Secure Server CA 1<\/p>\n<p>verify error:num=20:unable to get local issuer certificate<\/p>\n<p>verify return:0<\/p>\n<p>&#8212;<\/p>\n<p>Certificate chain<\/p>\n<p>0 s:\/C=US\/ST=Washington\/L=Redmond\/O=Microsoft\/OU=WUPDS\/CN=www.update.microsoft.com<\/p>\n<p>i:\/C=US\/ST=Washington\/L=Redmond\/O=Microsoft Corporation\/CN=Microsoft Update Secure Server CA 1<\/p>\n<p>1 s:\/C=US\/ST=Washington\/L=Redmond\/O=Microsoft Corporation\/CN=Microsoft Update Secure Server CA 1<\/p>\n<p>i:\/DC=com\/DC=microsoft\/CN=Microsoft Root Certificate Authority<\/p>\n<p>&#8212;<\/p>\n<p>Server certificate<\/p>\n<p>&#8212;&#8211;BEGIN CERTIFICATE&#8212;&#8211;<\/p>\n<p>MIIF4TCCA8mgAwIBAgITMwAAAAPxs7enAjT5gQAAAAAAAzANBgkqhkiG9w0BAQUF<\/p>\n<p>&#8230;<\/p>\n<p>&#8212;&#8211;END CERTIFICATE&#8212;&#8211;<\/p>\n<p>1 s:\/C=US\/ST=Washington\/L=Redmond\/O=Microsoft Corporation\/CN=Microsoft Update S<\/p>\n<p>ecure Server CA 1<\/p>\n<p>i:\/DC=com\/DC=microsoft\/CN=Microsoft Root Certificate Authority<\/p>\n<p>&#8212;&#8211;BEGIN CERTIFICATE&#8212;&#8211;<\/p>\n<p>MIIGwDCCBKigAwIBAgITMwAAADTNCXaXRxx1YwAAAAAANDANBgkqhkiG9w0BAQUF<\/p>\n<p>&#8230;<\/p>\n<p>&#8212;&#8211;END CERTIFICATE&#8212;&#8211;<\/p>\n<p>subject=\/C=US\/ST=Washington\/L=Redmond\/O=Microsoft\/OU=WUPDS\/CN=www.update.microsoft.com issuer=\/C=US\/ST=Washington\/L=Redmond\/O=Microsoft Corporation\/CN=Microsoft Update<\/p>\n<p>Secure Server CA 
1<\/p>\n<p>&#8212;<\/p>\n<p>No client certificate CA names sent<\/p>\n<p>&#8212;<\/p>\n<p>SSL handshake has read 3403 bytes and written 536 bytes<\/p>\n<p>&#8212;<\/p>\n<p>New, TLSv1\/SSLv3, Cipher is AES128-SHA<\/p>\n<p>Server public key is 2048 bit<\/p>\n<p>Secure Renegotiation IS supported<\/p>\n<p>Compression: NONE<\/p>\n<p>Expansion: NONE<\/p>\n<p>SSL-Session:<\/p>\n<p>Protocol\u00a0 : TLSv1<\/p>\n<p>Cipher\u00a0\u00a0\u00a0 : AES128-SHA<\/p>\n<p>Session-ID: 33240000580DB2DE3D476EDAF84BEF7B357988A66A05249F71F4B7C90AB62986<\/p>\n<p>&nbsp;<\/p>\n<p>Session-ID-ctx:<\/p>\n<p>Master-Key: BD56664815654CA31DF75E7D6C35BD43D03186A2BDA4071CE188DF3AA296B1F9674BE721C90109179749AF2D7F1F6EE5<\/p>\n<p>Key-Arg\u00a0\u00a0 : None<\/p>\n<p>PSK identity: None<\/p>\n<p>PSK identity hint: None<\/p>\n<p>Start Time: 1339954151<\/p>\n<p>Timeout\u00a0\u00a0 : 300 (sec)<\/p>\n<p>Verify return code: 20 (unable to get local issuer certificate)<\/p>\n<p>&#8212;<\/p>\n<p>read:errno=10054<\/p>\n<p>&nbsp;<\/p><\/blockquote>\n<p>With this detail we can also look at the certificates with the Windows Certificate viewer, we just extract the server certificate Base64 and put it into a text file with a .cer extension and open it with Explorer:<\/p>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td valign=\"top\" width=\"319\">\u00a0<a href=\"http:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/wucert1.png\"><img loading=\"lazy\" decoding=\"async\" width=\"241\" height=\"300\" class=\"alignnone size-medium wp-image-118\" title=\"wucert1\" src=\"http:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/wucert1-241x300.png\" alt=\"\" srcset=\"https:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/wucert1-241x300.png 241w, https:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/wucert1-120x150.png 120w, https:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/wucert1.png 419w\" sizes=\"auto, (max-width: 241px) 100vw, 241px\" \/><\/a><\/td>\n<td 
valign=\"top\" width=\"319\">\u00a0<a href=\"http:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/wucert2.png\"><img loading=\"lazy\" decoding=\"async\" width=\"241\" height=\"300\" class=\"alignnone size-medium wp-image-119\" title=\"wucert2\" src=\"http:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/wucert2-241x300.png\" alt=\"\" srcset=\"https:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/wucert2-241x300.png 241w, https:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/wucert2-120x150.png 120w, https:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/wucert2.png 419w\" sizes=\"auto, (max-width: 241px) 100vw, 241px\" \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"319\">\u00a0<a href=\"http:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/wucert3.png\"><img loading=\"lazy\" decoding=\"async\" width=\"241\" height=\"300\" class=\"alignnone size-medium wp-image-120\" title=\"wucert3\" src=\"http:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/wucert3-241x300.png\" alt=\"\" srcset=\"https:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/wucert3-241x300.png 241w, https:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/wucert3-120x150.png 120w, https:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/wucert3.png 419w\" sizes=\"auto, (max-width: 241px) 100vw, 241px\" \/><\/a><\/td>\n<td valign=\"top\" width=\"319\">\u00a0<a href=\"http:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/wucert4.png\"><img loading=\"lazy\" decoding=\"async\" width=\"241\" height=\"300\" class=\"alignnone size-medium wp-image-121\" title=\"wucert4\" src=\"http:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/wucert4-241x300.png\" alt=\"\" srcset=\"https:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/wucert4-241x300.png 241w, https:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/wucert4-120x150.png 120w, https:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/wucert4.png 
419w\" sizes=\"auto, (max-width: 241px) 100vw, 241px\" \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"319\">\u00a0<a href=\"http:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/wucert5.png\"><img loading=\"lazy\" decoding=\"async\" width=\"241\" height=\"300\" class=\"alignnone size-medium wp-image-122\" title=\"wucert5\" src=\"http:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/wucert5-241x300.png\" alt=\"\" srcset=\"https:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/wucert5-241x300.png 241w, https:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/wucert5-120x150.png 120w, https:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/wucert5.png 419w\" sizes=\"auto, (max-width: 241px) 100vw, 241px\" \/><\/a><\/td>\n<td valign=\"top\" width=\"319\">\u00a0<a href=\"http:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/wucert6.png\"><img loading=\"lazy\" decoding=\"async\" width=\"241\" height=\"300\" class=\"alignnone size-medium wp-image-123\" title=\"wucert6\" src=\"http:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/wucert6-241x300.png\" alt=\"\" srcset=\"https:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/wucert6-241x300.png 241w, https:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/wucert6-120x150.png 120w, https:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/wucert6.png 419w\" sizes=\"auto, (max-width: 241px) 100vw, 241px\" \/><\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<p>From these we see a few additional things:<\/p>\n<ul>\n<li>OCSP Stapling is not enabled on the server<\/li>\n<li>The issuing CA was created on 5\/30\/2012 at 8:49pm<\/li>\n<li>The issuing CA was issued by the 2001 SHA1 \u201cMicrosoft Root Authority\u201d<\/li>\n<\/ul>\n<p>So with this extra information let\u2019s tackle each of these observations and see what conclusions we come to.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>SSLLABS is unable to validate the certificate<\/strong>; there are two 
possible reasons:<\/p>\n<p style=\"padding-left: 30px;\">a. The server isn\u2019t including the intermediate certificates (it is) and SSLLABS doesn\u2019t chase intermediates specified in the AIA:IssuerCert extension (doubt it does) or that extension isn\u2019t present (it is).<\/p>\n<p style=\"padding-left: 30px;\">b. The Root CA isn\u2019t trusted by SSLLABS (which appears to be the case here).<\/p>\n<p>My guess based on this is that Ivan only included the certificates in the \u201cThird-Party Root Certification Authorities\u201d store and did not include those in the \u201cTrusted Root Certification Authorities\u201d <a href=\"http:\/\/support.microsoft.com\/kb\/293781\">which are required for Windows to work.<\/a><\/p>\n<p>Basically he never expected these Roots to be used to authenticate a public website.<\/p>\n<p><em><strong>[2:00 PM 6\/18\/2012] Ivan has confirmed he currently only checks the Mozilla trusted roots, therefore this root\u00a0wouldn&#8217;t\u00a0be trusted by SSLLABS.<\/strong><\/em><\/p>\n<p>Microsoft\u2019s decision to use this root means that any browser that doesn\u2019t use the CryptoAPI certificate validation functions (Safari, Opera, Chrome on non-Windows platforms, Firefox, etc.) 
will fail to validate this certificate.<\/p>\n<p>This was probably done to allow them to do pinning using the <a href=\"http:\/\/unmitigatedrisk.com\/?p=80\">\u201cMicrosoft\u201d policy in CertVerifyCertificateChainPolicy<\/a>.<\/p>\n<p>I believe this was not the right approach since I think it\u2019s probably legitimate to use another browser to download patches.<\/p>\n<p><em><strong>[2:00 PM 6\/18\/2012] The assumption in this statement (and it may turn out I am wrong) is that it is possible for someone to reach a path where from a browser they can download patches; it&#8217;s my understanding this is an experience that XP machines using a different browser have when visiting this URL &#8212; I have not verified this.<\/strong><\/em><\/p>\n<p><em><strong>[3:00 PM 6\/18\/2012] Harry says that you have not been able to download from these URLs without IE ever, so this would be a non-issue if that is the case.<\/strong><\/em><\/p>\n<p>To address this Microsoft would need to either:<\/p>\n<ul>\n<li>Have their PKI operate in accordance with the requirements that other CAs have to meet and be audited and be found to meet the requirements of each of the root programs that are out there.<\/li>\n<li>Have two separate URLs and certificate chains, one for the website anchored under a publicly trusted CA and another under this private \u201cProduct\u201d root. The manifests would be downloaded from the \u201cProduct\u201d root backed host and the web experience would be from the \u201cPublic\u201d root backed host.<\/li>\n<li>Cross certify the issuing CA \u201cMicrosoft Update Secure Server CA 1\u201d under a public CA also (cross certification), for example under their IT root that is publicly trusted, and include that intermediate in the web server configuration also. 
Then have a CertVerifyCertificateChainPolicy implementation that checks for that CA instead of the \u201cProduct\u201d roots.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><strong>The server is using weak ciphers; <\/strong>the server is using several weak ciphers: <strong><\/strong><\/p>\n<p><a href=\"http:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/wuciphersuites.png\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"106\" class=\"alignnone size-medium wp-image-124\" title=\"wuciphersuites\" src=\"http:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/wuciphersuites-300x106.png\" alt=\"\" srcset=\"https:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/wuciphersuites-300x106.png 300w, https:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/wuciphersuites-423x150.png 423w, https:\/\/unmitigatedrisk.com\/wp-content\/uploads\/2012\/06\/wuciphersuites.png 766w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p><strong><br \/>\n<\/strong><\/p>\n<p>I see no reason to support the MD5 based ciphers as I find it hard to believe that there are any clients that can communicate with this site that do not support their SHA1 equivalents.<\/p>\n<p>&nbsp;<\/p>\n<p><em><strong>[2:00 PM 6\/18\/2012] I have been told I am too\u00a0critical\u00a0in calling these MD5 based ciphers weak, in that they are used as HMAC; it is true that when used with a key, as is the case with HMAC, the current attacks are not relevant. 
With that said, any client that supports these suites will also support their SHA1 counterpart and there is no reason to support the weaker suites that use MD5.<\/strong><\/em><\/p>\n<p>&nbsp;<\/p>\n<p><strong>The server is vulnerable to the BEAST attack<\/strong>; and SSLLABS isn\u2019t able to tell <a href=\"http:\/\/technet.microsoft.com\/en-us\/library\/cc766285(v=WS.10).aspx\">if the server is specifying a cipher suite preference<\/a>, this means it probably is not.<\/p>\n<p>It is the cipher suite ordering issue that is actually resulting in the warning about the BEAST attack though. <a href=\"http:\/\/www.phonefactor.com\/resources\/CipherSuiteMitigationForBeast.pdf\">It is addressed by putting RC4 cipher suites at the top of the cipher suite order list<\/a>.<\/p>\n<p><em><strong>[2:00 PM 6\/18\/2012] It&#8217;s been argued the BEAST attack\u00a0isn&#8217;t\u00a0relevant here because the client is normally not a browser; these pages that are returned do contain JS and there are cases where users visit it via the browser &#8212; otherwise there would not be HTML and JS in them. As such the attacker could use the attack to influence you to install malicious content as if it came from Microsoft. Maybe it&#8217;s not a leakage of personal information initially but it&#8217;s an issue.<\/strong><\/em><\/p>\n<p>&nbsp;<\/p>\n<p><strong>It is not using an Extended Validation (EV) Certificate; <\/strong>this is an odd one: is an <a href=\"http:\/\/en.wikipedia.org\/wiki\/Extended_Validation_Certificate\">EV certificate<\/a> necessary when someone is attesting to their own identity? 
Technically I would argue no, however no one can reasonably expect a user to go and look at a certificate chain and be knowledgeable enough to know that this is what is going on.<\/p>\n<p>The only mechanism to communicate the identity to the user in as clear a way is to make the certificate be an EV certificate.<\/p>\n<p>Microsoft really should re-issue this certificate as an EV certificate \u2013 if there was ever a case to be sure who you are talking to it would certainly include when you are installing kernel mode drivers.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>The server is supporting SSL 2.0;<\/strong> this also has to be an oversight in the server\u2019s configuration, as SSL 2.0 has been known to have numerous security issues for some time.<\/p>\n<p>They need to <a href=\"http:\/\/support.microsoft.com\/kb\/187498\">disable this weak version of SSL<\/a>.<strong><\/strong><\/p>\n<p>&nbsp;<\/p>\n<p><strong>OCSP Stapling is not enabled on the server<\/strong>; <a href=\"http:\/\/unmitigatedrisk.com\/?p=95\">OCSP stapling<\/a> allows a webserver to send its own revocation status along with its certificate, improving performance, reliability and privacy for revocation checking. According to <a href=\"file:\/\/uptime.netcraft.com\/up\/graph?site=www.update.microsoft.com\">Netcraft Windows Update<\/a> is running on IIS 7 which supports it by default.<\/p>\n<p>This means Microsoft is either not allowing these web servers to make outbound connections or they have explicitly disabled this feature (login.live.com has it enabled and working). 
While it is not a security issue per se, enabling it certainly is a best practice, and since it\u2019s on by default it seems they are intentionally not doing it for some reason.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>The issuing CA was created on 5\/30\/2012 at 8:49pm<\/strong>; this isn\u2019t a security issue but it\u2019s interesting that the issuing CA was created four days before the <a href=\"http:\/\/blogs.technet.com\/b\/msrc\/archive\/2012\/06\/03\/microsoft-releases-security-advisory-2718704.aspx\">Flame Security advisory<\/a>. It was a late night for the folks operating the CA.<\/p>\n<p>&nbsp;<\/p>\n<p>That&#8217;s it for now,<\/p>\n<p>&nbsp;<\/p>\n<p>Ryan<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This morning I noticed a tweet by Mikko about the Windows Update certificate chain\u00a0looking odd so I decided to take a look myself. I started with the webserver configuration using\u00a0SSLLABS, unfortunately it did not fare well: Looking a little closer we see a few things of interest: SSLLABS is unable to validate the certificate The 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[3,4],"tags":[21,16,33,17,25,22,27,168,6,19],"class_list":["post-116","post","type-post","status-publish","format-standard","hentry","category-security","category-thoughts","tag-best-practices","tag-ca","tag-iis","tag-microsoft","tag-ocsp","tag-openssl","tag-pki","tag-security","tag-ssl","tag-x509"],"_links":{"self":[{"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/posts\/116","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=116"}],"version-history":[{"count":0,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/posts\/116\/revisions"}],"wp:attachment":[{"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=116"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=116"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=116"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}