Making Sense of Mismatched Certificates?
Ropati writes "I bank with capitalone.com. Recently I went to log in to my credit card account, and my browser reported that the site certificate didn't match the web site I was on. [Expletive.] I'm wondering if I am getting a poisoned DNS URL. I have to log in and do my banking, so I accept the mismatched certificate. The banking site is complete, my transactions are listed but that doesn't mean there isn't a man in the middle attack here. I am still curious how much I have exposed my banking assets." Read on for more, and offer advice on how to interpret what sounds like a flaky response from the bank.
Ropati continues "On the Capital One login page, there is a Verisign link on the page to check that the website is supposed to match. So I click on the verification icon and I am rewarded with a link to Verisign. They report that this web site certificate is for onlinebanking.capitalone.com not the servicing.capitalone.com where I log in. Is this the mismatch my browser reported? I know nothing about certificates.
I call Capital One and ask them to fix the problem. If this was a browser issue on my part, then the Verisign link should match. The tech support supervisor, Joe — XRT413, said he couldn't do anything about it and he couldn't escalate the problem to someone who could.
So my questions are: Are the certificates a mismatch or is my browser bellyaching for nothing? Is the certificate mismatch a security hazard? If someone poisoned my local DNS routers would it be obvious in the URL? How would I prevent such a thing? If everything was working correctly, would the certificate alert me to DNS poisoning, or is this just cosmetic security?"
It's all a scam and we're all laughing at you. While spending your money. Thanks for the good times.
) Human Kind Vs Human Creation
) It'd be interesting to see how many humans would survive to serve us.
Dude, post your login details and I'll check it out for you.
This reminds me of a story. A friend and I were moving a heavy couch and at an inopportune time he got flustered and said 'Hold on, we need to put this down and take a break'. We did, finished moving it later and that was that.
About 6 months later out of the blue he explained to me that he had to put the couch down because he apparently strained a bit too hard and pooped his pants.
I have no idea why he told me, much less told me 6 months later. He was kind of a weird guy.
The moral of this story is:
If you do something embarrassing or stupid and privately get away with it, don't tell anyone.
What is "Cap It Alone"?
Doesn't sound like a website I'd entrust my financial information to...
Here they are:
IP: 127.0.0.1
User: Trollfag
Pass: ILikeBigDicksAndILikeEmHard
No no no, at godaddy they're only 29.95!!!! Only the highest quality stuff for the bank!
Do not meddle in the affairs of sysadmins, for they are subtle, and quick to anger.
Wait, did you just call _yourself_ a Trollfag?
My login details are username:tkw954 password:*********
Hey that's weird. Slashdot must automatically replace your pw with stars.
You can hunter2 my hunter2ing hunter2. You can't see hunter2!
Knowledge is power. Knowledge shared is power lost.
Consider something that looks like:
https://onlinebanking.capitalone.com/login/.tsdk.cn?login
The whole first part could be the host name: "onlinebanking.capitalone.com/login/" and the domain is actually "tsdk.cn". This would be using the UNICODE symbol for mathematical division that looks like a forward slash.
Which is why everyone should only use English with 7-bit ASCII on the internets. Security is much better for everyone!
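The lookalike-slash host name described in the comment above, checked from the defender's side. This is an added example, not part of the original thread; the function names, the lookalike list and both sample URLs are constructed for illustration.

```python
import unicodedata

# Characters that render like "/" but are not URL delimiters (constructed, not exhaustive).
SLASH_LOOKALIKES = {"\u2215", "\u2044", "\u29f8", "\uff0f"}

# Constructed samples: the first uses U+2215 DIVISION SLASH where a "/" appears to be.
SPOOFED = "https://onlinebanking.capitalone.com\u2215login\u2215.tsdk.cn?login"
GENUINE = "https://onlinebanking.capitalone.com/login/?login"

def extract_host(url):
    """Host as a URL parser sees it: text between '://' and the first
    real ASCII '/', '?' or '#', with userinfo and port removed."""
    _scheme, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("not an absolute URL")
    end = len(rest)
    for delim in "/?#":
        pos = rest.find(delim)
        if pos != -1:
            end = min(end, pos)
    host = rest[:end].rpartition("@")[2]   # drop userinfo
    host = host.partition(":")[0]          # drop port (IPv6 literals not handled)
    return host.lower()

def audit_url(url, expected_domain):
    """Report suspicious characters in the host and whether it sits under expected_domain."""
    host = extract_host(url)
    findings = []
    for ch in host:
        if ch in SLASH_LOOKALIKES:
            findings.append(f"slash lookalike U+{ord(ch):04X} {unicodedata.name(ch)}")
        elif ord(ch) > 0x7F:
            findings.append(f"non-ASCII U+{ord(ch):04X} {unicodedata.name(ch, 'UNNAMED')}")
    if host != expected_domain and not host.endswith("." + expected_domain):
        findings.append(f"host is not under {expected_domain}")
    # Last two labels only approximate the registrable domain (no Public Suffix List here).
    return {"host": host, "last_labels": ".".join(host.split(".")[-2:]), "findings": findings}

if __name__ == "__main__":
    for sample in (SPOOFED, GENUINE):
        print(audit_url(sample, "capitalone.com"))
```

The spoofed sample's host ends in tsdk.cn even though the address bar text starts with the bank's name; a certificate for that host would have to be issued to tsdk.cn's owner, which is what the browser's name check compares against.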
What's "capping it", and why would I want to do it alone?
That's odd, it shows a different number of stars than your password really is. Guess that's to avoid giving even its length away. Clever!