Making Sense of Mismatched Certificates?
Ropati writes "I bank with capitalone.com. Recently I went to log in to my credit card account, and my browser reported that the site certificate didn't match the web site I was on. [Expletive.] I'm wondering if I am getting a poisoned DNS URL. I have to log in and do my banking, so I accept the mismatched certificate. The banking site is complete and my transactions are listed, but that doesn't mean there isn't a man-in-the-middle attack here. I am still curious how much I have exposed my banking assets." Read on for more, and offer advice on how to interpret what sounds like a flaky response from the bank.
Ropati continues "On the Capital One login page, there is a Verisign link on the page to check that the website is supposed to match. So I click on the verification icon and I am rewarded with a link to Verisign. They report that this web site certificate is for onlinebanking.capitalone.com, not the servicing.capitalone.com where I log in. Is this the mismatch my browser reported? I know nothing about certificates.
I call Capital One and ask them to fix the problem. If this was a browser issue on my part, then the Verisign link should match. The tech support supervisor, Joe — XRT413, said he couldn't do anything about it and he couldn't escalate the problem to someone who could.
So my questions are: Are the certificates a mismatch or is my browser bellyaching for nothing? Is the certificate mismatch a security hazard? If someone poisoned my local DNS routers would it be obvious in the URL? How would I prevent such a thing? If everything was working correctly, would the certificate alert me to DNS poisoning, or is this just cosmetic security?"
This is a misconfiguration on their end. EV certificates, the ones that turn your address bar green and coax turtles into doing happy dances, are really expensive. It's my guess that they've either reused a certificate on another system, or one of their developers made a mistake in how the site and server cluster is configured. It's certainly something to complain about.
If you're ever in doubt about the validity of the certificate or security of a transaction, however, DON'T DO IT! This goes for standing at an ATM in a shady neighborhood or doing business online.
Hello, IT, have you tried turning it off and back on again?
Ah... another tech support call. Sure, what's the problem?
Are the certificates a mismatch or is my browser bellyaching for nothing?
Yes. And maybe yes too.
Is the certificate mismatch a security hazard?
Common sense would suggest it wouldn't be in a big popup dialog labeled "WARNING" if it wasn't.
If someone poisoned my local DNS routers would it be obvious in the URL?
No.
How would I prevent such a thing?
Stop clicking "Okay" or "Yes" to every security warning you don't understand.
If everything was working correctly, would the certificate alert me to DNS poisoning, or is this just cosmetic security?
If the certificate isn't properly signed, a warning like the one you were presented with should throw a dialog box in the web browser.
#fuckbeta #iamslashdot #dicemustdie
Seconded. The certificate is correct.
I don't know what that verisign link is all about but it is useless.
You certainly cannot trust information within a web page to verify the identity of the server.
Click on the little 'lock' icon on the bottom right corner of your browser to inspect the certificate.
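What the browser is actually checking when you inspect that certificate is whether the hostname in the URL appears among the names the certificate was issued for. The script below is an added example, not code from the original thread or from the bank: it reimplements that name check (subjectAltName dNSName entries first, subject CN only as a legacy fallback, wildcard honoured only as the whole leftmost label) and separates it from chain validation, which is the other way a certificate can fail. The two certificate dicts are hand-constructed in the shape Python's `ssl.getpeercert()` returns and are not Capital One's real certificates; `fetch_peer_cert` is a helper added here for trying it against a live server.

```python
"""Hostname matching for server certificates (added example, not from the thread).

The constructed certificate dicts at the bottom mimic the format returned by
ssl.SSLSocket.getpeercert(); they are illustrative stand-ins, not real certs.
"""
import socket
import ssl
from typing import Dict, List


def cert_dns_names(cert: Dict) -> List[str]:
    """Names the certificate is valid for, RFC 6125 style.

    subjectAltName dNSName entries win; the subject commonName is consulted
    only when the certificate carries no DNS SANs at all (modern browsers
    ignore the CN entirely, which is stricter than this fallback).
    """
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [
        value
        for rdn in cert.get("subject", ())
        for key, value in rdn
        if key == "commonName"
    ]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname.

    A wildcard is accepted only as the entire leftmost label and matches
    exactly one label: *.capitalone.com covers servicing.capitalone.com but
    not capitalone.com or a.b.capitalone.com. Comparison is case-insensitive.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:]:
        return False  # wildcard must be the whole first label, nowhere else
    if len(p_labels) < 3:
        return False  # refuse overly broad patterns such as *.com
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def match_hostname(cert: Dict, hostname: str) -> bool:
    """True if any name in the certificate covers the requested hostname."""
    return any(dns_name_matches(name, hostname) for name in cert_dns_names(cert))


def explain_mismatch(cert: Dict, hostname: str) -> str:
    """Human-readable verdict, the substance of the browser's warning dialog."""
    names = cert_dns_names(cert)
    if match_hostname(cert, hostname):
        return f"OK: {hostname} is covered by {names}"
    return f"MISMATCH: {hostname} is not in {names}"


def fetch_peer_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> Dict:
    """Fetch a live certificate with chain validation still enforced.

    Only the built-in hostname check is switched off, so a name mismatch comes
    back as a readable report from explain_mismatch() instead of an exception.
    An untrusted, expired or corrupt chain still raises
    ssl.SSLCertVerificationError: that is the second, separate failure mode.
    """
    ctx = ssl.create_default_context()  # verify_mode stays CERT_REQUIRED
    ctx.check_hostname = False  # name check is done by match_hostname() above
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed stand-ins in getpeercert() format (illustrative, not real data).
CERT_ONLINEBANKING = {
    "subject": ((("commonName", "onlinebanking.capitalone.com"),),),
    "subjectAltName": (("DNS", "onlinebanking.capitalone.com"),),
}
CERT_WILDCARD = {
    "subject": ((("commonName", "*.capitalone.com"),),),
    "subjectAltName": (("DNS", "*.capitalone.com"), ("DNS", "capitalone.com")),
}

if __name__ == "__main__":
    for cert in (CERT_ONLINEBANKING, CERT_WILDCARD):
        print(explain_mismatch(cert, "servicing.capitalone.com"))
    live = fetch_peer_cert("www.capitalone.com")  # network access, chain validated
    print(explain_mismatch(live, "www.capitalone.com"))
```

Run stand-alone, the first constructed certificate reports a mismatch for servicing.capitalone.com, exactly the situation the original poster hit, while the wildcard one covers it; the live call at the end raises `ssl.SSLCertVerificationError` if the chain does not validate, which is how you tell "wrong name" apart from "bad certificate" without guessing.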
An ID Thief opened a Capital One account in my name. They had my name, address, SSN, and DOB, but got my mother's maiden name wrong. Capital One approved the card anyway. Then, when the thief immediately changed the address (from mine to another address), before even activating the card, it didn't raise any red flags in their systems. Then, when the thief tried to get a $5,000 cash advance on the card (still not activated), it didn't raise any red flags in their systems (though they denied the advance). Then, when I called them, they refused to give me any information on the theory that I could "go and shoot the guy and they would be liable." Instead, I had to have a police officer call a special "cops number." The police officer called that number and got a recording which apparently no one ever returned phone calls from. At every step of the way, Capital One seemed to be going out of its way to protect itself *from* me and my ID Theft investigation instead of caring about the fact that it was an accessory to ID theft. Needless to say, I won't ever do business with Capital One again.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
Due to security concerns (just like the OP is expressing), you can't get a Wildcard EV certificate.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
Similar thing happens whenever I try to log into my virginmobile account. https://virginmobileusa.com/ has a certificate for www.virginmobileusa.com
Something strange is going on here. Capital One's main site returns a certificate for the correct domain, but the certificate is invalid. This isn't a wrong-domain issue; the cert is bad. CN="www.capitalone.com", the dates are valid, the issuer is Verisign, but it won't validate in Firefox. Our own system, SiteTruth, which uses OpenSSL, also indicates it's no good. But neither Firefox nor OpenSSL is producing a useful error message. It looks like this certificate is either corrupted or bogus.
The location ("L") in the cert is Glen Allen, VA. Capital One has a facility in Glen Allen, according to Google, and it looks like a huge warehouse. So that's probably their data center, at 4871 Cox Rd, Glen Allen, VA - (804) 270-4104.
A traceroute ends at "capitalone-gw.customer.alter.net", which doesn't mean much one way or the other.
Their stock has dropped from 55 to 12 since September 2008. If you have any money in there above the FDIC insurance limits, get it out now.