Slashdot Mirror


Making Sense of Mismatched Certificates?

Ropati writes "I bank with capitalone.com. Recently I went to log in to my credit card account, and my browser reported that the site certificate didn't match the web site I was on. [Expletive.] I'm wondering if I am getting a poisoned DNS URL. I have to log in and do my banking, so I accept the mismatched certificate. The banking site is complete, my transactions are listed but that doesn't mean there isn't a man in the middle attack here. I am still curious how much I have exposed my banking assets." Read on for more, and offer advice on how to interpret what sounds like a flaky response from the bank.

Ropati continues "On the Capital One login page, there is a Verisign link on the page to check that the website is supposed to match. So I click on the verification icon and I am rewarded with a link to Verisign. They report that this web site certificate is for onlinebanking.capitalone.com, not the servicing.capitalone.com where I log in. Is this the mismatch my browser reported? I know nothing about certificates.

I call Capital One and ask them to fix the problem. If this was a browser issue on my part, then the Verisign link should match. The tech support supervisor, Joe — XRT413, said he couldn't do anything about it and he couldn't escalate the problem to someone who could.

So my questions are: Are the certificates a mismatch or is my browser bellyaching for nothing? Is the certificate mismatch a security hazard? If someone poisoned my local DNS routers would it be obvious in the URL? How would I prevent such a thing? If everything was working correctly, would the certificate alert me to DNS poisoning, or is this just cosmetic security?"

16 of 322 comments

  1. Re:Not nothing. by badasscat · · Score: 5, Insightful

    Well, but both certificates were for capitalone.com subdomains. In this case, I wouldn't worry too much about it. I'd complain, but it's more of an annoyance than a security risk.

    I'd worry a lot more if one certificate was for capitalone.com and the other for capone.com or capitolone.com or capital1.com or something like that. Then you've got a problem.
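Added example, not code from the thread or from the bank: the comparison a browser performs between the names in a server certificate and the hostname in the address bar, with constructed inputs mirroring the case above (a certificate for onlinebanking.capitalone.com presented on servicing.capitalone.com), the wildcard "whole domain" certificate that comes up later in the thread, and a look-alike domain. The registrable-domain helper is a deliberate simplification (last two labels; real clients use the Public Suffix List). No certificate was fetched from any real host.

```python
"""Hostname matching as a browser does it when checking a server certificate.

Added example; the certificate names below are constructed for illustration.
"""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate name (a dNSName entry) covers the hostname.

    Rules follow the usual RFC 6125 browser behaviour:
    - comparison is case-insensitive and ignores a trailing dot;
    - a wildcard is accepted only as the entire leftmost label;
    - the wildcard matches exactly one label, so *.example.com covers
      a.example.com but neither example.com nor a.b.example.com.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial wildcards (serv*.example.com), wildcards in later labels,
    # and over-broad ones such as *.com.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lab for lab in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def _registrable_domain(name: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain.

    Adequate for the .com names in this thread; a real client would consult
    the Public Suffix List so that a.co.uk and b.co.uk are treated as different.
    """
    return ".".join(name.lower().lstrip("*.").split(".")[-2:])


def classify(cert_names: list[str], hostname: str) -> str:
    """Describe a certificate/hostname comparison in the terms used in the thread.

    'ok'                   -> some certificate name covers the host.
    'same-domain-mismatch' -> names differ only below the registrable domain
                              (the onlinebanking vs servicing case).
    'different-domain'     -> names belong to another domain entirely
                              (capitalone.com vs capitolone.com).
    A browser only distinguishes 'ok' from 'not ok': the names alone cannot
    tell a misconfigured bank from an interception, so the warning is the
    point at which to stop rather than click through.
    """
    if any(hostname_matches(n, hostname) for n in cert_names):
        return "ok"
    if any(_registrable_domain(n) == _registrable_domain(hostname) for n in cert_names):
        return "same-domain-mismatch"
    return "different-domain"


# Constructed scenarios (certificate names, hostname visited).
SCENARIOS = {
    "the thread's case": (["onlinebanking.capitalone.com"], "servicing.capitalone.com"),
    "wildcard cert":     (["*.capitalone.com"], "servicing.capitalone.com"),
    "wildcard too deep": (["*.capitalone.com"], "www.servicing.capitalone.com"),
    "look-alike domain": (["onlinebanking.capitalone.com"], "onlinebanking.capitolone.com"),
}

if __name__ == "__main__":
    for label, (names, host) in SCENARIOS.items():
        print(f"{label:20s} cert={names} host={host} -> {classify(names, host)}")
```

The "wildcard too deep" case is why a single wildcard certificate does not automatically cover every host a bank might stand up: one level of subdomain only.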

  2. It's not like they're the only bank, you know by RobertB-DC · · Score: 4, Insightful

    Seriously, there's a bank on every corner. Unless you have some compelling reason to stay with Capital One, open an account elsewhere. You don't even have to close your Capital One account -- save it as a backup.

    That's what I did when Bank of Texas (aka Bank of Oklahoma) added so-called "security questions". The first time I failed at answering "What was your first pet's favorite food?" (or something similarly stupid), I changed my direct deposit to put $1 a paycheck there, and moved the rest to an account at a financial institution with a better understanding of Internet security.

    Speaking of financial institutions, why are you still banking at a for-profit (ha!) institution, anyway? I've got one credit union that doesn't charge an overlimit fee on my credit card, and another that's paying over 4% interest on my checking account. Why can they do that? Because they didn't take stupid risks 10 years ago. I should know -- they wouldn't give me a home loan. The bank that did was first in line for a taxpayer bailout.

    --
    Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
  3. Re:Not nothing. by Anonymous Coward · · Score: 3, Insightful

    I don't know why anyone has their money in large banks anymore. Move it to a local credit union and let those large bank fuckers die out. "Too big to fail" my ass. They haven't been paying FDIC for the last 10 years since "it wasn't necessary".

  4. Re:Not nothing. by Chyeld · · Score: 4, Insightful

    Bitch, don't excuse. The whole point of this exercise was to allow the customer to use the site without putting their info in danger and in a manner that doesn't require having a degree in "teh internets" to get through.

    It should never be the customer's responsibility to bring a magnifying glass to the certificate and manually verify that these were just subdomain mismatches and not some clever capitalone.com vs capitlone.com spelling that is meant to look correct to someone just scanning the screen. That is a security risk: whether or not it is currently exposing your info, it's training you to expect that sort of problem and to ignore it the same way people ignore the dialog boxes XP and VISTA pop up on errors.

  5. Re:Not nothing. by argiedot · · Score: 4, Insightful

    If you're ever in doubt about the validity of the certificate or security of a transaction, however, DON'T DO IT!

    Can't agree more. See this example of a MITM attack.

  6. Re:Not nothing. by SatanicPuppy · · Score: 5, Insightful

    Yep yep. Buying a new cert for every subdomain is wildly expensive, so these sorts of errors happen reasonably often.

    In a lot of cases the subdomain may be separated from the main domain only for possible load balancing issues, so it's doubly not worth getting a specific cert for a subdomain which may never take off.

    In the end it's a problem because the consumer gets used to accepting bad certs as a matter of course, and that leads to people accepting "capitolone.com" instead of "capitalone.com". Basically the registrars need to be pimp slapped a bit: certificate registration shouldn't cost anywhere near what it does, certificates should be purchasable for whole domains, etc.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  7. Re:Not nothing. by Lord+Ender · · Score: 5, Insightful

    Exactly. When you proceed despite an SSL error, you most likely are falling victim to a screw-up on the bank's end, but you are possibly falling victim to a MITM attack. There is no way for you to know conclusively.

    That's really the end of the discussion.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  8. Complaining is kind of pointless. by klubar · · Score: 3, Insightful

    You'll end up in some call center and the agent will have no clue what you're talking about -- they will recommend clearing cookies, restarting the browser (and maybe switching to IE). The message will never get up the food chain. The only real way to get the message across is to close your account and switch to a bank that takes security seriously.

  9. Re:Not nothing. by postbigbang · · Score: 5, Insightful

    You find it amusing. I find it reason to sack your sorry ass.

    Security is a chain of referential components designed (and hacked at constantly) in the attempt to ensure safety. Civilians don't know a bad certificate from a live hand grenade, and both can blow up in their face. Security is a state of mind -- if you have one. Lotsa people don't and rely on cogent web developers for their safety.

    --
    ---- Teach Peace. It's Cheaper Than War.
  10. Re:Right conclusion, wrong procedure by geekoid · · Score: 4, Insightful

    "You deserve to have your account cleaned out for reckless disregard for the security of your financial information. "

    no no NO. No one deserves that; stop pandering the insurance companies' line.

    If your car is not locked, you don't deserve to have it robbed. If you leave a window to your house open, you do not deserve to be robbed. If your windows are easily breakable, you do not deserve to be robbed. If you wear a short skirt, you do not deserve to be raped.
    You deserve to live in a world where you don't have to lock everything.

    --
    The Kruger-Dunning effect explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  11. Re:Not nothing. by encoderer · · Score: 4, Insightful

    There's a quadrillion dollars in Derivatives. (That's not hyperbole.)

    Many large banks hold over a trillion dollars in Credit Default Swaps.

    All CDS contracts have a universal default provision.

    As much as it pains us all, these banks really are too big to fail. That needs to be fixed. We simply cannot have corporations that are so essential that we taxpayers must "insure" them. But that's tomorrow's fight. Today we just need to survive.

  12. Re:Eh ? by Beardo+the+Bearded · · Score: 4, Insightful

    Capital One IT staff: "Oh shit, we're on /."

    2nd C1 IT staff: "Oh fuck. I'll bet it's the certificate."

    *phone rings*

    "Oh shit, it's the CTO's number."

    CTO: "Why the fuck are we on slashdot's front page?"

    And presto, Capital One's certificates have been fixed.

    --
    ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
  13. Re:Not nothing. by Eric+in+SF · · Score: 4, Insightful

    Everyone is saying this and it really does make sense. Except. I don't trust the American system to fix this once the "sky is falling" danger is passed. I really don't.

  14. Here's an idea by bensafrickingenius · · Score: 3, Insightful

    If you suspect you're visiting a phishing site, try first entering the WRONG password. Since the phishing site shouldn't know your true password, it will just accept the incorrect one and store it away for the purpose of dastardly use later on. If the site rejects the incorrect password, then accepts the true one, you know you're OK. Right?

    --
    I am not left-handed, either!
  15. Re:Not nothing. by TheNarrator · · Score: 4, Insightful

    The funny thing is that people think the guys getting screwed are the homeowners who got to live in a home they never would have been able to afford in normal times.

    The people who got screwed are all the foreigners that bought these assets thinking their money was safe AAA rated stuff. Now they are being told that they bought a bunch of worthless garbage.

    The real problem now is that they have caused an incalculable amount of damage to the reputation of our financial system as being a safe place to invest money. The government has to bail all these people out to show that they will stand behind all these too big to fail crooks and make good on their lies in order to maintain confidence.

  16. Re:Not nothing. by aynoknman · · Score: 3, Insightful

    "Too big to fail" my ass.

    There is still hope. They are rapidly becoming small enough to fail.

    --
    We need a "+1 -- nice sig" moderation.