Slashdot Mirror


Making Sense of Mismatched Certificates?

Ropati writes "I bank with capitalone.com. Recently I went to log in to my credit card account, and my browser reported that the site certificate didn't match the web site I was on. [Expletive.] I'm wondering if I am getting a poisoned DNS URL. I have to log in and do my banking, so I accept the mismatched certificate. The banking site is complete, my transactions are listed but that doesn't mean there isn't a man in the middle attack here. I am still curious how much I have exposed my banking assets." Read on for more, and offer advice on how to interpret what sounds like a flaky response from the bank.

Ropati continues "On the Capital One login page, there is a Verisign link on the page to check that the website is supposed to match. So I click on the verification icon and I am rewarded with a link to Verisign. They report that this web site certificate is for onlinebanking.capitalone.com not the servicing.capitalone.com where I log in. Is this the mismatch my browser reported? I know nothing about certificates.

I call Capital One and ask them to fix the problem. If this was a browser issue on my part, then the Verisign link should match. The tech support supervisor, Joe — XRT413, said he couldn't do anything about it and he couldn't escalate the problem to someone who could.

So my questions are: Are the certificates a mismatch or is my browser bellyaching for nothing? Is the certificate mismatch a security hazard? If someone poisoned my local DNS routers, would it be obvious in the URL? How would I prevent such a thing? If everything was working correctly, would the certificate alert me to DNS poisoning, or is this just cosmetic security?"

4 of 322 comments

  1. Re:Not nothing. by badasscat · · Score: 5, Insightful

    Well, but both certificates were for capitalone.com subdomains. In this case, I wouldn't worry too much about it. I'd complain, but it's more of an annoyance than a security risk.

    I'd worry a lot more if one certificate was for capitalone.com and the other for capone.com or capitolone.com or capital1.com or something like that. Then you've got a problem.

  2. Re:Not nothing. by SatanicPuppy · · Score: 5, Insightful

    Yep yep. Buying a new cert for every subdomain is wildly expensive, so these sorts of errors happen reasonably often.

    In a lot of cases the subdomain may be separated from the main domain only for possible load balancing issues, so it's doubly not worth getting a specific cert for a subdomain which may never take off.

    In the end it's a problem because the consumer gets used to accepting bad certs as a matter of course, and that leads to people accepting "capitolone.com" instead of "capitalone.com". Basically the registrars need to be pimp slapped a bit: certificate registration shouldn't cost anywhere near what it does, certificates should be purchasable for whole domains, etc.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  3. Re:Not nothing. by Lord Ender · · Score: 5, Insightful

    Exactly. When you proceed despite an SSL error, you most likely are falling victim to a screw-up on the bank's end, but you are possibly falling victim to a MITM attack. There is no way for you to know conclusively.

    That's really the end of the discussion.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  4. Re:Not nothing. by postbigbang · · Score: 5, Insightful

    You find it amusing. I find it reason to sack your sorry ass.

    Security is a chain of referential components designed (and hacked at constantly) in the attempt to ensure safety. Civilians don't know a bad certificate from a live hand grenade, and both can blow up in their face. Security is a state of mind-- if you have one. Lotsa people don't and rely on cogent web developers for their safety.

    --
    ---- Teach Peace. It's Cheaper Than War.
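
The name check behind the browser warning in the submission, as an added example that is not part of the original thread and not any browser's actual code: a simplified hostname match in Python using the common rule that a wildcard covers exactly one leftmost label. Only the two capitalone.com hostnames come from the submission; the wildcard and lookalike certificate names are constructed for illustration.

```python
"""Added example: simplified certificate-name vs. hostname matching."""


def _labels(name):
    # DNS names are case-insensitive; a trailing dot is just the root label.
    return name.rstrip(".").lower().split(".")


def name_matches(pattern, hostname):
    """True if one DNS name taken from a certificate covers the hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "*" in hostname:
        return False  # a wildcard stands in for exactly one label
    if p[0] == "*":
        # The wildcard must be the whole leftmost label, followed by at
        # least two literal labels, so "*.com" covers nothing.
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == h[1:]
    return "*" not in pattern and p == h


def cert_covers(dns_names, hostname):
    """True if any name listed in the certificate covers the hostname."""
    return any(name_matches(n, hostname) for n in dns_names)


# Hostnames from the submission.
LOGIN_HOST = "servicing.capitalone.com"
SITE_CERT = ["onlinebanking.capitalone.com"]
# Constructed for illustration (assumptions, not real certificates).
WILDCARD_CERT = ["*.capitalone.com"]
LOOKALIKE_CERT = ["servicing.capitolone.com"]


def evaluate(hostname):
    """Check the hostname against each sample certificate's name list."""
    return {
        "site cert": cert_covers(SITE_CERT, hostname),
        "wildcard cert": cert_covers(WILDCARD_CERT, hostname),
        "lookalike cert": cert_covers(LOOKALIKE_CERT, hostname),
    }


if __name__ == "__main__":
    for label, ok in evaluate(LOGIN_HOST).items():
        print(f"{label:15} {'match' if ok else 'MISMATCH'}")
```

A certificate for a sibling subdomain and one for a lookalike domain fail this check in the same way, so the warning by itself does not say which of the two the user is facing.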