Slashdot Mirror
Making Sense of Mismatched Certificates?
Ropati writes "I bank with capitalone.com. Recently I went to log in to my credit card account, and my browser reported that the site certificate didn't match the web site I was on. [Expletive.] I'm wondering if I am getting a poisoned DNS URL. I have to log in and do my banking, so I accept the mismatched certificate. The banking site is complete, my transactions are listed but that doesn't mean there isn't a man in the middle attack here. I am still curious how much I have exposed my banking assets." Read on for more, and offer advice on how to interpret what sounds like a flaky response from the bank.
Ropati continues "On the Capital One login page, there is a Verisign link on the page to check that the website is suppose to match. So I click on the verification icon and I am rewarded with a link to Verisign. They report that this web site certificate is for onlinebanking.capitalone.com not the servicing.capitalone.com where I log in. Is this the mismatch my browser reported. I know nothing about certificates.
I call Capital One and ask them to fix the problem. If this was a browser issue on my part, then the Verisign link should match. The tech support supervisor, Joe — XRT413, said he couldn't do anything about it and he couldn't escalate the problem to someone who could.
So my questions are: Are the certificates a mismatch or is my browser bellyaching for nothing? Is the certificate mismatch a security hazard? If someone poisoned my local DNS routers would it be obvious in the URL? How would I prevent such a thing? If everything was working correctly, would the certificate alert me to DNS poisoning, or is this just cosmetic security?"
Ropati continues "On the Capital One login page, there is a Verisign link on the page to check that the website is suppose to match. So I click on the verification icon and I am rewarded with a link to Verisign. They report that this web site certificate is for onlinebanking.capitalone.com not the servicing.capitalone.com where I log in. Is this the mismatch my browser reported. I know nothing about certificates.
I call Capital One and ask them to fix the problem. If this was a browser issue on my part, then the Verisign link should match. The tech support supervisor, Joe — XRT413, said he couldn't do anything about it and he couldn't escalate the problem to someone who could.
So my questions are: Are the certificates a mismatch or is my browser bellyaching for nothing? Is the certificate mismatch a security hazard? If someone poisoned my local DNS routers would it be obvious in the URL? How would I prevent such a thing? If everything was working correctly, would the certificate alert me to DNS poisoning, or is this just cosmetic security?"
This is a misconfiguration on their end. EV certificates, the ones that turn your address bar green and coax turtles into doing happy dances, are really expensive. It's my guess that they've either reused a certificate on another system, or one of their developers made a mistake in how the site and server cluster is configured. It's certainly something to complain about.
If you're ever in doubt about the validity of the certificate or security of a transaction, however, DON'T DO IT!. This goes for standing at an ATM in a shady neighborhood or doing business online.
The cert is for servicing.capitalone.com and not for onlinebanking.capitalone.com. The only thing that seems wrong is the verisign link.
The above comments are not guaranteed to make sense to anyone other than the author...
It's all a scam and we're all laughing at you. While spending your money. Thanks for the good times.
) Human Kind Vs Human Creation
) It'd be interesting to see how many humans would survive to serve us.
I am still curious how much I have exposed my banking assets
Seeing you logged in correctly, everything.
Hello, IT, have you tried turning it off and back on again?
Ah... another tech support call. Sure, what's the problem?
Are the certificates a mismatch or is my browser bellyaching for nothing?
Yes. And maybe yes too.
Is the certificate mismatch a security hazard?
Common sense would suggest it wouldn't be in a big popup dialog labeled "WARNING" if it wasn't.
If someone poisoned my local DNS routers would it be obvious in the URL?
No.
How would I prevent such a thing?
Stop clicking "Okay" or "Yes" to every security warning you don't understand.
If everything was working correctly, would the certificate alert me to DNS poisoning, or is this just cosmetic security?
If the certificate isn't properly signed, a warning like the one you were presented with should throw a dialog box in the web browser.
#fuckbeta #iamslashdot #dicemustdie
My browser has no problem with their cert. And Im using a particularly picky browser (firefox 3.07).
A non-story?
Seriously, there's a bank on every corner. Unless you have some compelling reason to stay with Capital One, open an account elsewhere. You don't even have to close your Capital One account -- save it as a backup.
That's what I did when Bank of Texas (aka Bank of Oklahoma) added so-called "security questions". The first time I failed at answering "What was your first pet's favorite food?" (or something similarly stupid), I changed my direct deposit to put $1 a paycheck there, and move the rest to an account at a financial institution with a better understanding of Internet security.
Speaking of financial institutions, why are you still banking at a for-profit (ha!) institution, anyway? I've got one credit union that doesn't charge an overlimit fee on my credit card, and another that's paying over 4% interest on my checking account. Why can they do that? Because they didn't take stupid risks 10 years ago. I should know -- they wouldn't give me a home loan. The bank that did was first in line for a taxpayer bailout.
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
A mismatch at the third level of the domain name is probably a configuration screw-up on Capital One's part. It shouldn't be possible for a third party to get a certificate for a capitalone.com subdomain.
If, however, somebody did get a certificate for onlinebanking.capitalone.com, then Capital One's only defense is to change the subdomain they use and hope that people who've been hit by a DNS poisoning or other man-in-the-middle attack pay attention to the certificate mismatch.
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
The first thing to note is that SSL covers the host-to-host connection and is ignorant of higher-level protocols. There are a couple of things which can cause SSL mismatches:
1) SSL cert is set up to one hostname that the machine services, but site is on another. The SSL negotiation happens prior to the host headers being processed. This could be solved by browser controls (i.e. do a rDNS lookup on the cert's host and make sure it matches the IP you are connecting to), but this ends up causing other, more serious issues, because different sites on the same server could be controlled by different parties. Hence if you have a shopping cart, I could re-use your cert on my shared site on the same box, spoof your page, and steel credit card numbers. So the browser behavior is correct.
2) The SSL cert could have been accidently re-used (unlikely).
My general rule is that if the hostname's TLD matches with the cert (capitalone.com), but the most host-specific portion does not (servicing vs online banking), this is reasonably (though not completely) safe to ignore. Revoked certs should ALWAYS be treated with suspicion because you don't know why it was revoked. Expired certs.... Well, it depends. There are other things that can cause certs to be improperly shown as expired so that demands more careful consideration.
LedgerSMB: Open source Accounting/ERP
This reminds me of an story. A friend and I were moving a heavy couch and at an inopportune time he got flustered and said 'Hold on, we need to put this down and take a break'. We did, finished moving it later and that was that.
About 6 months later out of the blue he explained to me that he had to put the couch down because the apparently strained a bit too hard and pooped his pants.
I have no idea why he told me, much less told me 6 months later. He was kind of a weird guy.
The moral of this story is:
If you do something embarassing or stupid and privately get away with it, don't tell anyone.
has a mismatched certificate. something like www.ourdomain.com not matching subdomain.ourdomain.com
i don't know enough about SSL and certs to tell you that subdomain, as opposed to domain, mismatches are exploitable. but i know in my particular instance, its just laziness on my company's part, and it smells like someone just dropped the ball on a configuration at capitalone
i know in my company's case i complain about it, but nothing ever gets done about it (until we get exploited i bet)
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
What is "Cap It Alone"?
Doesn't sound like a website I'd entrust my financial information to...
but I have worked on several computers where the users PC date/time somehow was changed to the year 2006 (and yet another that the year was changed to 2013). Because the date of the computer was out of the range of the dates on the certificate etc. it would come up with an error and prevent logon capabilities. Very rare instance that this would happen as the certificate was valid but due to dates being wrong it wouldn't display the page nor allow the user to log into the banking website. But there is the possibility that Capital One in all their infinite knowledge and awesomesauce screwed something up. Just my 2 cents.
unimatrixzer0
A corporation will get the certificate issued for their shiny professional 'main' URL, like www.ReallyGreatBank.com, and then their online account management system ends up being a redirect to wherever the hell they felt like putting it. For example, while I don't know if they have certificate issues, Citibank's many 'main' sites for themselves and their acquisitions, take you to www.accountonline.com/yada-yada.
I guess if we all complained until we were blue in the face, businesses -might- make more of an effort to keep the certificates in line with the actual sites. However, the answer received in this case: 'Sorry I can't escalate that' shows that the corporations know we'll suck it up and deal.
Personally I consider a DNS poisoning sufficiently unlikely compared to simpler scams (like redirecting to a similarly named domain) that I don't sweat it too much.
RETURN without GOSUB in line 1050
Now you know why I no longer bank with Capital One. They not only are really not concerned at all with their security, but they really could care less about you; their customer. I had nothing but issues with them and just closed everything up and moved on.
All content in this message is copyright (c) 2008. All rights reserved. RIAA is prohibited here.
An ID Thief opened a Capital One account in my name. They had my name, address, SSN, and DOB, but got my mother's maiden name wrong. Capital One approved the card anyway. Then, when the thief immediately changed the address (from mine to another address), before even activating the card, it didn't raise any red flags in their systems. Then, when the thief tried to get a $5,000 cash advance on the card (still not activated), it didn't raise any red flags in their systems (though they denied the advance). Then, when I called them, they refused to give me any information on the theory that I could "go and shoot the guy and they would be liable." Instead, I had to have a police officer call a special "cops number." The police officer called that number and got a recording which apparently no one ever returned phone calls from. At every step of the way, Capital One seemed to be going out of its way to protect itself *from* me and my ID Theft investigation instead of caring about the fact that it was an accessory to ID theft. Needless to say, I won't ever do business with Capital One again.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
You're end up in some call center and the agent will have no clue what you're talking about -- they will recommend clearing cookies, restarting the browser (and maybe switch to IE). The message will never get up the food chain. The only real way to get the message is to close your account and switch to a bank that takes sucurity seriously.
Web browsers should not allow access to sites with messed up security. If all browsers errored out, sites like this would be unusable and would get fixed. Putting up a warning that the user learns to ignore is just crying wolf. People learn to ignore such things - so why implement them at all?
It worked for me. The server certificate I got was valid (issued 2008-10-02, expires 2009-10-15, for "servicing.capitalone.com"). There could be many problems causing this.
http://skapare.ipal.org/servicing.capitalone.com.cert.general.png
One is that the actual server (of many servers they are running through load balancing port redirectors) you connected to doesn't have the right certificate (e.g. they didn't install the new one on all servers ... maybe new servers coming online and the update of renewed certificate crossed paths).
Another is that you really are subjected to a man-in-the-middle attack that passed everything through, actually updating your real account. In the mean time your username, password, and financial information, are all recorded (if you have a big enough balance now, you might not have it next week).
now we need to go OSS in diesel cars
I don't really understand why any individual with regular "banking" needs would use a bank today. Credit unions are non-profit, and generally, because of their structure, are run much better than banks are. My credit union has been impacted 0% by this banking mess stuff. I'm earning 4% on my PERSONAL CHECKING account, and not paying any fees. I also have all of my business accounts, and my mortgage with my local credit union.
Credit Unions: Like banks, but cheaper, non-profit, less corrupt, no over-paid executives, and not out to screw you over.
certificates should be purchasable for whole domains
They are. You don't have to buy a new cert for every subdomain. If you have a lot of subdomains to secure the best solution is to get a wildcard certificate.
well, there's your problem right there
was it the retro arcade game commercial that suckered you in?
admittedly, they nailed the music on that one perfectly
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
DO NOT continue banking online, and call them to let them know of the problem. Continue banking over the phone or in person (I know..it's a pain in the ass compared to doing it online, but it's nothing compared to having to deal with identity theft).
OK, your bank screwed the pooch and you should complain - LOUDLY - until it's fixed. You should also look for a bank that understands basic internet/web concepts like "SSL cert's CN must match DNS hostname" -- I fear for the rest of their infrastructure.
That said, you were logging into your bank, which presumably holds a large percentage of your cash assets, you received a SSL error and you continued the transaction?
You deserve to have your account cleaned out for reckless disregard for the security of your financial information. Go to a brick-and-mortar bank, or call them on the telephone (*gasp*) if your banking is so urgent.
/~mikeg
Comment removed based on user account deletion
Didn't we have a story recently where it was possible to sign new certs in an existing domain without authorisation ? That would make the "don't worry too much, it's a sub-domain" answers a bit weak.
Certainly, if this was a multi-billion dollar organisation, it would be worth setting up all sorts of hacks, but this can only be used against people with standard credit card limits. How would you exploit a flaw such as this? You'd presumably need some sort of automation because you'd be stealing small amounts from thousands of people but my knowledge of certificates and the nature of the security they provide is sparse.
The real problem here, I think, is the customer service. A company is too big for its britches when it is no longer possible to get ahold of someone there to take action on a technical issue. I realize that they have to ignore people without hotlines to their technical department or else spend enormous time filtering out feedback from morons.. but when they do this, they lose the asset of feedback from experts like us.
I wish there was a way to get certified as a Smart Guy so that you got a secret login to a hotline website where subscriber companies could get in contact with you in order to receive your feedback about their systems.
that real massive online and electronic banking will fail.
There are more and more way to compromise systems technically and socially due to the nature of computers.
The Kruger Dunning explains most post on
Apparently there is a tech at Capital One that reads slashdot.
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
Something strange is going on here. Capital One's main site returns a certificate for the correct domain, but the certificate is invalid. This isn't a wrong-domain issue; the cert is bad. CN="www.capitalone.com", the dates are valid, the issuer is Verisign, but it won't validate in Firefox. Our own system, SiteTruth, which uses OpenSSL, also indicates it's no good. But neither Firefox nor OpenSSL is producing a useful error message. It looks like this certificate is either corrupted or bogus.
The location ("L") in the cert is Glen Allen, VA. Capital One has a facility in Glen Allen, according to Google, and it looks like a huge warehouse. So that's probably their data center, at 4871 Cox Rd, Glen Allen, VA - (804) 270-4104.
A traceroute ends at "capitalone-gw.customer.alter.net", which doesn't mean much one way or the other.
Their stock has dropped from 55 to 12 since September 2008. If you have any money in there above the FDIC insurance limits, get it out now..
capitalone sucks.
i have been paying down a credit card- from 13,000 to 8,000 last year. now they want to raise my rate to 30%. what hav i done? paid on time, NOT CHARGED ANYTHING IN TWO YEARS, and they call and threaten thaat if i dont accept the 30% rate i wont be able ot charge on tht card. ARE THEY EVEN LOOKING AT MY RECORDS?
stupid, stupid company. i will pay them off completely soon (next month) and NEVER do any business with them again.
Everyone needs to take a breath, and take a look at the CapOne web site. The certificate contains the correct URL for that page. The problem is NOT the SSL cert; it's the stupid Verisign seal thingy.
That Verisign seal thingy is coded to show the wrong sub-domain. Apparently CapitalOne created a seal for one sub-domain and inappropriately used it on a page in a different domain. They could do that because nothing the seal prevents it's use in the wrong domain. It won't even alert the user to an erroneous use.
That's the problem with the Verisign assurance seal. It assures absolutely nothing.
For yucks, create a Versign seal -- but pay attention to their rules!
Around here the credit unions all charge fees for ATM usage, fees for cheques, fees for electronic transfers, etc. Because of this, I went with a primarily-online bank that has more reasonable policies.
It looks to me as though IE 8 does just this. The matched part of the url is in a bolder face than the rest of the address. Cool!
What's "capping it", and why would I want to do it alone?
Just a side note....when my iGoogle widget for Slashdot posts lead-ins for the Slashdot posts, it also inserts ads under the posts. The ad for this post was from CapitalOne!
Interesting. Most of the credit unions I've checked out here in the Bay Area are members of a consortioum of CUs and none of them charge to use out of network ATMs or each other's ATMs (hence the consortium) and many of them rebate ATM fees charged by the owner of the ATM. My partner and I are about to make the switch to a CU for all the same reasons on the table.
As much as it pains us all, these banks really are too big to fail.
Unfortunately, nothing is too big to fail. And the bigger they are the harder they fall.
So when they're falling, what's the right approach? Try to prop them up with stacks of additional money (which also gets lost when they fall over anyhow?) Or refuse to throw the additional money into the pit and just get it over with?
I claim the latter is the right approach. Makes the disaster smaller, more limited to the institutions whose people made the wrong decisions (rather than robbing the people who made better decisions to pay for it), and serves as an object lesson for future decision-makers.
That needs to be fixed. We simply cannot have corporations that are so essential that we taxpayers must "insure" them.
With you there.
But that's tomorrow's fight. Today we just need to survive.
NOT with you THERE.
The more we prop up the failing giants, the more of us go down with them.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
And this is one of the reasons the current implementation of Unicode needs a lot of fixing.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
What if browsers completely refused to connect to web sites where there is a domain name mismatch in the certificate? Sure, it would make things pretty hard for a while, but at least there wouldn't be the quick and dirty (and dangerous) fix of support people telling customer's to "just ignore it". Businesses would, shock horror, have to actually fix the underlying problem! I can't help but think if browsers had always been this strict, the world would be a safer place and this really wouldn't be an issue. Even if you use self signed certificates, there's no excuse for certificate domain miss-match.
There's a FireFox plugin called "Perspectives" which is designed to deal with this sort of thing. http://www.cs.cmu.edu/~perspectives/ Basically what Perspectives does is fill in when FF decides that a cert doesn't match. Perspectives then contacts a bunch of other hosts to check the certificate. If the cert is the same as everyone else sees, and hasn't changed in a "long time", then the assumption is that the cert is valid, even if it's self-signed, or doesn't match. Read the perspectives site for more details. (I am not affiliated with this plugin, but I do use it and like it.)
"Those who would sacrifice essential liberty for temporary safety deserve neither liberty nor safety."
They're the idiots that decided that encryption keys out to be called "certificates" and are the same things as valid undeniably perfect identification.
-- Programming with boost is like building a house with lego. It's a cool but I wouldn't want to live in it
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
Tell me now, why do we need to protect the counterparties in the derivatives contracts? Shouldn't they have been aware of the risk involved? Just look at it this way: Company A offers credit default swaps against securities to protect lenders in case of default. Company B says, "Hey, that sounds great! Small premium for such a policy!" But Company B should considering, "Hey, they only way we'll need this insurance is if there is a catastrophic collapse. But if that happens, Companies C, D, E, ..., Z are all going to be asking to be reimbursed along with us! And why should we think Company A has anywhere near enough capital to insure all of those companies in case of default?" Company B should be asking Company A, "Hey, do you even able to insure this?" And the answer would be a resounding "No" (or a bald-faced lie that would be easy to uncover).
The simple fact is, these companies didn't even think about what would happen if AIG couldn't cover all the swaps. Because nobody could cover all those swaps. Let AIG fail. As far as the banks who are counterparties, let them go into receivership, wipe out the shareholders, and sell off their assets to pay off as many debt holders as possible. That's what the FDIC is for; maybe we should use it for something other than a moral hazard provider.
Perhaps because Credit Unions (at least in my area) SUCK. They have almost no branches, their hours are abysmal, and there is no reason for them to have nice customer service policies. I used to be with one local credit union - they told me there was a fee just to get a VISA Debit card! At least with my bank, I have access all over the western half of the US to a real employee, not just a "credit union servicing center" where the connection to the credit union is down half the time. And no fees - I get direct deposit like most people and I don't pay any fee - I get free VISA Debit cards, checking registers, online access, even bill pay (although I refuse to use it). I have found that the credit unions I've interacted with, either myself directly or in one case through a close family member, have had lower quality of service than my local bank.
. Define sqrt(x) as something really evil like (x / rand()), and bury it deep. Watch your coworkers go nuts.
Self-signing is the only sensible way to use certificates.
CAs should only be used in the same way that USians use notary publics. The certificate should be treated like a notary's seal. (And priced the same.)
But the CAs can't even behave like notaries until they get proper time stamping implemented.
The standard itself was never debugged, and every purveyor of snake oil fudges whatever part of the standard that gets in the way of their patent formula.
Sorry to be negative, but it gets kind of fatiguing, watching the other guy making all the money doing everything wrong. Yeah, that's part of believing in freedom, but it would help if the other believed in it enough to at least try to do it right.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
There is no proper secure (in other words, without aliased glyphs) subset of Unicode.
Well, there was a time that the domain name portion of urls was supposed to be limited to latin lower case plus numeric and dash, but that simply didn't sell, and the Chinese want to be able to filter (erk), I mean, they want to be able to use their ideographs in urls with pride.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
is great, as long as the ip doesn't change.
But you really shouldn't have to depend on even the ip.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
If you suspect you're visiting a phishing site, try first entering the WRONG password. Since the fishing site shouldn't know your true password, it will just accept the incorrect one and store it away for the purpuse of dastardly use later on. If the site rejects the incorrect password, then accepts the true one, you know you're OK. Right?
I am not left-handed, either!
Electronic banking is heavily regulated. If you feel your concerns are being taken seriously by the bank you need to head on over to the federal reserves website and file a complaint. The Federal Reserve will forward the complaint to the correct regulating facility and banks will respond or be fined.
http://www.federalreserveconsumerhelp.gov/
... from Verisign. If you're using one for each of your 900 subdomains, I guess it adds up. If you're a bank and do a lot of on-line transactions, you'd think pretty much one subdomain could handle it (or maybe one for commercial clients, one for retail, etc.). And yes, the cluster needs to be configured correctly.
Guys,it's Windows, when in doubt,Reboot!
If still in doubt,See rule #1,Reboot!
Rule #2,"Let your fingers do the walking",Dial the number!
Rule #3,If Rule #2 fails,get in the car,Start,Drive to the Bank!!!
Whenever I run into a cert mismatch, I check the site IP (fairly straightforward in FF). Then I do a search on the IP against whois databases (ARIN, RIPE). If I see, that the IP is registered to the organization that is supposed to be serving me (and not just an IP reseller), I grant a temp exception and send an email to the staff of the service provider (the whois databases usually have that info) and tell them they've screwed up.
For online banking, I have one-time passwords, issued by the bank (it's a two-phase process). But I've never run into a cert mismatch on a banking service yet.
Every problem has a solution that is simple, easy and wrong. Selling our Liberty for a little Security is a much too de
That's the most insightful comment that I've read to date on this whole mess.
I agree, however, I don't like to hear "we can not let the banks fail".
Why should they be infallible? Why should we always save their asses, when they give themselves big bonuses. I say let them fail...we have other means of saving our money, my mattress has plenty of room, I can send money by credit union, and can pay my bills by money orders.
We feel too comfortable with our system and don't want to lose it, but in the end this is what is killing us, our involuntary nature to let the sh*t happen and let the chips fall, and WoW are people going to be pissed if they see their banks fail, I would go and remove all moneys from the banks.
If they go bankrupt, does that mean you still have to pay your loan back?
So make sure to send the message loud and clear to the banks, we wont stand for it any longer....
You fail, that's it, game over. Same with the car industry....let's keep bailing them out, like the retards we are, because we NEED them to give us jobs....that's like saying I will pay to work for you...now THAT sounds crazy!
Well the simplest fix would be to change "too big to fail" arrangement into a "too big to exist" arrangement. We've had a hard lesson on how absolutely absolute power will corrupt. Why let it happen again?
I'm not tense. I'm just terribly, terribly, alert.