Making Sense of Mismatched Certificates?

Ropati writes "I bank with capitalone.com. Recently I went to log in to my credit card account, and my browser reported that the site certificate didn't match the web site I was on. [Expletive.] I'm wondering if I am getting a poisoned DNS URL. I have to log in and do my banking, so I accept the mismatched certificate. The banking site is complete, my transactions are listed but that doesn't mean there isn't a man in the middle attack here. I am still curious how much I have exposed my banking assets." Read on for more, and offer advice on how to interpret what sounds like a flaky response from the bank.

Ropati continues "On the Capital One login page, there is a Verisign link on the page to check that the website is suppose to match. So I click on the verification icon and I am rewarded with a link to Verisign. They report that this web site certificate is for onlinebanking.capitalone.com not the servicing.capitalone.com where I log in. Is this the mismatch my browser reported. I know nothing about certificates.

I call Capital One and ask them to fix the problem. If this was a browser issue on my part, then the Verisign link should match. The tech support supervisor, Joe — XRT413, said he couldn't do anything about it and he couldn't escalate the problem to someone who could.

So my questions are: Are the certificates a mismatch or is my browser bellyaching for nothing? Is the certificate mismatch a security hazard? If someone poisoned my local DNS routers would it be obvious in the URL? How would I prevent such a thing? If everything was working correctly, would the certificate alert me to DNS poisoning, or is this just cosmetic security?"

Not nothing.

[mnslinky]

This is a misconfiguration on their end. EV certificates, the ones that turn your address bar green and coax turtles into doing happy dances, are really expensive. It's my guess that they've either reused a certificate on another system, or one of their developers made a mistake in how the site and server cluster is configured. It's certainly something to complain about.

If you're ever in doubt about the validity of the certificate or security of a transaction, however, DON'T DO IT!. This goes for standing at an ATM in a shady neighborhood or doing business online.

Re:Not nothing.

Dude, post your login details and I'll check it out for you.

Re:Not nothing.

[badasscat]

Well, but both certificates were for capitalone.com subdomains. In this case, I wouldn't worry too much about it. I'd complain, but it's more of an annoyance than a security risk.

I'd worry a lot more if one certificate was for capitalone.com and the other for capone.com or capitolone.com or capital1.com or something like that. Then you've got a problem.

Re:Not nothing.

[Chyeld]

Bitch, don't excuse. The whole point of this exercise was to allow the customer use the site without putting their info in danger and in a manner that doesn't require having a degree in "teh internets" to get through.

It should never be the customer's responsibilty to bring a maginfying glass to the certificate and manually verify that these were just subdomain mismatches and not some clever capitalone.com vs capitlone.com spelling that means to look correct to someone just scanning the screen. That is a security risk, whether or not it is currently exposing your info, it's training you to expect that sort of problem and to ignore it the same way people ignore the dialog boxes XP and VISTA pop up on errors.

Re:Not nothing.

[argiedot]

If you're ever in doubt about the validity of the certificate or security of a transaction, however, DON'T DO IT!

Can't agree more. See this example of a MITM attack.

Re:Not nothing.

[SatanicPuppy]

Yep yep. Buying a new cert for every subdomain is wildly expensive, so these sorts of errors happen reasonably often.

In a lot of cases the subdomain may be separated from the main domain only for possible load balancing issues, so it's doubly not worth getting a specific cert for a subdomain which may never take off.

In the end it's a problem because the consumer gets used to accepting bad certs as a matter of course, and that leads to people accepting "capitolone.com" instead of "capitalone.com". Basically the registrars need to be pimp slapped a bit: certificate registration shouldn't cost anywhere near what it does, certificates should be purchasable for whole domains, etc.

Re:Not nothing.

[Lord+Ender]

Exactly. When you proceed despite an SSL error, you most likely are falling victim to a screw-up on the bank's end, but you are possible falling victim to a MITM attack. There is no way for you to know conclusively.

That's really the end of the discussion.

Re:Not nothing.

Well, it's good to worry any time there is a mismatch. It can be easy to fake legitimate looking URL's using UNICODE characters and such.

Consider something that looks like like:
https://onlinebanking.capitalone.com/login/.tsdk.cn?login

The whole first part could be the host name: "onlinebanking.capitalone.com/login/" and the domain is actually "tsdk.cn". This would be using the UNICODE symbol for mathematical division that looks like a forward slash. It looks like a capitalone.com domain even though you're going through some scammer site. Marlinspike talked about this exact attack at Blackhat 09.

Re:Not nothing.

[postbigbang]

You find it amusing. I find it reason to sack your sorry ass.

Security is a chain of referential components designed (and hacked at constantly) in the attempt to ensure safety. Civilians don't know a bad certificate from a live hand grenade, and both can blow up in their face. Security is a state of mind-- if you have one. Lotsa people don't and rely on cogent web developers for their safety.

Re:Not nothing.

Also, lets not forget that a while back some children hacked into Comcast's DNS registrar with nothing more than an unsophisticated Social Engineering ploy.

If the capitalone domain registration ever became compromised, 'hijackeddomain.capitalone.com' would have the same 'root' domain as capitalone.com, but could be pointed at a hackers server in timbuktu.

Just because the domain is 'capitalone.com' does not necessarily mean that everything set up with a vanity off of it is hosted, owned, or operated by capitalone (or more importantly; that they're not owned and operated by someone who possesses malicious intent, be it a disgruntled capitalone employee or otherwise).

Last, the aforementioned domain registration social engineering end-around could theoretically be pulled to obtain a legitimate SSL Certificate. Maybe not specifically by targeting Verisign (at least, not as easily as other companies, I'd venture a guess), but any number of the other more generic and less valuable companies like GeoTrust are all plausible to target with this sort of ploy.

Re:Not nothing.

[tkw954]

Dude, post your login details and I'll check it out for you.

My login details are username:tkw954 password:*********

Hey that's weird. Slashdot must automatically replace your pw with stars.

Re:Not nothing.

[Daimanta]

You can hunter2 my hunter2ing hunter2. You can't see hunter2!

Re:Not nothing.

[encoderer]

There's a quadrillion dollars in Derivatives. (That's not a hyperbole).

Many large banks hold over a trillion dollars in Credit Default Swaps.

All CDS contracts have a universal default provision.

As much as it pains us all, these banks really are too big to fail. That needs to be fixed. We simply cannot have corporations that are so essential that we taxpayers must "insure" them. But that's tomorrow's fight. Today we just need to survive.

Re:Not nothing.

[GoRK]

No CA is (currently) issuing wildcard EV certs. I personally understand the convenience of the wildcard cert, but I do also accept and support the practice of disallowing wildcards in high security applications.

EV certificates are available with multiple Subject Alternative Names, though so the whole "dropped www." or a couple of virtual shouldn't be a big deal if things are done correctly. Unfortunately they aren't and some sites (paypal) that are using EV SSL certs don't even bother with this simple feature.

The correct failsafe implementation which will always result in a no-prompt situation is to ensure that you only deploy EV certificates on an IP addresses that have only one DNS name. You then deploy a frontend redirection server on a second IP using a wildcard SSL cert that occupies the alternative dns names for the namespace of the original app. This server will pass cert checks more easily and then redirect to the EV server with its specific dns name which will then show the green bar. Any existing deep links to the application on an incorrect DNS name will be handled correctly and any direct references will work in the future. There are of course implications for securing said redirection proxy, but they aren't really that hard to overcome.

Re:Not nothing.

[Eric+in+SF]

Everyone is saying this and it really does make sense. Except. I don't trust the American system to fix this once the "sky is falling" danger is passed. I really don't.

Re:Not nothing.

[TheNarrator]

The funny thing is is that people think the guys getting screwed are the homeowners who got to live in a home they never would have been able to afford in normal times.

The people who got screwed are all the foreigners that bought these assets thinking their money was safe AAA rated stuff. Now they are being told that they bought a bunch of worthless garbage.

The real problem now is that they have caused an incalculable amount of damage to the reputation of our financial system as being a safe place to invest money. The government has to bail all these people out to show that they will stand behind all these too big to fail crooks and make good on their lies in order to maintain confidence.

No

[Romancer]

It's all a scam and we're all laughing at you. While spending your money. Thanks for the good times.

Answers

[girlintraining]

Hello, IT, have you tried turning it off and back on again?
Ah... another tech support call. Sure, what's the problem?

Are the certificates a mismatch or is my browser bellyaching for nothing?

Yes. And maybe yes too.

Is the certificate mismatch a security hazard?

Common sense would suggest it wouldn't be in a big popup dialog labeled "WARNING" if it wasn't.

If someone poisoned my local DNS routers would it be obvious in the URL?

No.

How would I prevent such a thing?

Stop clicking "Okay" or "Yes" to every security warning you don't understand.

If everything was working correctly, would the certificate alert me to DNS poisoning, or is this just cosmetic security?

If the certificate isn't properly signed, a warning like the one you were presented with should throw a dialog box in the web browser.

It's not like they're the only bank, you know

[RobertB-DC]

Seriously, there's a bank on every corner. Unless you have some compelling reason to stay with Capital One, open an account elsewhere. You don't even have to close your Capital One account -- save it as a backup.

That's what I did when Bank of Texas (aka Bank of Oklahoma) added so-called "security questions". The first time I failed at answering "What was your first pet's favorite food?" (or something similarly stupid), I changed my direct deposit to put $1 a paycheck there, and move the rest to an account at a financial institution with a better understanding of Internet security.

Speaking of financial institutions, why are you still banking at a for-profit (ha!) institution, anyway? I've got one credit union that doesn't charge an overlimit fee on my credit card, and another that's paying over 4% interest on my checking account. Why can they do that? Because they didn't take stupid risks 10 years ago. I should know -- they wouldn't give me a home loan. The bank that did was first in line for a taxpayer bailout.

Re:Looks fine to me

[canuck08]

Seconded. The certificate is correct.
I don't know what that verisign link is all about but it is useless.
You certainly cannot trust information within a web page to verify the identity of the server.

Click on the the little 'lock' icon on the bottom right corner of your browser to inspect the certificate.

A few things about SSL

[einhverfr]

The first thing to note is that SSL covers the host-to-host connection and is ignorant of higher-level protocols. There are a couple of things which can cause SSL mismatches:

1) SSL cert is set up to one hostname that the machine services, but site is on another. The SSL negotiation happens prior to the host headers being processed. This could be solved by browser controls (i.e. do a rDNS lookup on the cert's host and make sure it matches the IP you are connecting to), but this ends up causing other, more serious issues, because different sites on the same server could be controlled by different parties. Hence if you have a shopping cart, I could re-use your cert on my shared site on the same box, spoof your page, and steel credit card numbers. So the browser behavior is correct.

2) The SSL cert could have been accidently re-used (unlikely).

My general rule is that if the hostname's TLD matches with the cert (capitalone.com), but the most host-specific portion does not (servicing vs online banking), this is reasonably (though not completely) safe to ignore. Revoked certs should ALWAYS be treated with suspicion because you don't know why it was revoked. Expired certs.... Well, it depends. There are other things that can cause certs to be improperly shown as expired so that demands more careful consideration.

Re:Looks fine to me

[JWSmythe]

    Exactly. They were stupid. They gave a server an alias, and didn't realize that it will throw an error to the clients. It probably worked fine in their dev environment though, where they probably accepted the wrong cert and saved the exception because they got tired of clicking the link. :)

    Being that he ignored the error, didn't view the cert to see what it was really assigned for (and continued on to give his login information), it proves that most users don't really care, and will provide their security credentials regardless if they've been warned that there is a problem or not. The cert could have been for bad_haxor_inc.ru, but since he didn't look, he doesn't know.

    We have to assume that it's a mixup with the servicing.capitalone.com and onlinebanking.capitalone.com hosts, but we don't know.

    Why didn't they just buy a wildcard cert? They're so much easier to work with. :)

Pure genius! Say the quiet part loud!

[synthesizerpatel]

This reminds me of an story. A friend and I were moving a heavy couch and at an inopportune time he got flustered and said 'Hold on, we need to put this down and take a break'. We did, finished moving it later and that was that.

About 6 months later out of the blue he explained to me that he had to put the couch down because the apparently strained a bit too hard and pooped his pants.

I have no idea why he told me, much less told me 6 months later. He was kind of a weird guy.

The moral of this story is:

If you do something embarassing or stupid and privately get away with it, don't tell anyone.

Doesn't surprise me...

[Jason+Levine]

An ID Thief opened a Capital One account in my name. They had my name, address, SSN, and DOB, but got my mother's maiden name wrong. Capital One approved the card anyway. Then, when the thief immediately changed the address (from mine to another address), before even activating the card, it didn't raise any red flags in their systems. Then, when the thief tried to get a $5,000 cash advance on the card (still not activated), it didn't raise any red flags in their systems (though they denied the advance). Then, when I called them, they refused to give me any information on the theory that I could "go and shoot the guy and they would be liable." Instead, I had to have a police officer call a special "cops number." The police officer called that number and got a recording which apparently no one ever returned phone calls from. At every step of the way, Capital One seemed to be going out of its way to protect itself *from* me and my ID Theft investigation instead of caring about the fact that it was an accessory to ID theft. Needless to say, I won't ever do business with Capital One again.

Re:Doesn't surprise me...

[RobertB-DC]

I was going to reply with my own tales of Capital One woe, the $500 credit line with the $50 overlimit fees, the annual fee they charged after I cancelled, the continuing flood of "offers" (with worse and worse fine print). But I can't, because I'm laughing too hard at the banner ad at the top of the page.

Capital One® Credit Cards
Competitive Rates. More Rewards. Apply Now for No Hassle Cards.
www.CapitalOne.com

I've run-not-walked from Capital One ever since my one and only experience with them, and if this situation (and their bannermania) is any indication, everyone else should too.

Banks? Seriously?

[NineNine]

I don't really understand why any individual with regular "banking" needs would use a bank today. Credit unions are non-profit, and generally, because of their structure, are run much better than banks are. My credit union has been impacted 0% by this banking mess stuff. I'm earning 4% on my PERSONAL CHECKING account, and not paying any fees. I also have all of my business accounts, and my mortgage with my local credit union.

Credit Unions: Like banks, but cheaper, non-profit, less corrupt, no over-paid executives, and not out to screw you over.

Re:Subdomain certs

[kyouteki]

Due to security concerns (just like the OP is expressing,) you can't get a Wildcard EV certificate.

Re:Complaining is kind of pointless.

[irotsoma]

WARNING: RANT...

I hate to say it, but I agree that you'll never get anything fixed by a call center. I've worked in call centers and the people who work there generally have no way to speak to anyone who can fix a problem, even in a "tech support" call center. Also, since they either get paid per call, or at least get docked pay if they aren't actively answering incoming calls, then they have no incentive to fix anything. In fact, they have a big disincentive against fixing anything since it will take away from their pay check and they likely hate the company too much to do it on their own time.

Also, I've been on the other side doing development and it's a similar problem there. It's very easy to make a simple typo or other mistake and never know the difference. No one in the call center ever tells you that the customer is having a problem, so you don't know that something needs to be fixed. So even though it might be a 1 minute fix for you, you'll never know that it needs to be done. There was a bug in this one software that had been there for 3 years, and the workarounds were even in the documentation to train new call center employees. Once a developer finally got it, it took seconds to fix. The customers suffered for 3 years for a few seconds of someone's time. Now I realize you can't fix every bug, all the time, but if the right people don't know about it, then it will never get fixed.

The real problem, IMHO, is that large companies treat their support/customer service departments like they are a drain on the company rather than a way to increase your reputation, thus outsourcing, low pay, strict rules, etc.

Because of this I prefer to do business with smaller companies or, even better, in person. If you're a "real person" standing in line at a bank, the teller is more likely to fix a problem than if you're just a number on a screen and a squeaky voice on a phone. But in-person is so inconvenient in this world of constant multitasking.

Re:Right conclusion, wrong procedure

[geekoid]

"You deserve to have your account cleaned out for reckless disregard for the security of your financial information. "

no no NO. No one deserves that, stop pandering the insurance companies line.

If you car is not locked, you don't deserve to have it robber, if you leave a window to your house, you do not deserve to be robbed. if you windows are easily breakable, you do not deserve to be robbed. If you were a short skirt, you do not deserve to be raped.
You deserve to live in a world where you don't have to lock everything.

There's something very wrong here.

[Animats]

Something strange is going on here. Capital One's main site returns a certificate for the correct domain, but the certificate is invalid. This isn't a wrong-domain issue; the cert is bad. CN="www.capitalone.com", the dates are valid, the issuer is Verisign, but it won't validate in Firefox. Our own system, SiteTruth, which uses OpenSSL, also indicates it's no good. But neither Firefox nor OpenSSL is producing a useful error message. It looks like this certificate is either corrupted or bogus.

The location ("L") in the cert is Glen Allen, VA. Capital One has a facility in Glen Allen, according to Google, and it looks like a huge warehouse. So that's probably their data center, at 4871 Cox Rd, Glen Allen, VA - (804) 270-4104.

A traceroute ends at "capitalone-gw.customer.alter.net", which doesn't mean much one way or the other.

Their stock has dropped from 55 to 12 since September 2008. If you have any money in there above the FDIC insurance limits, get it out now..

Re:Eh ?

[Beardo+the+Bearded]

Capital One IT staff: "Oh shit, we're on /."

2nd C1 IT staff: "Oh fuck. I'll bet it's the certificate."

*phone rings*

"Oh shit, it's the CTO's number."

CTO: "Why the fuck are we on slashdot's front page?"

And presto, Capital One's certificates have been fixed.