Making Sense of Mismatched Certificates? 322
Ropati writes "I bank with capitalone.com. Recently I went to log in to my credit card account, and my browser reported that the site certificate didn't match the web site I was on. [Expletive.] I'm wondering if I am getting a poisoned DNS URL. I have to log in and do my banking, so I accept the mismatched certificate. The banking site is complete, my transactions are listed but that doesn't mean there isn't a man in the middle attack here. I am still curious how much I have exposed my banking assets." Read on for more, and offer advice on how to interpret what sounds like a flaky response from the bank.
Ropati continues "On the Capital One login page, there is a Verisign link on the page to check that the website is suppose to match. So I click on the verification icon and I am rewarded with a link to Verisign. They report that this web site certificate is for onlinebanking.capitalone.com not the servicing.capitalone.com where I log in. Is this the mismatch my browser reported. I know nothing about certificates.
I call Capital One and ask them to fix the problem. If this was a browser issue on my part, then the Verisign link should match. The tech support supervisor, Joe — XRT413, said he couldn't do anything about it and he couldn't escalate the problem to someone who could.
So my questions are: Are the certificates a mismatch or is my browser bellyaching for nothing? Is the certificate mismatch a security hazard? If someone poisoned my local DNS routers would it be obvious in the URL? How would I prevent such a thing? If everything was working correctly, would the certificate alert me to DNS poisoning, or is this just cosmetic security?"
No (Score:5, Funny)
It's all a scam and we're all laughing at you. While spending your money. Thanks for the good times.
Re:Not nothing. (Score:5, Funny)
Dude, post your login details and I'll check it out for you.
Pure genius! Say the quiet part loud! (Score:5, Funny)
This reminds me of an story. A friend and I were moving a heavy couch and at an inopportune time he got flustered and said 'Hold on, we need to put this down and take a break'. We did, finished moving it later and that was that.
About 6 months later out of the blue he explained to me that he had to put the couch down because the apparently strained a bit too hard and pooped his pants.
I have no idea why he told me, much less told me 6 months later. He was kind of a weird guy.
The moral of this story is:
If you do something embarassing or stupid and privately get away with it, don't tell anyone.
significant spaces (Score:4, Funny)
What is "Cap It Alone"?
Doesn't sound like a website I'd entrust my financial information to...
Re:Not nothing. (Score:0, Funny)
Here they are:
IP: 127.0.0.1
User: Trollfag
Pass: ILikeBigDicksAndILikeEmHard
Re:Not nothing. (Score:3, Funny)
No no no, at godaddy they're only 29.95!!!! Only the highest quality stuff for the bank!
Re:Not nothing. (Score:3, Funny)
Re:Not nothing. (Score:5, Funny)
My login details are username:tkw954 password:*********
Hey that's weird. Slashdot must automatically replace your pw with stars.
Re:Not nothing. (Score:5, Funny)
You can hunter2 my hunter2ing hunter2. You can't see hunter2!
Re:Not nothing. (Score:1, Funny)
Consider something that looks like like:
https://onlinebanking.capitalone.com/login/.tsdk.cn?login [capitalone.com]
The whole first part could be the host name: "onlinebanking.capitalone.com/login/" and the domain is actually "tsdk.cn". This would be using the UNICODE symbol for mathematical division that looks like a forward slash
Which is why everyone should only use english with 7-bit ascii on the internets. Security is much better for everyone!
capitalone.com (Score:3, Funny)
Re:Not nothing. (Score:4, Funny)
That's odd, it shows a different number of stars than your password really is. Guess that's to avoid giving even its length away. Clever!