Making Sense of Mismatched Certificates?
Ropati writes "I bank with capitalone.com. Recently I went to log in to my credit card account, and my browser reported that the site certificate didn't match the web site I was on. [Expletive.] I'm wondering if I am getting a poisoned DNS URL. I have to log in and do my banking, so I accept the mismatched certificate. The banking site is complete, my transactions are listed but that doesn't mean there isn't a man in the middle attack here. I am still curious how much I have exposed my banking assets." Read on for more, and offer advice on how to interpret what sounds like a flaky response from the bank.
Ropati continues "On the Capital One login page, there is a Verisign link on the page to check that the website is supposed to match. So I click on the verification icon and I am rewarded with a link to Verisign. They report that this web site certificate is for onlinebanking.capitalone.com, not the servicing.capitalone.com where I log in. Is this the mismatch my browser reported? I know nothing about certificates.
I call Capital One and ask them to fix the problem. If this was a browser issue on my part, then the Verisign link should match. The tech support supervisor, Joe — XRT413, said he couldn't do anything about it and he couldn't escalate the problem to someone who could.
So my questions are: Are the certificates a mismatch or is my browser bellyaching for nothing? Is the certificate mismatch a security hazard? If someone poisoned my local DNS routers would it be obvious in the URL? How would I prevent such a thing? If everything was working correctly, would the certificate alert me to DNS poisoning, or is this just cosmetic security?"
Not nothing. (Score:5, Informative)
This is a misconfiguration on their end. EV certificates, the ones that turn your address bar green and coax turtles into doing happy dances, are really expensive. It's my guess that they've either reused a certificate on another system, or one of their developers made a mistake in how the site and server cluster is configured. It's certainly something to complain about.
If you're ever in doubt about the validity of the certificate or security of a transaction, however, DON'T DO IT! This goes for standing at an ATM in a shady neighborhood or doing business online.
Answers (Score:5, Informative)
Hello, IT, have you tried turning it off and back on again?
Ah... another tech support call. Sure, what's the problem?
Are the certificates a mismatch or is my browser bellyaching for nothing?
Yes. And maybe yes too.
Is the certificate mismatch a security hazard?
Common sense would suggest it wouldn't be in a big popup dialog labeled "WARNING" if it wasn't.
If someone poisoned my local DNS routers would it be obvious in the URL?
No.
How would I prevent such a thing?
Stop clicking "Okay" or "Yes" to every security warning you don't understand.
If everything was working correctly, would the certificate alert me to DNS poisoning, or is this just cosmetic security?
If the certificate isn't properly signed, a warning like the one you were presented with should throw a dialog box in the web browser.
Re:Not nothing. (Score:1, Informative)
I find that I often type domain.com in instead of www.domain.com. SSL certs are often registered to https://www.domain.com and I'm at https://domain.com which gives a mis-match. Going to https://www.domain.com fixes it.
Re:Looks fine to me (Score:5, Informative)
Seconded. The certificate is correct.
I don't know what that verisign link is all about but it is useless.
You certainly cannot trust information within a web page to verify the identity of the server.
Click on the little 'lock' icon on the bottom right corner of your browser to inspect the certificate.
Re:Not nothing. (Score:5, Informative)
Well, it's good to worry any time there is a mismatch. It can be easy to fake legitimate-looking URLs using UNICODE characters and such.
Consider something that looks like:
https://onlinebanking.capitalone.com/login/.tsdk.cn?login
The whole first part could be the host name: "onlinebanking.capitalone.com/login/" and the domain is actually "tsdk.cn". This would be using the UNICODE symbol for mathematical division that looks like a forward slash. It looks like a capitalone.com domain even though you're going through some scammer site. Marlinspike talked about this exact attack at Blackhat 09.
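A defender's check for the look-alike URL described above, added here as an example (not code from the thread or from Capital One): it parses the URL the way a client does, reports the host that would actually be contacted, and flags any non-ASCII character in that host. The URL is the one quoted above, with U+2215 DIVISION SLASH as the look-alike separator; reducing "registrable domain" to the last two labels is a simplification assumed for the example (real code consults the Public Suffix List).

```python
from urllib.parse import urlsplit
import unicodedata

def inspect_url(url):
    """Return the real host of a URL and any non-ASCII (look-alike) characters in it."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # everything before the first '/', '?' or '#'
    # Any non-ASCII character inside a hostname deserves a second look;
    # report it with its Unicode name so the reader can see what it really is.
    suspicious = [(c, unicodedata.name(c, "?")) for c in host if not c.isascii()]
    labels = host.split(".")
    return {
        "host": host,
        # Assumption: last two labels approximate the registrable domain.
        "registrable_domain": ".".join(labels[-2:]),
        "non_ascii": suspicious,
        "looks_safe": not suspicious,
    }

if __name__ == "__main__":
    # Constructed inputs: an honest login URL and the look-alike from the thread.
    honest = "https://onlinebanking.capitalone.com/login/?login"
    lookalike = "https://onlinebanking.capitalone.com\u2215login\u2215.tsdk.cn?login"
    for u in (honest, lookalike):
        r = inspect_url(u)
        verdict = "ok" if r["looks_safe"] else "SUSPICIOUS"
        print(f"{r['host']} -> domain {r['registrable_domain']}: {verdict} {r['non_ascii']}")
```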
Doesn't surprise me... (Score:5, Informative)
An ID Thief opened a Capital One account in my name. They had my name, address, SSN, and DOB, but got my mother's maiden name wrong. Capital One approved the card anyway. Then, when the thief immediately changed the address (from mine to another address), before even activating the card, it didn't raise any red flags in their systems. Then, when the thief tried to get a $5,000 cash advance on the card (still not activated), it didn't raise any red flags in their systems (though they denied the advance). Then, when I called them, they refused to give me any information on the theory that I could "go and shoot the guy and they would be liable." Instead, I had to have a police officer call a special "cops number." The police officer called that number and got a recording which apparently no one ever returned phone calls from. At every step of the way, Capital One seemed to be going out of its way to protect itself *from* me and my ID Theft investigation instead of caring about the fact that it was an accessory to ID theft. Needless to say, I won't ever do business with Capital One again.
Re:A few things about SSL (Score:3, Informative)
SSL cert is set up to one hostname
The parent is for all intensive purposes is correct. Class 3 SSL certificates are assigned to a common name (foo.com). Unless the certificate contains a wild-card, it will not work for bar.foo.com. It will however work for foo.com/bar.
It sounds like the bank in question has a Class 3 for CN=bank.com and their webapp is located at online.bank.com. The browser caught the mismatch and throws a warning.
Please alert the webmaster of the institution with a full description of the error. It's easy to resolve on their end (they have to gen a new csr and order a new certificate).
BBH
Right conclusion, wrong procedure (Score:3, Informative)
OK, your bank screwed the pooch and you should complain - LOUDLY - until it's fixed. You should also look for a bank that understands basic internet/web concepts like "SSL cert's CN must match DNS hostname" -- I fear for the rest of their infrastructure.
That said, you were logging into your bank, which presumably holds a large percentage of your cash assets, you received a SSL error and you continued the transaction?
You deserve to have your account cleaned out for reckless disregard for the security of your financial information. Go to a brick-and-mortar bank, or call them on the telephone (*gasp*) if your banking is so urgent.
Re:A few things about SSL (Score:1, Informative)
The parent is for all intensive purposes is correct.
The phrase is intents and purposes. What the hell would an "intensive purpose" be?
Re:Doesn't surprise me... (Score:5, Informative)
I was going to reply with my own tales of Capital One woe, the $500 credit line with the $50 overlimit fees, the annual fee they charged after I cancelled, the continuing flood of "offers" (with worse and worse fine print). But I can't, because I'm laughing too hard at the banner ad at the top of the page.
I've run-not-walked from Capital One ever since my one and only experience with them, and if this situation (and their bannermania) is any indication, everyone else should too.
Re:Looks fine to me (Score:4, Informative)
Similar thing happens whenever I try to log into my virginmobile account. https://virginmobileusa.com/ has a certificate for www.virginmobileusa.com
Re:Not nothing. (Score:5, Informative)
No CA is (currently) issuing wildcard EV certs. I personally understand the convenience of the wildcard cert, but I do also accept and support the practice of disallowing wildcards in high security applications.
EV certificates are available with multiple Subject Alternative Names, though so the whole "dropped www." or a couple of virtual shouldn't be a big deal if things are done correctly. Unfortunately they aren't and some sites (paypal) that are using EV SSL certs don't even bother with this simple feature.
The correct failsafe implementation which will always result in a no-prompt situation is to ensure that you only deploy EV certificates on IP addresses that have only one DNS name. You then deploy a frontend redirection server on a second IP using a wildcard SSL cert that occupies the alternative DNS names for the namespace of the original app. This server will pass cert checks more easily and then redirect to the EV server with its specific DNS name, which will then show the green bar. Any existing deep links to the application on an incorrect DNS name will be handled correctly and any direct references will work in the future. There are of course implications for securing said redirection proxy, but they aren't really that hard to overcome.
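The name-matching rule behind the mismatch warning discussed in the two comments above (one host per certificate unless it carries Subject Alternative Names or a wildcard), as an added example that is not code from the thread: it implements RFC 6125 matching, where the host is compared against the certificate's dNSName SANs (the CN is only a fallback), comparison is case-insensitive, a wildcard may stand only for the whole leftmost label, and the URL path plays no part. The example.com names are constructed; the capitalone.com names are the ones from the question.

```python
def _name_matches(pattern, host):
    """Match one certificate name ('x' or '*.x') against a hostname."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    # '*.example.com' covers 'a.example.com' but neither 'example.com'
    # itself nor 'a.b.example.com' (the wildcard is one label only).
    suffix = pattern[1:]                      # '.example.com'
    if not host.endswith(suffix):
        return False
    leftmost = host[:-len(suffix)]
    return bool(leftmost) and "." not in leftmost

def cert_covers_host(cn, sans, host):
    """True if the certificate's SAN list (or, lacking SANs, its CN) covers host."""
    names = sans if sans else [cn]
    return any(_name_matches(n, host) for n in names)

def verdict(cn, sans, host):
    return f"{host}: {'OK' if cert_covers_host(cn, sans, host) else 'MISMATCH, browser warns'}"

if __name__ == "__main__":
    # The situation in the question: one name on the cert, another in the address bar.
    single = ("onlinebanking.capitalone.com", [])
    print(verdict(*single, "onlinebanking.capitalone.com"))
    print(verdict(*single, "servicing.capitalone.com"))
    # The dropped-www case, solved with a SAN list (constructed names).
    multi = ("www.example.com", ["www.example.com", "example.com"])
    print(verdict(*multi, "example.com"))
    # A wildcard covers exactly one extra label.
    wild = ("*.example.com", ["*.example.com"])
    print(verdict(*wild, "servicing.example.com"))
    print(verdict(*wild, "example.com"))
    print(verdict(*wild, "a.b.example.com"))
```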
There's something very wrong here. (Score:5, Informative)
Something strange is going on here. Capital One's main site returns a certificate for the correct domain, but the certificate is invalid. This isn't a wrong-domain issue; the cert is bad. CN="www.capitalone.com", the dates are valid, the issuer is Verisign, but it won't validate in Firefox. Our own system, SiteTruth, which uses OpenSSL, also indicates it's no good. But neither Firefox nor OpenSSL is producing a useful error message. It looks like this certificate is either corrupted or bogus.
The location ("L") in the cert is Glen Allen, VA. Capital One has a facility in Glen Allen, according to Google, and it looks like a huge warehouse. So that's probably their data center, at 4871 Cox Rd, Glen Allen, VA - (804) 270-4104.
A traceroute ends at "capitalone-gw.customer.alter.net", which doesn't mean much one way or the other.
Their stock has dropped from 55 to 12 since September 2008. If you have any money in there above the FDIC insurance limits, get it out now.
capitalonevacuum (Score:1, Informative)
capitalone sucks.
i have been paying down a credit card- from 13,000 to 8,000 last year. now they want to raise my rate to 30%. what have i done? paid on time, NOT CHARGED ANYTHING IN TWO YEARS, and they call and threaten that if i don't accept the 30% rate i won't be able to charge on that card. ARE THEY EVEN LOOKING AT MY RECORDS?
stupid, stupid company. i will pay them off completely soon (next month) and NEVER do any business with them again.
IE 8 does! (Score:3, Informative)
It looks to me as though IE 8 does just this. The matched part of the url is in a bolder face than the rest of the address. Cool!
Re:Here's an idea (Score:3, Informative)
Great for phishing sites, totally useless for man-in-the-middle attacks.
Electronic Banking is Regulated: COMPLAIN (Score:3, Informative)
Electronic banking is heavily regulated. If you feel your concerns are being taken seriously by the bank you need to head on over to the Federal Reserve's website and file a complaint. The Federal Reserve will forward the complaint to the correct regulating facility and banks will respond or be fined.
http://www.federalreserveconsumerhelp.gov/
Re:Not nothing. (Score:3, Informative)
Insuring them may present no tangible benefits to you, but letting them fail is certainly going to present tangible harm. Example: When Lehman Brothers failed unexpectedly, many money market funds were adversely affected. These funds then sold their other assets into the corporate bond market, flooding it and essentially shutting it down. Because the market was shut down, many large corporations were faced with the probability of not being able to make payroll, as they were unable to get cash from their primary source of short term loans. Such an event would have undoubtedly affected thousands (perhaps millions) if the Federal Reserve had not stepped in and purchased mass quantities of commercial bonds to restore order.
I agree that it would be best if the present situation had not arisen, and if regulators had put in more stringent controls ahead of time. However, as the grandparent poster points out, letting the current system of banks and financial institutions fail rapidly and messily would cause more harm than good. We need to insure these banks on a temporary basis while we wind down their obligations and ensure that other parties will not be unduly harmed by their failures. Then we let them fail, when their failure can cause no harm to the rest of us.
Re:Here's an idea (Score:2, Informative)
If you suspect you're visiting a phishing site, try first entering the WRONG password. Since the phishing site shouldn't know your true password, it will just accept the incorrect one and store it away for the purpose of dastardly use later on. If the site rejects the incorrect password, then accepts the true one, you know you're OK. Right?
Though the above may work in a phishing website, it's absolutely worthless in a true MITM scheme. Recall that the MITM is forwarding *your* input to the *true* website, and will give you the same results as if you had entered them yourself.