Making Sense of Mismatched Certificates?

Ropati writes "I bank with capitalone.com. Recently I went to log in to my credit card account, and my browser reported that the site certificate didn't match the web site I was on. [Expletive.] I'm wondering if I am getting a poisoned DNS URL. I have to log in and do my banking, so I accept the mismatched certificate. The banking site is complete, my transactions are listed but that doesn't mean there isn't a man in the middle attack here. I am still curious how much I have exposed my banking assets." Read on for more, and offer advice on how to interpret what sounds like a flaky response from the bank.


Ropati continues "On the Capital One login page, there is a Verisign link on the page to check that the website is supposed to match. So I click on the verification icon and I am rewarded with a link to Verisign. They report that this web site certificate is for onlinebanking.capitalone.com not the servicing.capitalone.com where I log in. Is this the mismatch my browser reported? I know nothing about certificates.

I call Capital One and ask them to fix the problem. If this was a browser issue on my part, then the Verisign link should match. The tech support supervisor, Joe — XRT413, said he couldn't do anything about it and he couldn't escalate the problem to someone who could.

So my questions are: Are the certificates a mismatch or is my browser bellyaching for nothing? Is the certificate mismatch a security hazard? If someone poisoned my local DNS routers would it be obvious in the URL? How would I prevent such a thing? If everything was working correctly, would the certificate alert me to DNS poisoning, or is this just cosmetic security?"
  • Doh! (Score:1, Insightful)

    by Anonymous Coward on Thursday March 19, 2009 @03:58PM (#27260683)

    I am still curious how much I have exposed my banking assets

    Seeing you logged in correctly, everything.

  • Re:Not nothing. (Score:5, Insightful)

    by badasscat ( 563442 ) <basscadet75@@@yahoo...com> on Thursday March 19, 2009 @04:01PM (#27260721)

    Well, but both certificates were for capitalone.com subdomains. In this case, I wouldn't worry too much about it. I'd complain, but it's more of an annoyance than a security risk.

    I'd worry a lot more if one certificate was for capitalone.com and the other for capone.com or capitolone.com or capital1.com or something like that. Then you've got a problem.

  • by RobertB-DC ( 622190 ) * on Thursday March 19, 2009 @04:03PM (#27260755) Homepage Journal

    Seriously, there's a bank on every corner. Unless you have some compelling reason to stay with Capital One, open an account elsewhere. You don't even have to close your Capital One account -- save it as a backup.

    That's what I did when Bank of Texas (aka Bank of Oklahoma) added so-called "security questions". The first time I failed at answering "What was your first pet's favorite food?" (or something similarly stupid), I changed my direct deposit to put $1 a paycheck there, and move the rest to an account at a financial institution with a better understanding of Internet security.

    Speaking of financial institutions, why are you still banking at a for-profit (ha!) institution, anyway? I've got one credit union that doesn't charge an overlimit fee on my credit card, and another that's paying over 4% interest on my checking account. Why can they do that? Because they didn't take stupid risks 10 years ago. I should know -- they wouldn't give me a home loan. The bank that did was first in line for a taxpayer bailout [cbsnews.com].

  • Re:Not nothing. (Score:3, Insightful)

    by Anonymous Coward on Thursday March 19, 2009 @04:07PM (#27260805)

    I don't know why anyone has their money in large banks anymore. Move it to a local credit union and let those large bank fuckers die out. "Too big to fail" my ass. They haven't been paying FDIC for the last 10 years since "it wasn't necessary".

  • Re:Not nothing. (Score:5, Insightful)

    by Chyeld ( 713439 ) <chyeld@gma i l . c om> on Thursday March 19, 2009 @04:09PM (#27260827)

    Bitch, don't excuse. The whole point of this exercise was to allow the customer to use the site without putting their info in danger and in a manner that doesn't require having a degree in "teh internets" to get through.

    It should never be the customer's responsibility to bring a magnifying glass to the certificate and manually verify that these were just subdomain mismatches and not some clever capitalone.com vs capitlone.com spelling that means to look correct to someone just scanning the screen. That is a security risk, whether or not it is currently exposing your info, it's training you to expect that sort of problem and to ignore it the same way people ignore the dialog boxes XP and VISTA pop up on errors.

  • Re:Not nothing. (Score:5, Insightful)

    by argiedot ( 1035754 ) on Thursday March 19, 2009 @04:09PM (#27260831) Homepage

    If you're ever in doubt about the validity of the certificate or security of a transaction, however, DON'T DO IT!

    Can't agree more. See this example of a MITM attack. [mozilla.org]

  • Re:Not nothing. (Score:5, Insightful)

    by SatanicPuppy ( 611928 ) * <SatanicpuppyNO@SPAMgmail.com> on Thursday March 19, 2009 @04:09PM (#27260835) Journal

    Yep yep. Buying a new cert for every subdomain is wildly expensive, so these sorts of errors happen reasonably often.

    In a lot of cases the subdomain may be separated from the main domain only for possible load balancing issues, so it's doubly not worth getting a specific cert for a subdomain which may never take off.

    In the end it's a problem because the consumer gets used to accepting bad certs as a matter of course, and that leads to people accepting "capitolone.com" instead of "capitalone.com". Basically the registrars need to be pimp slapped a bit: certificate registration shouldn't cost anywhere near what it does, certificates should be purchasable for whole domains, etc.

  • Re:Not nothing. (Score:5, Insightful)

    by Lord Ender ( 156273 ) on Thursday March 19, 2009 @04:10PM (#27260847) Homepage

    Exactly. When you proceed despite an SSL error, you most likely are falling victim to a screw-up on the bank's end, but you are possibly falling victim to a MITM attack. There is no way for you to know conclusively.

    That's really the end of the discussion.

  • Re:Not nothing. (Score:1, Insightful)

    by Anonymous Coward on Thursday March 19, 2009 @04:16PM (#27260937)

    security is a state of mind.

    And ignorance is bliss

  • by klubar ( 591384 ) on Thursday March 19, 2009 @04:23PM (#27261027) Homepage

    You'll end up in some call center and the agent will have no clue what you're talking about -- they will recommend clearing cookies, restarting the browser (and maybe switch to IE). The message will never get up the food chain. The only real way to get the message is to close your account and switch to a bank that takes security seriously.

  • Re:Not nothing. (Score:3, Insightful)

    by Firehed ( 942385 ) on Thursday March 19, 2009 @04:24PM (#27261045) Homepage

    That also takes about six seconds of the company's time to fix by adding two lines to an .htaccess file. A problem that simple should never require the customer to wonder if their financial data is in harm's way.

  • Re:Answers (Score:3, Insightful)

    by owlstead ( 636356 ) on Thursday March 19, 2009 @04:31PM (#27261127)

    "If the certificate isn't properly signed, a warning like the one you were presented with should throw a dialog box in the web browser."

    *Nothing* from a web site should throw a dialog in a web browser. Dialogs are annoying things that block your entire application. They make it all too easy to create denial of service attacks (just keep throwing dialog boxes). They are also easy to click away by mistake (just hitting enter in an entirely different application seems to do it).

    I love the way FF3 shows you that something is wrong with the certificate. The page is very clear and the user only gets a dialog box after clicking on a button himself. The same with remembering passwords, the bar on the top is much better than a dialog.

    It would be great if FF3 became entirely dialog free. I don't think it is already the case, but they are definitely working on it. The one for extensions is still there, but at least you cannot just click it away since it waits 3 seconds for the Install button to become available.

    IMHO, dialog boxes (especially "modal" ones, the ones you /have/ to click away) are a useful tool, but they are used in way too many occasions.

  • Subdomain certs (Score:3, Insightful)

    by ravenspear ( 756059 ) on Thursday March 19, 2009 @04:35PM (#27261187)
    certificates should be purchasable for whole domains

    They are. You don't have to buy a new cert for every subdomain. If you have a lot of subdomains to secure the best solution is to get a wildcard certificate.
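
Added example (not part of the original thread or any poster's code): the name check a browser applies, run against the two host names from the story and a hypothetical wildcard name `*.capitalone.com`. Function names are illustrative, and the matcher covers plain DNS names only (no IP addresses or internationalized names).

```python
# Added illustration: how a TLS client decides whether a certificate's DNS
# names cover the host in the address bar. Names below come from the story,
# except the wildcard entry, which is hypothetical.

def name_matches(pattern: str, host: str) -> bool:
    """True if one certificate name covers the host name."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False                  # a wildcard stands for exactly one label
    if p[0] == "*":
        # Wildcard only as the whole leftmost label, with at least two fixed
        # labels after it, so a name like "*.com" covers nothing.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h                     # otherwise the names must be identical


def covering_name(cert_names, host):
    """Return the first certificate name that covers host, or None."""
    for name in cert_names:
        if name_matches(name, host):
            return name
    return None


if __name__ == "__main__":
    single = ["onlinebanking.capitalone.com"]      # name Verisign reported
    wildcard = ["*.capitalone.com"]                # hypothetical wildcard cert
    for names, host in [
        (single, "onlinebanking.capitalone.com"),
        (single, "servicing.capitalone.com"),      # the submitter's login host
        (wildcard, "servicing.capitalone.com"),
        (wildcard, "capitalone.com"),              # bare domain: not covered
        (wildcard, "servicing.capitolone.com"),    # look-alike domain
    ]:
        hit = covering_name(names, host)
        print(f"{host:32} vs {names}: {'OK via ' + hit if hit else 'MISMATCH'}")
```

The client sees the same failure for a sibling subdomain and for a look-alike domain, so the check by itself cannot tell a misconfiguration from interception.
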
  • Re:Not nothing. (Score:5, Insightful)

    by postbigbang ( 761081 ) on Thursday March 19, 2009 @04:37PM (#27261221)

    You find it amusing. I find it reason to sack your sorry ass.

    Security is a chain of referential components designed (and hacked at constantly) in the attempt to ensure safety. Civilians don't know a bad certificate from a live hand grenade, and both can blow up in their face. Security is a state of mind-- if you have one. Lotsa people don't and rely on cogent web developers for their safety.

  • by pak9rabid ( 1011935 ) on Thursday March 19, 2009 @04:38PM (#27261245)
    DO NOT continue banking online, and call them to let them know of the problem. Continue banking over the phone or in person (I know..it's a pain in the ass compared to doing it online, but it's nothing compared to having to deal with identity theft).
  • by geekoid ( 135745 ) <dadinportland&yahoo,com> on Thursday March 19, 2009 @05:18PM (#27261783) Homepage Journal

    "You deserve to have your account cleaned out for reckless disregard for the security of your financial information. "

    no no NO. No one deserves that, stop pandering the insurance companies line.

    If your car is not locked, you don't deserve to have it robbed, if you leave a window to your house, you do not deserve to be robbed. if your windows are easily breakable, you do not deserve to be robbed. If you wear a short skirt, you do not deserve to be raped.
    You deserve to live in a world where you don't have to lock everything.

  • Re:Not nothing. (Score:4, Insightful)

    by encoderer ( 1060616 ) on Thursday March 19, 2009 @05:19PM (#27261789)

    There's a quadrillion dollars in Derivatives. (That's not a hyperbole).

    Many large banks hold over a trillion dollars in Credit Default Swaps.

    All CDS contracts have a universal default provision.

    As much as it pains us all, these banks really are too big to fail. That needs to be fixed. We simply cannot have corporations that are so essential that we taxpayers must "insure" them. But that's tomorrow's fight. Today we just need to survive.

  • Re:Not nothing. (Score:3, Insightful)

    by mrcaseyj ( 902945 ) on Thursday March 19, 2009 @05:39PM (#27262043)

    This is why I train new users to look for the domain name at the bottom right of the status bar next to the lock in Firefox, because it's too hard to explain to a beginner how to parse an https URL and the browser takes care of all the tricks in extracting the domain name that you're connecting to.

    Well, it's good to worry any time there is a mismatch. It can be easy to fake legitimate looking URL's using UNICODE characters and such.

    Consider something that looks like:
    https://onlinebanking.capitalone.com/login/.tsdk.cn?login [capitalone.com]

    The whole first part could be the host name: "onlinebanking.capitalone.com/login/" and the domain is actually "tsdk.cn". This would be using the UNICODE symbol for mathematical division that looks like a forward slash. It looks like a capitalone.com domain even though you're going through some scammer site. Marlinspike talked about this exact attack at Blackhat 09.
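
Added example (not the poster's code): a defender-side check that pulls the real host out of a URL like the one described above and flags non-ASCII characters in it. The sample URL is constructed from the comment's description using U+2215 DIVISION SLASH; function names are illustrative, and taking the last two labels as the site is a simplification (production code would consult the Public Suffix List).

```python
import unicodedata

# Constructed samples: the first uses U+2215 where the eye expects "/".
LOOKALIKE = "https://onlinebanking.capitalone.com\u2215login\u2215.tsdk.cn?login"
GENUINE = "https://onlinebanking.capitalone.com/login/?login"


def split_host(url: str) -> str:
    """Host part of an http(s) URL: the text between '://' and the first
    ASCII '/', '?' or '#'. Look-alike characters do not end the host.
    IPv6 literals are not handled."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("http", "https"):
        raise ValueError("not an http(s) URL")
    end = len(rest)
    for delim in "/?#":
        i = rest.find(delim)
        if i != -1:
            end = min(end, i)
    host = rest[:end].rpartition("@")[2]      # drop any userinfo
    return host.partition(":")[0].lower()     # drop any port


def inspect_url(url: str) -> dict:
    """Report the host, its last two labels, and any non-ASCII characters."""
    host = split_host(url)
    labels = [label for label in host.split(".") if label]
    odd = sorted({unicodedata.name(ch, "UNNAMED") for ch in host if ord(ch) > 127})
    return {
        "host": host,
        "site": ".".join(labels[-2:]),        # naive: assumes a one-label suffix
        "non_ascii": odd,                     # flag for review, not proof of abuse
    }


if __name__ == "__main__":
    for url in (GENUINE, LOOKALIKE):
        info = inspect_url(url)
        print(f"site={info['site']:16} non_ascii={info['non_ascii']}  {url}")
```
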

  • Re:Eh ? (Score:5, Insightful)

    by Beardo the Bearded ( 321478 ) on Thursday March 19, 2009 @06:05PM (#27262321)

    Capital One IT staff: "Oh shit, we're on /."

    2nd C1 IT staff: "Oh fuck. I'll bet it's the certificate."

    *phone rings*

    "Oh shit, it's the CTO's number."

    CTO: "Why the fuck are we on slashdot's front page?"

    And presto, Capital One's certificates have been fixed.

  • Re:Not nothing. (Score:4, Insightful)

    by Eric in SF ( 1030856 ) on Thursday March 19, 2009 @06:17PM (#27262479) Homepage
    Everyone is saying this and it really does make sense. Except. I don't trust the American system to fix this once the "sky is falling" danger is passed. I really don't.
  • Re:Not nothing. (Score:2, Insightful)

    by Anonymous Coward on Thursday March 19, 2009 @06:36PM (#27262667)

    As much as it pains us all, these banks really are too big to fail

    These banks really are too big for the system of capital to let them fail, which would underline the innate faults of that system. That we should insure them with no tangible benefit to us is a farce - Let them fail.

  • Re:Not nothing. (Score:2, Insightful)

    by FiniteElementalist ( 1073824 ) on Thursday March 19, 2009 @07:02PM (#27262955)

    Well, one alternative is to take an axe to these derivative contracts, and make it so they are redeemable for their original purchase price (or with a bit of a premium for time cost and whatnot). I thought about this possibility a while back, but it seems to be picking up some steam in more mainstream financial circles (I read an article about it recently in Barron's), and supposedly similar contract alteration was done in response to the Dutch Tulip bubble in the 1600s.

    It might not be a better choice than propping up the banks and waiting it out, but eventually they are going to need to put an end to these things. The deregulated shadow market for them was and is complete madness. It's not all that much dumber than making Ponzi schemes, naked short selling, or insurance fraud legal.

    In any case, if there is a situation where anything approaching the quadrillion or a slightly lesser number of trillions of dollars of the derivatives need to be exercised they will be completely worthless. Worthless either because the system will completely collapse and no one will honor them, or worthless because they will be devalued by hyperinflation. There's not enough money currently in existence to cover those positions, so those are pretty much the options.

  • Re:Subdomain certs (Score:3, Insightful)

    by sgbett ( 739519 ) <slashdot@remailer.org> on Thursday March 19, 2009 @07:06PM (#27262985) Homepage

    It's obscurity 2.0 - Security through poverty.

  • Here's an idea (Score:4, Insightful)

    by bensafrickingenius ( 828123 ) on Thursday March 19, 2009 @08:22PM (#27263631)
    If you suspect you're visiting a phishing site, try first entering the WRONG password. Since the phishing site shouldn't know your true password, it will just accept the incorrect one and store it away for the purpose of dastardly use later on. If the site rejects the incorrect password, then accepts the true one, you know you're OK. Right?
  • Re:Not nothing. (Score:2, Insightful)

    by DamnStupidElf ( 649844 ) <Fingolfin@linuxmail.org> on Thursday March 19, 2009 @08:24PM (#27263647)

    As much as it pains us all, these banks really are too big to fail.

    There's a quadrillion *pretend* dollars in derivatives; that's the entire point. No one owns the money they think they do on paper. It doesn't exist anywhere in any tangible good. It was an IOU written to investors that could never be paid. The economy is actually poorer than most people think. The money you invested is *gone*. It was spent by rich people and people who got overvalued loans on their home and spent the difference, or who sold their shares in stocks before the crash. That's the reality that people need to understand.

    The way to fix it, basically, is massive socialism to carry people through the hard times of losing most of their retirement, their houses, and their jobs. We can move back to a more capitalist system in the future if it ever looks like a good idea.

  • Re:Not nothing. (Score:3, Insightful)

    by bugi ( 8479 ) on Thursday March 19, 2009 @08:42PM (#27263749)

    The way to fix it, basically, is massive socialism to carry people through the hard times of losing most of their retirement, their houses, and their jobs. We can move back to a more capitalist system in the future if it ever looks like a good idea.

    Or simply prosecute for fraud.

    They were providing securities with money they didn't have -- how else but fraud can one interpret that that they never intended to pay out regardless of circumstance?

  • Re:Not nothing. (Score:5, Insightful)

    by TheNarrator ( 200498 ) on Thursday March 19, 2009 @10:07PM (#27264189)

    The funny thing is that people think the guys getting screwed are the homeowners who got to live in a home they never would have been able to afford in normal times.

    The people who got screwed are all the foreigners that bought these assets thinking their money was safe AAA rated stuff. Now they are being told that they bought a bunch of worthless garbage.

    The real problem now is that they have caused an incalculable amount of damage to the reputation of our financial system as being a safe place to invest money. The government has to bail all these people out to show that they will stand behind all these too big to fail crooks and make good on their lies in order to maintain confidence.

  • by ShatteredArm ( 1123533 ) on Thursday March 19, 2009 @10:09PM (#27264203)
    Your comparison between your fire hazard insurance and credit default swaps is weak, at best. For several reasons:

    a) You are a private individual who doesn't have time to do a detailed analysis on your insurance company's balance sheet. A very large bank, on the other hand, should know how to look at AIG's balance sheet and determine how liquid they are. They have people who know and understand finance.
    b) The type of disasters that could cause people to make claims on their fire hazard insurance cannot possibly affect the percentage of the policy holders as the type of disasters that could befall the CDS counterparties. With CDS, it's almost all or nothing, as far as people making claims, since house prices more or less move together.
    c) AIG doesn't care if they have enough capital to cover these defaults. They know they're betting the bank that prices would keep going up; nobody should assume they have enough capital. Again, they need only look at AIG's balance sheet to make that determination.

    The key here is that these banks should've known that there was no way AIG could cover all these CDS. They should've known that if housing prices decline, there would be lots of defaults. CDS became widespread out of stupidity and greed on the part of AIG and their counterparties.
  • Re:Not nothing. (Score:3, Insightful)

    by aynoknman ( 1071612 ) on Thursday March 19, 2009 @11:17PM (#27264585)

    "Too big to fail" my ass.

    There is still hope. They are rapidly becoming small enough to fail.

  • Re:Not nothing. (Score:3, Insightful)

    by NateTech ( 50881 ) on Friday March 20, 2009 @12:26AM (#27264983)

    Actually forbearance and big penalties later -- is another option. That or Nationalization for a temporary period to get investigators in, clean them up, and hand them back to different leadership and shareholders.

    Maybe if the current shareholders take a hit, they'll learn to do proper oversight of the Board of Directors "next time"...

    There's LOTS more options than "failure". The issue right now is in the government being CONSISTENT about how they're going about it. One bank allowed to fail, another propped up with TARP, another propped up with "stimulus"...

    No wonder the market doesn't trust it. No one knows how they're picking the winners and losers, or if it's being done for political gain or they're just really bad at it.

    Bernanke may have figured it out finally. Geithner is completely clueless. We'll see...

  • Re:Not nothing. (Score:3, Insightful)

    by supernova_hq ( 1014429 ) on Friday March 20, 2009 @01:18AM (#27265223)

    Oooh, so close! The parent said "domain.com" not "https://domain.com". Thus you would be entering an http site (by default). Your .htaccess would then redirect to "https://www.domain.com".

    If he typed in "http://domain.com", then yes, you would be correct.

  • Re:Here's an idea (Score:1, Insightful)

    by Anonymous Coward on Friday March 20, 2009 @03:29AM (#27265663)

    Bad advice. The phishing site could just test login to the bank with the username and password you give it to see whether it works. So if a bad password fails that doesn't mean you're ok.

  • Re:Here's an idea (Score:1, Insightful)

    by Anonymous Coward on Friday March 20, 2009 @06:10AM (#27266191)

    Wrong wrong wrong.

    There is nothing to stop the phishing server from holding a connection open to your actual bank and validating the login information you give it.

    If you suspect you're visiting a phishing site, LEAVE.
