unknown certificate authority error with bank site - Security


  1. unknown certificate authority error with bank site

    https://www.myctfs.com (a bank) gives me an "unknown
    certificate authority" error. How serious a problem
    is this? What should I tell the admin in order to get
    the site fixed with as little argument as possible?
    If you have access to a variety of OS+browsers, please
    comment on which report a problem.


  2. Re: unknown certificate authority error with bank site

    On 2007-07-09, tester wrote:
    > https://www.myctfs.com (a bank) gives me an "unknown
    > certificate authority" error. How serious a problem
    > is this? What should I tell the admin in order to get
    > the site fixed with as little argument as possible?
    > If you have access to a variety of OS+browsers, please
    > comment on which report a problem.
    >


    Hmm, they seem to be authenticated by VeriSign's Class 3 CA, which
    under normal circumstances should be "installed" by default in most
    web browsers / operating systems... my guess is that it's probably a
    configuration issue at your end. (Unless somebody is actively
    subjecting you to a man-in-the-middle attack; unlikely, but this is
    the sort of warning you'd expect to see in that case.)

    If it is a configuration issue with your system then I'd expect to
    see similar problems with a bunch of other sites, too. Check your
    web browser to ensure that VeriSign's CAs are installed (in Firefox,
    go to Edit -> Preferences -> Advanced -> Encryption -> View
    Certificates -> Authorities).

    Mark

    --
    Mark Shroyer
    http://markshroyer.com/

  3. Re: unknown certificate authority error with bank site

    > If it is a configuration issue with your system then I'd expect to
    > see similar problems with a bunch of other sites, too.


    I haven't encountered any similar problems, and I've tried myctfs
    while booted to separate systems with different browsers, using
    same ISP connection. Can you suggest some test cases?

    > Check your web browser to ensure that VeriSign's CAs are installed (in
    > Firefox, go to Edit -> Preferences -> Advanced -> Encryption -> View
    > Certificates -> Authorities).


    With Firefox 2.0.0.4 I see 15 items listed under VeriSign, including
    these 3 that match the "class 3" description:

    Class 3 Public Primary Certification Authority | Builtin Object Token
    Class 3 Public Primary Certification Authority - G2 | Builtin Object Token
    Class 3 Public Primary Certification Authority - G3 | Builtin Object Token

  4. Re: unknown certificate authority error with bank site

    I see this same error, with Firefox 2.0.0.4 and its set of certificates
    loaded. I've got a lot of VeriSign certificates, but not that one.
    Since anyone can assert the certificate is from VeriSign, I'd be very
    leery of this one. I wouldn't connect to this site until I had got a
    very believable explanation from someone who knew what was going on.

    --
    Steve


    Mark Shroyer wrote:
    > On 2007-07-09, tester wrote:
    >> https://www.myctfs.com (a bank) gives me an "unknown
    >> certificate authority" error. How serious a problem
    >> is this? What should I tell the admin in order to get
    >> the site fixed with as little argument as possible?
    >> If you have access to a variety of OS+browsers, please
    >> comment on which report a problem.
    >>

    >
    > Hmm, they seem to be authenticated by VeriSign's Class 3 CA, which
    > under normal circumstances should be "installed" by default in most
    > web browsers / operating systems... my guess is that it's probably a
    > configuration issue at your end. (Unless somebody is actively
    > subjecting you to a man-in-the-middle attack; unlikely, but this is
    > the sort of warning you'd expect to see in that case.)
    >
    > If it is a configuration issue with your system then I'd expect to
    > see similar problems with a bunch of other sites, too. Check your
    > web browser to ensure that VeriSign's CAs are installed (in Firefox,
    > go to Edit -> Preferences -> Advanced -> Encryption -> View
    > Certificates -> Authorities).
    >
    > Mark
    >


  5. Re: unknown certificate authority error with bank site

    On 2007-07-09, Steve Sentoff wrote:
    > I see this same error, with Firefox 2.0.0.4 and its set of certificates
    > loaded. I've got a lot of VeriSign certificates, but not that one.
    > Since anyone can assert the certificate is from VeriSign, I'd be very
    > leery of this one. I wouldn't connect to this site until I had got a
    > very believable explanation from someone who knew what was going on.


    I was probably unclear about this point, but what I meant to say is
    that the site's certificate actually checks out as valid with my
    Firefox 2.0.0.4 default CA set. That is, assuming that I can trust
    the CA keys distributed with my copy of Firefox, the site I'm
    personally able to connect to at http://myctfs.com/ (which we can't
    necessarily trust to be the same site you're reaching at that
    address from your side of the network) is authenticated by VeriSign.

    But you're right, of course: if the original poster cannot
    personally verify this site's certificate, he should absolutely stay
    away until the company has given him a clear explanation of what's
    going on. That two people have reported problems verifying this
    site's identity is pretty darn suspicious...

    --
    Mark Shroyer
    http://markshroyer.com/

  6. Re: unknown certificate authority error with bank site

    Mark Shroyer :
    > On 2007-07-09, Steve Sentoff wrote:
    > > I see this same error, with Firefox 2.0.0.4 and its set of certificates
    > > loaded. I've got a lot of VeriSign certificates, but not that one.
    > > Since anyone can assert the certificate is from VeriSign, I'd be very

    >
    > I was probably unclear about this point, but what I meant to say is
    > that the site's certificate actually checks out as valid with my
    > Firefox 2.0.0.4 default CA set. That is, assuming that I can trust
    > the CA keys distributed with my copy of Firefox, the site I'm
    > personally able to connect to at http://myctfs.com/ (which we can't
    > necessarily trust to be the same site you're reaching at that
    > address from your side of the network) is authenticated by VeriSign.
    >
    > But you're right, of course: if the original poster cannot
    > personally verify this site's certificate, he should absolutely stay
    > away until the company has given him a clear explanation of what's
    > going on. That two people have reported problems verifying this
    > site's identity is pretty darn suspicious...


    Three people. FF/Iceweasel 2.0.0.4


    --
    Any technology distinguishable from magic is insufficiently advanced.
    (*) http://www.spots.ab.ca/~keeling Linux Counter #80292
    - - http://www.faqs.org/rfcs/rfc1855.html Please, don't Cc: me.

  7. Re: unknown certificate authority error with bank site

    On 2007-07-09, s. keeling wrote:
    > Mark Shroyer :


    [...]

    >> But you're right, of course: if the original poster cannot
    >> personally verify this site's certificate, he should absolutely stay
    >> away until the company has given him a clear explanation of what's
    >> going on. That two people have reported problems verifying this
    >> site's identity is pretty darn suspicious...

    >
    > Three people. FF/Iceweasel 2.0.0.4


    I just tried again and am now being served the suspect certificate
    as well. I'd be less concerned if they clearly were accidentally
    serving some internal self-signed certificate; however, this cert's
    issuer DN claims that it is from VeriSign, even though it doesn't validate
    as such. So yeah, suspicious.

    --
    Mark Shroyer
    http://markshroyer.com/

  8. Re: unknown certificate authority error with bank site

    On Mon, 9 Jul 2007 10:11:09 +0000 (UTC), tester wrote:
    > https://www.myctfs.com (a bank) gives me an "unknown
    > certificate authority" error. How serious a problem
    > is this? What should I tell the admin in order to get
    > the site fixed with as little argument as possible?
    > If you have access to a variety of OS+browsers, please
    > comment on which report a problem.


    At this web page:

    http://www.verisign.com/support/advi...ge_040611.html

    Verisign explains the (new, as of April 2006) need for an
    "Intermediate CA Certificate", and explains how things will
    malfunction if said certificate is not installed on the
    server. I think this is the problem you report. I think
    www.myctfs.com is not providing the complete "trust chain"
    back to the Verisign Class 3 Public Primary Certification
    Authority that is (presumably) installed in your browser.

    So, most likely, www.myctfs.com has goofed up their certificate
    handling. But you can't be sure, can you?

    --
    To email me, substitute nowhere->spamcop, invalid->net.

  9. Re: unknown certificate authority error with bank site

    Peter Pearson wrote:
    > On Mon, 9 Jul 2007 10:11:09 +0000 (UTC), tester wrote:
    >> https://www.myctfs.com (a bank) gives me an "unknown
    >> certificate authority" error. How serious a problem
    >> is this? What should I tell the admin in order to get
    >> the site fixed with as little argument as possible?
    >> If you have access to a variety of OS+browsers, please
    >> comment on which report a problem.

    >
    > At this web page:
    >
    > http://www.verisign.com/support/advi...ge_040611.html
    >
    > Verisign explains the (new, as of April 2006) need for an
    > "Intermediate CA Certificate", and explains how things will
    > malfunction if said certificate is not installed on the
    > server. I think this is the problem you report. I think
    > www.myctfs.com is not providing the complete "trust chain"
    > back to the Verisign Class 3 Public Primary Certification
    > Authority that is (presumably) installed in your browser.
    >
    > So, most likely, www.myctfs.com has goofed up their certificate
    > handling. But you can't be sure, can you?
    >


    Yes, I've experienced it as well. Usually, it is a misconfigured Apache
    server. Verisign addressed this problem as Peter stated, but it seems
    that many administrators either didn't bother to configure properly, or
    didn't know how. A few months later, it happened to me on my very own
    site ... took me a few days to figure out how to fix it.

    On the other hand, I wouldn't take any chances ... the warning might be
    for another reason.

    Rich

  10. Re: unknown certificate authority error with bank site

    On Mon, 09 Jul 2007 12:29:47 +0000, tester wrote:

    >> If it is a configuration issue with your system then I'd expect to
    >> see similar problems with a bunch of other sites, too.

    >
    > I haven't encountered any similar problems, and I've tried myctfs
    > while booted to separate systems with different browsers, using
    > same ISP connection. Can you suggest some test cases?
    >
    >> Check your web browser to ensure that VeriSign's CAs are installed (in
    >> Firefox, go to Edit -> Preferences -> Advanced -> Encryption -> View
    >> Certificates -> Authorities).

    >
    > With Firefox 2.0.0.4 I see 15 items listed under VeriSign, including
    > these 3 that match the "class 3" description:
    >
    > Class 3 Public Primary Certification Authority | Builtin Object Token
    > Class 3 Public Primary Certification Authority - G2 | Builtin Object Token
    > Class 3 Public Primary Certification Authority - G3 | Builtin Object Token


    Don't know the answer to your specific question. However I think you
    might have already gotten it above. Would point out, am now using Firefox
    version 2.0.0.6, compared to your 2.0.0.4. Do a favor and go to Menu Bar >>
    Help >> Check for Updates. That option is currently unavailable to me
    (greyed out) for reasons unknown to me. There are of course other ways to
    update. I would put it on my own list to check if I were you, or even me.

  11. Re: unknown certificate authority error with bank site

    Mark Shroyer wrote:
    > On 2007-07-09, tester wrote:
    >> https://www.myctfs.com (a bank) gives me an "unknown
    >> certificate authority" error. How serious a problem
    >> is this? What should I tell the admin in order to get
    >> the site fixed with as little argument as possible?
    >> If you have access to a variety of OS+browsers, please
    >> comment on which report a problem.
    >>

    >
    > Hmm, they seem to be authenticated by VeriSign's Class 3 CA, ...
    >
    > If it is a configuration issue with your system then I'd expect to
    > see similar problems with a bunch of other sites, too. ...
    >
    > Mark
    >


    My school just renewed their VeriSign Class 3 web site certificate,
    and it has the same problem:

    https://hccadvisor.hccfl.edu/

    The only thing that struck me as odd was that the CA certificate
    doesn't seem to include the "CN" attribute. Only this
    and a few other VeriSign CA certificates are missing this.
    I thought the CN attribute was required?

    -Wayne

  12. Re: unknown certificate authority error with bank site

    Wayne wrote:
    > Mark Shroyer wrote:
    >> On 2007-07-09, tester wrote:
    >>> https://www.myctfs.com (a bank) gives me an "unknown
    >>> certificate authority" error. How serious a problem
    >>> is this? What should I tell the admin in order to get
    >>> the site fixed with as little argument as possible?
    >>> If you have access to a variety of OS+browsers, please
    >>> comment on which report a problem.
    >>>

    >> Hmm, they seem to be authenticated by VeriSign's Class 3 CA, ...
    >>
    >> If it is a configuration issue with your system then I'd expect to
    >> see similar problems with a bunch of other sites, too. ...
    >>
    >> Mark
    >>

    >
    > My school just renewed their VeriSign Class 3 web site certificate,
    > and it has the same problem:
    >
    > https://hccadvisor.hccfl.edu/
    >
    > The only thing that struck me as odd was that the CA certificate
    > doesn't seem to include the "CN" attribute. Only this
    > and a few other VeriSign CA certificates are missing this.
    > I thought the CN attribute was required?
    >
    > -Wayne


    I decided to live chat with Verisign on this. They checked,
    escalated, checked, and found the problem is the web site
    needs to install an intermediate certificate:
    Jeff S: It appears that the Intermediate CA certificate has not been installed on the web server.
    Jeff S: You will need to obtain the Secure Site Pro Certificate from this page here: http://www.verisign.com/support/veri...-ca/index.html

    -Wayne
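
The failure diagnosed in this thread, reproduced offline as an added example (not code from any poster or from VeriSign): a constructed root, intermediate and site certificate, checked with `openssl verify` first as a server that sends only its own certificate and then as one that also sends the intermediate. All certificate names and the `issue` / `chain_ok` helpers are made up for illustration.

```shell
#!/bin/sh
# Added example. Constructed PKI: root -> intermediate -> leaf; all names made up.
set -eu
dir=$(mktemp -d)
trap 'rm -rf "$dir"' EXIT

cat > "$dir/ext.cnf" <<'EOF'
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
EOF

# issue NAME SUBJECT EXT_SECTION [ISSUER]: write NAME.key and NAME.pem into $dir.
# With no ISSUER the certificate is self-signed (the trust anchor).
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$dir/$1.key" -out "$dir/$1.csr" 2>/dev/null
  if [ -z "${4:-}" ]; then
    openssl x509 -req -in "$dir/$1.csr" -signkey "$dir/$1.key" -days 30 \
      -extfile "$dir/ext.cnf" -extensions "$3" -out "$dir/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$dir/$1.csr" -CA "$dir/$4.pem" -CAkey "$dir/$4.key" \
      -CAcreateserial -days 30 \
      -extfile "$dir/ext.cnf" -extensions "$3" -out "$dir/$1.pem" 2>/dev/null
  fi
}

# chain_ok LEAF [SENT_INTERMEDIATES]: succeed only if LEAF chains to root.pem,
# the sole trusted CA, helped by whatever extra certificates the server sent.
chain_ok() {
  openssl verify -CAfile "$dir/root.pem" ${2:+-untrusted "$2"} "$1" 2>&1 |
    grep -q ': OK$'
}

issue root "/O=Example Root CA" ca
issue int "/O=Example Intermediate CA" ca root
issue leaf "/CN=www.example.test" leaf int

# Server sends only its own certificate: no path to the root can be built.
if chain_ok "$dir/leaf.pem"; then leaf_only=valid; else leaf_only="unknown issuer"; fi
# Server also sends the intermediate: leaf -> intermediate -> root verifies.
if chain_ok "$dir/leaf.pem" "$dir/int.pem"; then with_int=valid; else with_int="unknown issuer"; fi
echo "leaf only:           $leaf_only"
echo "leaf + intermediate: $with_int"
```

Against a live server, `openssl s_client -connect host:443 -showcerts` lists the certificates the server actually sends; a correctly configured one sends the intermediate after its own certificate.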
