National Bank SSL Cert Fail

Got to wonder about your bank when they manage to upload the wrong SSL certificate to one of their webservers. :-/

hurp durp security

Every sysadmin has their bad day, but I would have thought a bank would have had a bit more of a test suite and monitoring of their certificates. :-/

This entry was posted in Uncategorized and tagged , , , , , . Bookmark the permalink.

8 Responses to National Bank SSL Cert Fail

  1. Sam P says:

    There are a surprising number of banks that suffer from this error because they need to buy a cert for each of their subdomains, – or a pricey wildcard certificate.

    Being a highly profitable bank though you think they could just afford a wildcard cert… herp derp indeed.

    • Jethro Carr says:

      According to Wikipedia it’s not possible to get a wildcard Extended Validation Certificate which sounds about right – EV certs appeal to banks as they have a higher level of company validation, although not of security, hence the green company name appearing in browsers like Firefox.

      http://en.wikipedia.org/wiki/Extended_Validation_Certificate

      I suspect they might have separate certs to avoid a compromise of the website SSL cert & key, which would lead to an ability to man-in-the-middle National Bank online banking traffic.

  2. Jethro Carr says:

    From National Bank, about ~11hr response time to their 24×7 fraud & security hotline:

    Last night, part of our infrastructure experienced a hardware failure
    resulting in several bank site being unavailable for a period of time.
    We sincerely apologise for any inconvenience this unplanned outage
    caused.

    Technicians restored service approx 10:25pm last night.

    If you continue to experience any issues we would advise to clear your
    browser cache or test with an alternative browser.

    • Jethro Carr says:

      Hardware failure sounds a bit dubious, but will give them benefit of the doubt – if a key load balancer failed, it’s possible other infrastructure just decided to forward hits to the main website and that would be reported as a H/W fault.

      Of course with the main website not having the domain in it’s certificate, it’s a bad way to address failures – better to have a user directed to a separate “sorry, unexpected fault occurring” webpage on the secure.nbnz.co.nz domain if there’s a technical issue.

  3. Kyhwana says:

    I’ve seen Kiwibank fail to renew their cert on time. -.-

    • Jethro Carr says:

      Oh that’s pretty awesome. :-) we do nagios checks of our certs these days to notify of expiry in advance, since engineers tend not to ignore it
      ;-)

  4. Yiddish says:

    Obviously the connection is untrusted.

    • Jethro Carr says:

      Well yes, and also no.

      Yes; in that all internet connections should be considered untrusted, as in you don’t know what organizations or individuals may have access to the traffic going between you and your destination.

      No; in that that certificate is a valid trusted cert – the certificate validates as a legitimate Verisign-signed National Bank owned certificate

      This means that excluding stolen certificates or hacked National Bank servers, the connection is at least validated as being connected to the bank.

Leave a Reply