Got to wonder about your bank when they manage to upload the wrong SSL certificate to one of their webservers. :-/
Every sysadmin has their bad day, but I would have thought a bank would have had a bit more of a test suite and monitoring of their certificates. :-/
There are a surprising number of banks that suffer from this error because they need to buy a cert for each of their subdomains, or a pricey wildcard certificate.
Being a highly profitable bank though, you'd think they could just afford a wildcard cert… herp derp indeed.
According to Wikipedia it’s not possible to get a wildcard Extended Validation Certificate which sounds about right – EV certs appeal to banks as they have a higher level of company validation, although not of security, hence the green company name appearing in browsers like Firefox.
I suspect they might have separate certs to avoid a compromise of the website SSL cert & key, which would lead to an ability to man-in-the-middle National Bank online banking traffic.
From National Bank, after a ~11hr response time to their 24×7 fraud & security hotline:
Last night, part of our infrastructure experienced a hardware failure resulting in several bank sites being unavailable for a period of time.
We sincerely apologise for any inconvenience this unplanned outage
Technicians restored service approx 10:25pm last night.
If you continue to experience any issues we would advise to clear your browser cache or test with an alternative browser.
Hardware failure sounds a bit dubious, but I'll give them the benefit of the doubt – if a key load balancer failed, it's possible other infrastructure just decided to forward hits to the main website, and that would be reported as a H/W fault.
Of course, with the main website not having the domain in its certificate, it's a bad way to address failures – better to have the user directed to a separate "sorry, unexpected fault occurring" webpage on the secure.nbnz.co.nz domain if there's a technical issue.
I’ve seen Kiwibank fail to renew their cert on time. -.-
Oh that's pretty awesome. :-) We do Nagios checks of our certs these days to notify of expiry in advance, since engineers tend not to ignore it.
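An added example, not code from the post or its commenters: a small Python check of the kind a Nagios plugin would run, covering both failure modes in this thread (a cert that does not name the host it is served on, and a cert about to expire). The function names, the embedded sample certificate and the 30-day warning threshold are my own assumptions.

```python
import socket
import ssl
import time

# Constructed sample, in the dict format ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notAfter": "Jan  5 09:59:03 2012 GMT",
}

def cert_names(cert):
    """DNS names the certificate is valid for (SAN entries, falling back to the CN)."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def name_matches(pattern, hostname):
    """RFC 6125-style match: a '*' covers exactly one leftmost label, nothing more."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        head, _, tail = hostname.partition(".")
        return bool(head) and tail == pattern[2:]
    return False

def check_cert(cert, hostname, warn_days=30, now=None):
    """Return a list of problems; an empty list means the cert is fine for hostname."""
    problems = []
    names = cert_names(cert)
    if not any(name_matches(n, hostname) for n in names):
        problems.append(f"certificate is for {names}, not {hostname}")
    now = time.time() if now is None else now
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < 0:
        problems.append(f"certificate expired {-days_left:.0f} days ago")
    elif days_left < warn_days:
        problems.append(f"certificate expires in {days_left:.0f} days")
    return problems

def fetch_cert(hostname, port=443, timeout=5):
    """Fetch the live cert; the chain is still verified, hostname checking is left to check_cert."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # report a name mismatch instead of aborting the handshake on it
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()
```

Wire `check_cert(fetch_cert(host), host)` into a scheduled check and alert on a non-empty result; the wildcard matcher deliberately rejects `*.example.com` for `a.b.example.com` and for the bare `example.com`.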
Obviously the connection is untrusted.
Well yes, and also no.
Yes; in that all internet connections should be considered untrusted, as in you don’t know what organizations or individuals may have access to the traffic going between you and your destination.
No; in that the certificate is a valid trusted cert – the certificate validates as a legitimate Verisign-signed, National Bank owned certificate.
This means that excluding stolen certificates or hacked National Bank servers, the connection is at least validated as being connected to the bank.