Got to wonder about your bank when they manage to upload the wrong SSL certificate to one of their webservers. :-/
Every sysadmin has their bad day, but I would have thought a bank would have had a bit more of a test suite and monitoring of their certificates. :-/
There are a surprising number of banks that suffer from this error because they need to buy a cert for each of their subdomains, or a pricey wildcard certificate.
Being a highly profitable bank though, you'd think they could just afford a wildcard cert… herp derp indeed.
According to Wikipedia it’s not possible to get a wildcard Extended Validation Certificate which sounds about right – EV certs appeal to banks as they have a higher level of company validation, although not of security, hence the green company name appearing in browsers like Firefox.
http://en.wikipedia.org/wiki/Extended_Validation_Certificate
I suspect they might have separate certs to avoid a compromise of the website SSL cert & key, which would lead to an ability to man-in-the-middle National Bank online banking traffic.
From National Bank, after about an 11hr response time to their 24×7 fraud & security hotline:
—
Last night, part of our infrastructure experienced a hardware failure resulting in several bank sites being unavailable for a period of time. We sincerely apologise for any inconvenience this unplanned outage caused.
Technicians restored service approx 10:25pm last night.
If you continue to experience any issues we would advise clearing your browser cache or testing with an alternative browser.
—
Hardware failure sounds a bit dubious, but I'll give them the benefit of the doubt – if a key load balancer failed, it's possible other infrastructure just decided to forward hits to the main website, and that would be reported as an H/W fault.
Of course, with the main website not having the domain in its certificate, it's a bad way to address failures – better to have the user directed to a separate "sorry, unexpected fault occurring" webpage on the secure.nbnz.co.nz domain if there's a technical issue.
I’ve seen Kiwibank fail to renew their cert on time. -.-
Oh, that's pretty awesome. :-) We do Nagios checks of our certs these days to notify of expiry in advance, since engineers tend not to ignore it ;-)
Obviously the connection is untrusted.
Well yes, and also no.
Yes; in that all internet connections should be considered untrusted, as in you don’t know what organizations or individuals may have access to the traffic going between you and your destination.
No; in that that certificate is a valid trusted cert – the certificate validates as a legitimate Verisign-signed, National Bank-owned certificate.
This means that, excluding stolen certificates or hacked National Bank servers, the connection is at least validated as being connected to the bank.
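Tying together the Nagios expiry checks mentioned earlier in the thread and the chain-valid-but-wrong-hostname situation described in this last reply, here is an added example (mine, not code from any commenter, the bank, or a Nagios plugin) of a check that reports both: the handshake validates the chain, then the hostname is matched against the SAN list with RFC 6125 wildcard rules and the expiry is compared to a warning threshold. `SAMPLE_CERT`, the `example.test` names and the function names are constructed for this example.

```python
import socket
import ssl
import time

OK, WARNING, CRITICAL = 0, 1, 2  # Nagios plugin exit codes

def label_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' only replaces the whole leftmost label, so
    '*.nbnz.co.nz' covers 'secure.nbnz.co.nz' but not 'a.b.nbnz.co.nz'."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    if p[0] != "*" or len(p) < 3 or len(p) != len(h):
        return False  # partial wildcards ('f*.x') and bare '*.tld' rejected
    return p[1:] == h[1:]

def cert_names(cert: dict) -> list:
    """dNSName SANs, which is what browsers match; the CN alone is ignored."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def check_cert(cert: dict, hostname: str, warn_days: int = 14, now=None) -> tuple:
    """Return (nagios_exit_code, message) for a getpeercert()-style dict."""
    now = time.time() if now is None else now
    if not any(label_matches(n, hostname) for n in cert_names(cert)):
        return CRITICAL, f"CRITICAL: {hostname} not in cert names {cert_names(cert)}"
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < 0:
        return CRITICAL, f"CRITICAL: cert expired {-days_left:.0f} days ago"
    if days_left < warn_days:
        return WARNING, f"WARNING: cert expires in {days_left:.0f} days"
    return OK, f"OK: name matches, {days_left:.0f} days until expiry"

def check_live(hostname: str, port: int = 443) -> tuple:
    """Validate the chain during the handshake, then report name/expiry."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # mismatch is reported by check_cert, not raised
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return check_cert(tls.getpeercert(), hostname)

# Constructed sample shaped like getpeercert() output (not a real bank cert).
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.example.test")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
```

`check_live("secure.nbnz.co.nz")` would return CRITICAL with the served cert's names whenever the main-site cert is handed out for that host, which is exactly the case the thread is about; an expired-but-otherwise-fine cert (the Kiwibank case) also comes back CRITICAL rather than slipping through as a chain failure only.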