
unknown certificate authority error with bank site

 
  

tester
External
Since: Jul 09, 2007
Posts: 2

Posted: Mon Jul 09, 2007 10:11 am    Post subject: unknown certificate authority error with bank site
Imported from groups: comp>os>linux>security

This message is not archived

Mark Shroyer
External
Since: Jul 01, 2007
Posts: 18

Posted: Mon Jul 09, 2007 11:23 am    Post subject: Re: unknown certificate authority error with bank site

On 2007-07-09, tester <test.TakeThisOut@none.invalid> wrote:
> https://www.myctfs.com (a bank) gives me an "unknown
> certificate authority" error. How serious a problem
> is this? What should I tell the admin in order to get
> the site fixed with as little argument as possible?
> If you have access to a variety of OS+browsers, please
> comment on which report a problem.
>

Hmm, they seem to be authenticated by VeriSign's Class 3 CA, which
under normal circumstances should be "installed" by default in most
web browsers / operating systems... my is that it's probably a
configuration issue at your end. (Unless somebody is actively
subjecting you to a man-in-the-middle attack; unlikely, but this is
the sort of warning you'd expect to see in that case.)

If it is a configuration issue with your system then I'd expect to
see similar problems with a bunch of other sites, too. Check your
web browser to ensure that VeriSign's CAs are installed (in Firefox,
go to Edit -> Preferences -> Advanced -> Encryption -> View
Certificates -> Authorities).

Mark

--
Mark Shroyer
http://markshroyer.com/

Steve Sentoff
External
Since: Jul 09, 2007
Posts: 4

Posted: Mon Jul 09, 2007 11:23 am    Post subject: Re: unknown certificate authority error with bank site

I see this same error, with Firefox 2.0.0.4 and its set of certificates
loaded. I've got a lot of VeriSign certificates, but not that one.
Since anyone can assert the certificate is from VeriSign, I'd be very
leery of this one. I wouldn't connect to this site until I had got a
very believable explanation from someone who knew what was going on.

--
Steve


Mark Shroyer wrote:
> On 2007-07-09, tester <test RemoveThis @none.invalid> wrote:
>> https://www.myctfs.com (a bank) gives me an "unknown
>> certificate authority" error. How serious a problem
>> is this? What should I tell the admin in order to get
>> the site fixed with as little argument as possible?
>> If you have access to a variety of OS+browsers, please
>> comment on which report a problem.
>>
>
> Hmm, they seem to be authenticated by VeriSign's Class 3 CA, which
> under normal circumstances should be "installed" by default in most
> web browsers / operating systems... my is that it's probably a
> configuration issue at your end. (Unless somebody is actively
> subjecting you to a man-in-the-middle attack; unlikely, but this is
> the sort of warning you'd expect to see in that case.)
>
> If it is a configuration issue with your system then I'd expect to
> see similar problems with a bunch of other sites, too. Check your
> web browser to ensure that VeriSign's CAs are installed (in Firefox,
> go to Edit -> Preferences -> Advanced -> Encryption -> View
> Certificates -> Authorities).
>
> Mark
>

tester
External
Since: Jul 09, 2007
Posts: 2

Posted: Mon Jul 09, 2007 12:29 pm    Post subject: Re: unknown certificate authority error with bank site

This message is not archived

Mark Shroyer
External
Since: Jul 01, 2007
Posts: 18

Posted: Mon Jul 09, 2007 1:27 pm    Post subject: Re: unknown certificate authority error with bank site

On 2007-07-09, Steve Sentoff <steve30401 RemoveThis @hotmail.com> wrote:
> I see this same error, with Firefox 2.0.0.4 and its set of certificates
> loaded. I've got a lot of VeriSign certificates, but not that one.
> Since anyone can assert the certificate is from VeriSign, I'd be very
> leery of this one. I wouldn't connect to this site until I had got a
> very believable explanation from someone who knew what was going on.

I was probably unclear about this point, but what I meant to say is
that the site's certificate actually checks out as valid with my
Firefox 2.0.0.4 default CA set. That is, assuming that I can trust
the CA keys distributed with my copy of Firefox, the site I'm
personally able to connect to at http://myctfs.com/ (which we can't
necessarily trust to be the same site you're reaching at that
address from your side of the network) is authenticated by VeriSign.

But you're right, of course: if the original poster cannot
personally verify this site's certificate, he should absolutely stay
away until the company has given him a clear explanation of what's
going on. That two people have reported problems verifying this
site's identity is pretty darn suspicious...

--
Mark Shroyer
http://markshroyer.com/

s. keeling
External
Since: Jul 07, 2007
Posts: 79

Posted: Mon Jul 09, 2007 4:06 pm    Post subject: Re: unknown certificate authority error with bank site

Mark Shroyer <usenet-mail.TakeThisOut@markshroyer.com>:
> On 2007-07-09, Steve Sentoff <steve30401.TakeThisOut@hotmail.com> wrote:
> > I see this same error, with Firefox 2.0.0.4 and its set of certificates
> > loaded. I've got a lot of VeriSign certificates, but not that one.
> > Since anyone can assert the certificate is from VeriSign, I'd be very
>
> I was probably unclear about this point, but what I meant to say is
> that the site's certificate actually checks out as valid with my
> Firefox 2.0.0.4 default CA set. That is, assuming that I can trust
> the CA keys distributed with my copy of Firefox, the site I'm
> personally able to connect to at http://myctfs.com/ (which we can't
> necessarily trust to be the same site you're reaching at that
> address from your side of the network) is authenticated by VeriSign.
>
> But you're right, of course: if the original poster cannot
> personally verify this site's certificate, he should absolutely stay
> away until the company has given him a clear explanation of what's
> going on. That two people have reported problems verifying this
> site's identity is pretty darn suspicious...

Three people. FF/Iceweasel 2.0.0.4


--
Any technology distinguishable from magic is insufficiently advanced.
(*) http://www.spots.ab.ca/~keeling Linux Counter #80292
- - http://www.faqs.org/rfcs/rfc1855.html Please, don't Cc: me.

Mark Shroyer
External
Since: Jul 01, 2007
Posts: 18

Posted: Mon Jul 09, 2007 4:17 pm    Post subject: Re: unknown certificate authority error with bank site

On 2007-07-09, s. keeling <keeling DeleteThis @nucleus.com> wrote:
> Mark Shroyer <usenet-mail DeleteThis @markshroyer.com>:

[...]

>> But you're right, of course: if the original poster cannot
>> personally verify this site's certificate, he should absolutely stay
>> away until the company has given him a clear explanation of what's
>> going on. That two people have reported problems verifying this
>> site's identity is pretty darn suspicious...
>
> Three people. FF/Iceweasel 2.0.0.4

I just tried again and am now being served the suspect certificate
as well. I'd be less concerned if they clearly were accidentally
serving some internal self-signed certificate; however, this cert's
issuer DN that it is from VeriSign, even though it doesn't validate
as such. So yeah, suspicious.

--
Mark Shroyer
http://markshroyer.com/

Peter Pearson
External
Since: Nov 01, 2004
Posts: 44

Posted: Mon Jul 09, 2007 5:56 pm    Post subject: Re: unknown certificate authority error with bank site

On Mon, 9 Jul 2007 10:11:09 +0000 (UTC), tester <test.RemoveThis@none.invalid> wrote:
> https://www.myctfs.com (a bank) gives me an "unknown
> certificate authority" error. How serious a problem
> is this? What should I tell the admin in order to get
> the site fixed with as little argument as possible?
> If you have access to a variety of OS+browsers, please
> comment on which report a problem.

At this web page:

http://www.verisign.com/support/advisories/page_040611.html

Verisign explains the (new, as of April 2006) need for an
"Intermediate CA Certificate", and explains how things will
malfunction if said certificate is not installed on the
server. I think this is the problem you report. I think
www.myctfs.com is not providing the complete "trust chain"
back to the Verisign Class 3 Public Primary Certification
Authority that is (presumably) installed in your browser.

So, most likely, www.myctfs.com has goofed up their certificate
handling. But you can't be sure, can you?

--
To email me, substitute nowhere->spamcop, invalid->net.
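
The missing-intermediate failure described in the post above, together with the earlier point in the thread that an issuer name by itself proves nothing, reproduced offline with the openssl command line. This is an added example, not part of any post in the thread; the three-level PKI, its names (Demo Root CA, Demo Intermediate CA, www.bank.example) and the helper functions are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo PKI: every name, key and file below is made up for this example.
D=$(mktemp -d)
printf 'basicConstraints=critical,CA:TRUE\n' > "$D/ca.ext"

new_csr() {   # $1 = basename, $2 = subject CN
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$D/$1.key" -out "$D/$1.csr" 2>/dev/null
}
self_sign() { # $1 = basename of a CA that signs its own certificate
    openssl x509 -req -in "$D/$1.csr" -signkey "$D/$1.key" -days 2 \
        -extfile "$D/ca.ext" -out "$D/$1.pem" 2>/dev/null
}
issue() {     # $1 = basename to issue, $2 = issuing CA, rest = extra x509 options
    crt=$1; ca=$2; shift 2
    openssl x509 -req -in "$D/$crt.csr" -CA "$D/$ca.pem" -CAkey "$D/$ca.key" \
        -CAcreateserial -days 2 -out "$D/$crt.pem" "$@" 2>/dev/null
}
build_demo_pki() {
    # Root: the only certificate the client trusts (stands in for the browser's built-in CA).
    new_csr root "Demo Root CA" && self_sign root &&
    # Intermediate: signed by the root; the server is expected to send it.
    new_csr int "Demo Intermediate CA" && issue int root -extfile "$D/ca.ext" &&
    # Site certificate, signed by the intermediate.
    new_csr leaf "www.bank.example" && issue leaf int &&
    # Look-alike CA: same subject name as the intermediate, unrelated key.
    new_csr fakeint "Demo Intermediate CA" && self_sign fakeint &&
    new_csr fakeleaf "www.bank.example" && issue fakeleaf fakeint
}
chain_ok() {  # $1 = site cert basename, $2 = intermediate sent by the server (optional)
    leaf=$1; shift
    if [ $# -gt 0 ]; then set -- -untrusted "$D/$1.pem"; fi
    openssl verify -CAfile "$D/root.pem" "$@" "$D/$leaf.pem" 2>&1 | grep -q ': OK$'
}
report() { if chain_ok "$@"; then echo "$*: OK"; else echo "$*: REJECTED"; fi; }

build_demo_pki || { echo "openssl could not build the demo PKI" >&2; exit 1; }
report leaf          # server sent only its own certificate: issuer unknown
report leaf int      # server also sent the intermediate: chain reaches the root
report fakeleaf int  # issuer name matches the intermediate, signature does not
```

The first and third cases are both rejected, which is why the warning alone cannot tell a client whether it is looking at a misconfigured server or a certificate that merely names a well-known issuer.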

Rich Leitner
External
Since: Jul 11, 2005
Posts: 37

Posted: Sun Aug 05, 2007 10:17 pm    Post subject: Re: unknown certificate authority error with bank site

Peter Pearson wrote:
> On Mon, 9 Jul 2007 10:11:09 +0000 (UTC), tester <test.DeleteThis@none.invalid> wrote:
>> https://www.myctfs.com (a bank) gives me an "unknown
>> certificate authority" error. How serious a problem
>> is this? What should I tell the admin in order to get
>> the site fixed with as little argument as possible?
>> If you have access to a variety of OS+browsers, please
>> comment on which report a problem.
>
> At this web page:
>
> http://www.verisign.com/support/advisories/page_040611.html
>
> Verisign explains the (new, as of April 2006) need for an
> "Intermediate CA Certificate", and explains how things will
> malfunction if said certificate is not installed on the
> server. I think this is the problem you report. I think
> www.myctfs.com is not providing the complete "trust chain"
> back to the Verisign Class 3 Public Primary Certification
> Authority that is (presumably) installed in your browser.
>
> So, most likely, www.myctfs.com has goofed up their certificate
> handling. But you can't be sure, can you?
>

Yes, I've experienced it as well. Usually, it is a misconfigured Apache
server. Verisign addressed this problem as Peter stated, but it seems
that many administrators either didn't bother to configure properly, or
didn't know how. A few months later, it happened to me on my very own
site ... took me a few days to figure out how to fix it.

On the other hand, I wouldn't take any chances ... the warning might be
for another reason.

Rich