This is a discussion on Re: unknown certificate authority error with bank site within the Linux Security forums, part of the System Security and Security Related category.
On 2007-07-09, tester <test@none.invalid> wrote:
> https://www.myctfs.com (a bank) gives me an "unknown
> certificate authority" error. How serious a problem
> is this? What should I tell the admin in order to get
> the site fixed with as little argument as possible?
> If you have access to a variety of OS+browsers, please
> comment on which report a problem.
>

Hmm, they seem to be authenticated by VeriSign's Class 3 CA, which under normal circumstances should be "installed" by default in most web browsers / operating systems... my is that it's probably a configuration issue at your end. (Unless somebody is actively subjecting you to a man-in-the-middle attack; unlikely, but this is the sort of warning you'd expect to see in that case.)

If it is a configuration issue with your system then I'd expect to see similar problems with a bunch of other sites, too. Check your web browser to ensure that VeriSign's CAs are installed (in Firefox, go to Edit -> Preferences -> Advanced -> Encryption -> View Certificates -> Authorities).

Mark

--
Mark Shroyer
http://markshroyer.com/

I see this same error, with Firefox 2.0.0.4 and its set of certificates loaded. I've got a lot of VeriSign certificates, but not that one. Since anyone can assert the certificate is from VeriSign, I'd be very leery of this one. I wouldn't connect to this site until I had got a very believable explanation from someone who knew what was going on.

--
Steve

Mark Shroyer wrote:
> On 2007-07-09, tester <test@none.invalid> wrote:
>> https://www.myctfs.com (a bank) gives me an "unknown
>> certificate authority" error. How serious a problem
>> is this? What should I tell the admin in order to get
>> the site fixed with as little argument as possible?
>> If you have access to a variety of OS+browsers, please
>> comment on which report a problem.
>>
>
> Hmm, they seem to be authenticated by VeriSign's Class 3 CA, which
> under normal circumstances should be "installed" by default in most
> web browsers / operating systems... my is that it's probably a
> configuration issue at your end. (Unless somebody is actively
> subjecting you to a man-in-the-middle attack; unlikely, but this is
> the sort of warning you'd expect to see in that case.)
>
> If it is a configuration issue with your system then I'd expect to
> see similar problems with a bunch of other sites, too. Check your
> web browser to ensure that VeriSign's CAs are installed (in Firefox,
> go to Edit -> Preferences -> Advanced -> Encryption -> View
> Certificates -> Authorities).
>
> Mark
>

On 2007-07-09, Steve Sentoff <steve30401@hotmail.com> wrote:
> I see this same error, with Firefox 2.0.0.4 and its set of certificates
> loaded. I've got a lot of VeriSign certificates, but not that one.
> Since anyone can assert the certificate is from VeriSign, I'd be very
> leery of this one. I wouldn't connect to this site until I had got a
> very believable explanation from someone who knew what was going on.

I was probably unclear about this point, but what I meant to say is that the site's certificate actually checks out as valid with my Firefox 2.0.0.4 default CA set. That is, assuming that I can trust the CA keys distributed with my copy of Firefox, the site I'm personally able to connect to at http://myctfs.com/ (which we can't necessarily trust to be the same site you're reaching at that address from your side of the network) is authenticated by VeriSign.

But you're right, of course: if the original poster cannot personally verify this site's certificate, he should absolutely stay away until the company has given him a clear explanation of what's going on. That two people have reported problems verifying this site's identity is pretty darn suspicious...

--
Mark Shroyer
http://markshroyer.com/

Mark Shroyer <usenet-mail@markshroyer.com>:
> On 2007-07-09, Steve Sentoff <steve30401@hotmail.com> wrote:
> > I see this same error, with Firefox 2.0.0.4 and its set of certificates
> > loaded. I've got a lot of VeriSign certificates, but not that one.
> > Since anyone can assert the certificate is from VeriSign, I'd be very
>
> I was probably unclear about this point, but what I meant to say is
> that the site's certificate actually checks out as valid with my
> Firefox 2.0.0.4 default CA set. That is, assuming that I can trust
> the CA keys distributed with my copy of Firefox, the site I'm
> personally able to connect to at http://myctfs.com/ (which we can't
> necessarily trust to be the same site you're reaching at that
> address from your side of the network) is authenticated by VeriSign.
>
> But you're right, of course: if the original poster cannot
> personally verify this site's certificate, he should absolutely stay
> away until the company has given him a clear explanation of what's
> going on. That two people have reported problems verifying this
> site's identity is pretty darn suspicious...

Three people. FF/Iceweasel 2.0.0.4

--
Any technology distinguishable from magic is insufficiently advanced.
(*) http://www.spots.ab.ca/~keeling Linux Counter #80292
- - http://www.faqs.org/rfcs/rfc1855.html Please, don't Cc: me.

On 2007-07-09, s. keeling <keeling@nucleus.com> wrote:
> Mark Shroyer <usenet-mail@markshroyer.com>:
[...]
>> But you're right, of course: if the original poster cannot
>> personally verify this site's certificate, he should absolutely stay
>> away until the company has given him a clear explanation of what's
>> going on. That two people have reported problems verifying this
>> site's identity is pretty darn suspicious...
>
> Three people. FF/Iceweasel 2.0.0.4

I just tried again and am now being served the suspect certificate as well. I'd be less concerned if they clearly were accidentally serving some internal self-signed certificate; however, this cert's issuer DN that it is from VeriSign, even though it doesn't validate as such. So yeah, suspicious.

--
Mark Shroyer
http://markshroyer.com/

On Mon, 09 Jul 2007 12:29:47 +0000, tester wrote:
>> If it is a configuration issue with your system then I'd expect to
>> see similar problems with a bunch of other sites, too.
>
> I haven't encountered any similar problems, and I've tried myctfs
> while booted to separate systems with different browsers, using
> same ISP connection. Can you suggest some test cases?
>
>> Check your web browser to ensure that VeriSign's CAs are installed (in
>> Firefox, go to Edit -> Preferences -> Advanced -> Encryption -> View
>> Certificates -> Authorities).
>
> With Firefox 2.0.0.4 I see 15 items listed under VeriSign, including
> these 3 that match the "class 3" description:
>
> Class 3 Public Primary Certification Authority | Builtin Object Token
> Class 3 Public Primary Certification Authority - G2 | Builtin Object Token
> Class 3 Public Primary Certification Authority - G3 | Builtin Object Token

Don't know the answer to your specific question. However I think you might have already gotten it above.

Would point out, am now using Firefox version 2.0.0.6, compared to your 2.0.0.4. Do a favor and go to Menu Bar >> Help >> Check for Updates. That option is currently unavailable to me (greyed out) for reasons unknown to me. There are of course other ways to update.

I would put it on my own list to check if I were you, or even me. ;)

Mark Shroyer wrote:
> On 2007-07-09, tester <test@none.invalid> wrote:
>> https://www.myctfs.com (a bank) gives me an "unknown
>> certificate authority" error. How serious a problem
>> is this? What should I tell the admin in order to get
>> the site fixed with as little argument as possible?
>> If you have access to a variety of OS+browsers, please
>> comment on which report a problem.
>>
>
> Hmm, they seem to be authenticated by VeriSign's Class 3 CA, ...
>
> If it is a configuration issue with your system then I'd expect to
> see similar problems with a bunch of other sites, too. ...
>
> Mark
>

My school just renewed their VeriSign Class 3 web site certificate, and it has the same problem:

https://hccadvisor.hccfl.edu/

The only thing that struck me as odd was that the CA certificate doesn't seem to include the "CN" attribute. Only this and a few other VeriSign CA certificates are missing this. I thought the CN attribute was required?

-Wayne

Wayne wrote:
> Mark Shroyer wrote:
>> On 2007-07-09, tester <test@none.invalid> wrote:
>>> https://www.myctfs.com (a bank) gives me an "unknown
>>> certificate authority" error. How serious a problem
>>> is this? What should I tell the admin in order to get
>>> the site fixed with as little argument as possible?
>>> If you have access to a variety of OS+browsers, please
>>> comment on which report a problem.
>>>
>> Hmm, they seem to be authenticated by VeriSign's Class 3 CA, ...
>>
>> If it is a configuration issue with your system then I'd expect to
>> see similar problems with a bunch of other sites, too. ...
>>
>> Mark
>>
>
> My school just renewed their VeriSign Class 3 web site certificate,
> and it has the same problem:
>
> https://hccadvisor.hccfl.edu/
>
> The only thing that struck me as odd was that the CA certificate
> doesn't seem to include the "CN" attribute. Only this
> and a few other VeriSign CA certificates are missing this.
> I thought the CN attribute was required?
>
> -Wayne

I decided to live chat with Verisign on this. They checked, escalated, checked, and found the problem is the web site needs to install an intermediate certificate:

Jeff S: It appears that the Intermediate CA certificate has not been installed on the web server.
Jeff S: You will need to obtain the Secure Site Pro Certificate from this page here: http://www.verisign.com/support/veri...-ca/index.html

-Wayne
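
The diagnosis in the last post (the web server was not sending the intermediate CA certificate) reproduced offline, as an added example that is not part of the original thread: it builds a constructed root, intermediate and leaf with `openssl`, then verifies the leaf the way a client that trusts only the root would. All subject names, file names and function names are made up for the illustration.

```shell
# Constructed three-tier PKI: root -> intermediate -> leaf (all names hypothetical).
make_chain() {
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
O = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Self-signed root: the only certificate in the client's trust store.
    openssl req -x509 -config "$d/ca.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -keyout "$d/root.key" -out "$d/root.pem" -days 30 \
        -subj "/O=Constructed Root CA" 2>/dev/null
    # Intermediate CA, signed by the root.
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/int.key" -out "$d/int.csr" \
        -subj "/O=Constructed Intermediate CA" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.cnf" -extensions v3_ca \
        -out "$d/int.pem" -days 30 2>/dev/null
    # Server certificate, signed by the intermediate, not by the root.
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" \
        -subj "/CN=bank.example.test" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -out "$d/leaf.pem" -days 30 2>/dev/null
}

# Prints "trusted" or "untrusted" for what the server sends in its handshake:
#   leaf-only = intermediate omitted; with-intermediate = leaf plus intermediate.
client_verdict() {
    d=$1
    case $2 in
        leaf-only)         set -- "$d/leaf.pem" ;;
        with-intermediate) set -- -untrusted "$d/int.pem" "$d/leaf.pem" ;;
        *) return 2 ;;
    esac
    if openssl verify -CAfile "$d/root.pem" "$@" >/dev/null 2>&1
    then echo trusted; else echo untrusted; fi
}

work=$(mktemp -d)
make_chain "$work"
echo "leaf only:         $(client_verdict "$work" leaf-only)"
echo "with intermediate: $(client_verdict "$work" with-intermediate)"
```

Against a live server, `openssl s_client -connect HOST:443 -showcerts` lists the certificates the server actually sends; a lone leaf whose issuer is not a root in the client's store corresponds to the leaf-only case here.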