
My bank's website, which has always had a 'green lock' in the address bar, doesn't have this anymore. I then called the bank at a phone number I found on the same website, and asked that the operator read the serial number of the certificate to me. She refused to do this and insisted that I read the serial number to her, and she would verify it.

I declined this and explained to her that I cannot trust her telephone number. While having her read the serial number doesn't give me much security (after all, if I'm talking to a hacker, she would read me the serial number of the invalid certificate), I didn't feel comfortable reading the serial number to her - it makes it too easy to just say "Yeah, that's correct".

I don't know why she refused to give me the serial number (does she really think this is sensitive information? I hope not. More likely, they trained her not to give out "too much" information.)

But this got me thinking. What should I do if the certificate of my bank's website shows as weak, invalid, expired, ...?

Note: I'm extra cautious today, as this is the second bank website I've visited today that doesn't have a green lock. The other one even had a red cross. I don't know whether my browser / computer is compromised or whether it's just Chromium being more reluctant to accept SHA-1 signatures. When I phoned the other bank, the operator didn't even want to verify the serial number with me, and after that it took me ten minutes to convince him to make a note about the certificate for his superiors, which I'm quite sure he won't do. What a world we live in.

The websites of the banks are: ASN bank and ING bank.

  • https://www.ssllabs.com/ssltest/analyze.html?d=www.asnbank.nl&hideResults=on tells me there's an A rating. https://www.ssllabs.com/ssltest/analyze.html?d=ideal.secure-ing.com&hideResults=on tells me there's an A+ rating. Not sure what's wrong with your browser – Jeroen Aug 11 '15 at 15:55
  • @Jeroen-ITNerdbox in the "Additional certificates" section you can see the VeriSign certificate uses SHA-1, [which Chromium doesn't like](http://blog.chromium.org/2014/09/gradually-sunsetting-sha-1.html). They have had almost a year to get a stronger certificate. –  Aug 11 '15 at 16:00
  • Yes, but that's the root CA that uses SHA-1, not the banks. – Jeroen Aug 13 '15 at 03:38
  • @Jeroen-ITNerdbox you're right. Searching a bit gives me https://code.google.com/p/chromium/issues/detail?id=488305. I think it's this issue. –  Aug 13 '15 at 09:15

1 Answer


The green lock indicates that an Extended Validation Certificate is being used. This means that the organisation has gone through some extended checks before the certificate is issued for their domain.

You would be right to be suspicious if this suddenly changes to a DV or OV certificate (Domain Validated or Organisation Validated), which are easier to obtain and hard for a user to distinguish between. Checking that the certificate is valid is a good move; however, bear in mind that you should be checking the thumbprint, not the serial number.

You can check SSL thumbprints online using services such as this one on GRC.

Mandatory attrition link.

Note that if you were the subject of a targeted attack, a Man In The Middle could alter the GRC page to show you the certificate fingerprints that she was spoofing. Unlikely, but important to include this information here because it is easily technically possible. You could check the GRC page via Tor or via another connection (e.g. via 3G/4G) in order to verify that your main connection has not been MITM'd (and in fact the sites themselves, to see if they have the same thumbprint).

It is likely that a bank telephone operator isn't technical enough to know what a serial number is and what the consequences of giving it to you are.

> But this got me thinking. What should I do if the certificate of my bank's website shows as weak, invalid, expired, ...?

For one thing, do not use the site at all for any sensitive information. Yes, phone the bank, using a trusted phone number (e.g. from the back of your bank card), but ask to speak to somebody from technical support for the website and explain the issue to them.

SilverlightFox
  • I didn't think of looking at my card, that's a good idea. Unfortunately, they didn't put it there(!) I found their number on old correspondence though. Anyway, thanks for your information. –  Aug 11 '15 at 15:47
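The two checks the answer recommends, comparing the thumbprint rather than the serial number and comparing what different connections see, as an added Python example that is not from the original post or from any of the sites mentioned. It builds two constructed, unsigned certificate skeletons for a hypothetical host (www.bank.example) that carry the same serial number but different keys, extracts the serial with a minimal DER walk, and shows that only the SHA-256 thumbprint (a hash over the whole certificate) tells them apart; `fingerprints_agree` models the "check again via Tor or 3G/4G" step. The serial, key bytes, host names and validity dates are all invented sample data.

```python
"""Thumbprint vs. serial number: a constructed, offline demonstration."""
import hashlib
import ssl  # stdlib PEM <-> DER helpers only; no network is used


# --- Minimal DER encoder, used only to build constructed certificate skeletons ---

def der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(value):
    """DER INTEGER (non-negative); pad so the high bit is never read as a sign."""
    b = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return der_tlv(0x02, b)


def der_seq(*parts):
    return der_tlv(0x30, b"".join(parts))


def der_name(common_name):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; a single CN (OID 2.5.4.3)."""
    atv = der_seq(der_tlv(0x06, b"\x55\x04\x03"), der_tlv(0x0C, common_name.encode()))
    return der_seq(der_tlv(0x31, atv))


def build_constructed_cert(serial, common_name, pubkey_bytes):
    """X.509-shaped DER blob: constructed sample input, unsigned, toy key,
    hypothetical names. Structurally complete enough for the parser below."""
    sha256_rsa = der_seq(der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    rsa = der_seq(der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"))         # rsaEncryption
    tbs = der_seq(
        der_tlv(0xA0, der_int(2)),                                   # [0] EXPLICIT version v3
        der_int(serial),                                             # serialNumber
        sha256_rsa,                                                  # signature algorithm
        der_name("Constructed Test CA"),                             # issuer (invented)
        der_seq(der_tlv(0x17, b"150811000000Z"), der_tlv(0x17, b"160811000000Z")),  # validity
        der_name(common_name),                                       # subject
        der_seq(rsa, der_tlv(0x03, b"\x00" + pubkey_bytes)),         # subjectPublicKeyInfo (toy key)
    )
    # Signature is a placeholder; nothing here is cryptographically signed.
    return der_seq(tbs, sha256_rsa, der_tlv(0x03, b"\x00" + b"\x00" * 8))


# --- Minimal DER reader: just enough to reach serialNumber ---

def read_tlv(buf, pos):
    """Return (tag, body_start, body_end) of the TLV at pos, with bounds checks."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        if n == 0 or pos + 2 + n > len(buf):
            raise ValueError("bad length encoding")
        length, header = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + header
    if start + length > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, start, start + length


def certificate_serial(der):
    """Walk Certificate -> TBSCertificate -> [optional version] -> serialNumber."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, pos, _ = read_tlv(der, body)
    if tag != 0x30:
        raise ValueError("TBSCertificate is not a SEQUENCE")
    tag, start, end = read_tlv(der, pos)
    if tag == 0xA0:  # version present; the serial is the next element
        tag, start, end = read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    return int.from_bytes(der[start:end], "big")


def sha256_fingerprint(der):
    """The thumbprint a browser displays: a hash over the entire DER certificate."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def fingerprint_of_pem(pem):
    """Same thumbprint for a PEM export from the browser's certificate viewer."""
    return sha256_fingerprint(ssl.PEM_cert_to_DER_cert(pem))


def fingerprints_agree(observations):
    """observations: {vantage point: thumbprint}. Any disagreement between, say,
    the home connection and Tor or mobile means one path served a different cert."""
    return len(set(observations.values())) == 1


# Constructed data: two certificates with the SAME serial number but different keys.
# A serial is chosen by whoever issues the certificate, so it proves nothing on its own;
# the thumbprint covers every byte and cannot be copied without copying the certificate.
SERIAL = 0x1A2B3C4D
GENUINE = build_constructed_cert(SERIAL, "www.bank.example", b"\x01" * 16)
SPOOFED = build_constructed_cert(SERIAL, "www.bank.example", b"\x02" * 16)
GENUINE_PEM = ssl.DER_cert_to_PEM_cert(GENUINE)

if __name__ == "__main__":
    print("serials equal:      ", certificate_serial(GENUINE) == certificate_serial(SPOOFED))
    print("thumbprints equal:  ", sha256_fingerprint(GENUINE) == sha256_fingerprint(SPOOFED))
    print("home vs Tor agree:  ", fingerprints_agree({"home": sha256_fingerprint(SPOOFED),
                                                      "tor": sha256_fingerprint(GENUINE)}))
```

In practice the thumbprint you compare is the one your own browser shows for the live connection, read from its certificate viewer or exported as PEM and passed to `fingerprint_of_pem`; the certificates here are built in-process only so the example runs without a network. Use the SHA-256 thumbprint rather than SHA-1 where the viewer offers both.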