https://www.myctfs.com (a bank) gives me an "unknown certificate authority" error. How serious a problem is this? What should I tell the admin in order to get the site fixed with as little argument as possible? If you have access to a variety of OS+browsers, please comment on which report a problem.
Replies to the message from Test@none.invalid (tester)
On 2007-07-09, tester wrote:
> https://www.myctfs.com (a bank) gives me an "unknown
> certificate authority" error. How serious a problem
> is this? What should I tell the admin in order to get
> the site fixed with as little argument as possible?
> If you have access to a variety of OS+browsers, please
> comment on which report a problem.
Hmm, they seem to be authenticated by VeriSign's Class 3 CA, which under normal circumstances should be "installed" by default in most web browsers / operating systems... my is that it's probably a configuration issue at your end. (Unless somebody is actively subjecting you to a man-in-the-middle attack; unlikely, but this is the sort of warning you'd expect to see in that case.)
If it is a configuration issue with your system then I'd expect to see similar problems with a bunch of other sites, too. Check your web browser to ensure that VeriSign's CAs are installed (in Firefox, go to Edit -> Preferences -> Advanced -> Encryption -> View Certificates -> Authorities).
> If it is a configuration issue with your system then I'd expect to
> see similar problems with a bunch of other sites, too.
I haven't encountered any similar problems, and I've tried myctfs while booted to separate systems with different browsers, using same ISP connection. Can you suggest some test cases?
> Check your web browser to ensure that VeriSign's CAs are installed (in
> Firefox, go to Edit -> Preferences -> Advanced -> Encryption -> View
> Certificates -> Authorities).
With Firefox 2.0.0.4 I see 15 items listed under VeriSign, including these 3 that match the "class 3" description:
Class 3 Public Primary Certification Authority | Builtin Object Token
Class 3 Public Primary Certification Authority - G2 | Builtin Object Token
Class 3 Public Primary Certification Authority - G3 | Builtin Object Token
I see this same error, with Firefox 2.0.0.4 and its set of certificates loaded. I've got a lot of VeriSign certificates, but not that one. Since anyone can assert the certificate is from VeriSign, I'd be very leery of this one. I wouldn't connect to this site until I had got a very believable explanation from someone who knew what was going on.
-- Steve
Mark Shroyer wrote:
> On 2007-07-09, tester wrote:
>> https://www.myctfs.com (a bank) gives me an "unknown
>> certificate authority" error. How serious a problem
>> is this? What should I tell the admin in order to get
>> the site fixed with as little argument as possible?
>> If you have access to a variety of OS+browsers, please
>> comment on which report a problem.
>
> Hmm, they seem to be authenticated by VeriSign's Class 3 CA, which
> under normal circumstances should be "installed" by default in most
> web browsers / operating systems... my is that it's probably a
> configuration issue at your end. (Unless somebody is actively
> subjecting you to a man-in-the-middle attack; unlikely, but this is
> the sort of warning you'd expect to see in that case.)
>
> If it is a configuration issue with your system then I'd expect to
> see similar problems with a bunch of other sites, too. Check your
> web browser to ensure that VeriSign's CAs are installed (in Firefox,
> go to Edit -> Preferences -> Advanced -> Encryption -> View
> Certificates -> Authorities).
>
> Mark
On 2007-07-09, Steve Sentoff wrote:
> I see this same error, with Firefox 2.0.0.4 and its set of certificates
> loaded. I've got a lot of VeriSign certificates, but not that one.
> Since anyone can assert the certificate is from VeriSign, I'd be very
> leery of this one. I wouldn't connect to this site until I had got a
> very believable explanation from someone who knew what was going on.
I was probably unclear about this point, but what I meant to say is that the site's certificate actually checks out as valid with my Firefox 2.0.0.4 default CA set. That is, assuming that I can trust the CA keys distributed with my copy of Firefox, the site I'm personally able to connect to at http://myctfs.com/ (which we can't necessarily trust to be the same site you're reaching at that address from your side of the network) is authenticated by VeriSign.
But you're right, of course: if the original poster cannot personally verify this site's certificate, he should absolutely stay away until the company has given him a clear explanation of what's going on. That two people have reported problems verifying this site's identity is pretty darn suspicious...
Mark Shroyer:
> On 2007-07-09, Steve Sentoff wrote:
> > I see this same error, with Firefox 2.0.0.4 and its set of certificates
> > loaded. I've got a lot of VeriSign certificates, but not that one.
> > Since anyone can assert the certificate is from VeriSign, I'd be very
>
> I was probably unclear about this point, but what I meant to say is
> that the site's certificate actually checks out as valid with my
> Firefox 2.0.0.4 default CA set. That is, assuming that I can trust
> the CA keys distributed with my copy of Firefox, the site I'm
> personally able to connect to at http://myctfs.com/ (which we can't
> necessarily trust to be the same site you're reaching at that
> address from your side of the network) is authenticated by VeriSign.
>
> But you're right, of course: if the original poster cannot
> personally verify this site's certificate, he should absolutely stay
> away until the company has given him a clear explanation of what's
> going on. That two people have reported problems verifying this
> site's identity is pretty darn suspicious...
>> But you're right, of course: if the original poster cannot
>> personally verify this site's certificate, he should absolutely stay
>> away until the company has given him a clear explanation of what's
>> going on. That two people have reported problems verifying this
>> site's identity is pretty darn suspicious...
>
> Three people. FF/Iceweasel 2.0.0.4
I just tried again and am now being served the suspect certificate as well. I'd be less concerned if they clearly were accidentally serving some internal self-signed certificate; however, this cert's issuer DN that it is from VeriSign, even though it doesn't validate as such. So yeah, suspicious.
On Mon, 9 Jul 2007 10:11:09 +0000 (UTC), tester wrote:
> https://www.myctfs.com (a bank) gives me an "unknown
> certificate authority" error. How serious a problem
> is this? What should I tell the admin in order to get
> the site fixed with as little argument as possible?
> If you have access to a variety of OS+browsers, please
> comment on which report a problem.
Verisign explains the (new, as of April 2006) need for an "Intermediate CA Certificate", and explains how things will malfunction if said certificate is not installed on the server. I think this is the problem you report. I think www.myctfs.com is not providing the complete "trust chain" back to the Verisign Class 3 Public Primary Certification Authority that is (presumably) installed in your browser.
So, most likely, www.myctfs.com has goofed up their certificate handling. But you can't be sure, can you?
-- To email me, substitute nowhere->spamcop, invalid->net.
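Peter's diagnosis (the root is in the browser, but the server never sends the intermediate that links its certificate to that root) can be reproduced offline. The script below is an added example, not something posted in the thread: it builds a constructed root -> intermediate -> leaf chain with openssl (assumed installed) under made-up names, then verifies the leaf exactly as a browser would, once with and once without the intermediate.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "unknown certificate
# authority" failure a server causes when it sends only its own certificate
# and omits the intermediate CA, using a constructed root -> intermediate
# -> leaf chain (all names are made up; nothing here touches the network).
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extensions marking a certificate as a CA (used for root and intermediate).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
# Extensions for the end-entity (server) certificate.
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext

# Root CA, self-signed: plays the part of the CA already shipped in the browser.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Example Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 2 \
    -extfile ca.ext 2>/dev/null

# Intermediate CA, signed by the root: the certificate the server must also send.
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -out int.crt -days 2 -extfile ca.ext 2>/dev/null

# Server (leaf) certificate, signed by the intermediate rather than the root.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=www.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -out leaf.crt -days 2 -extfile leaf.ext 2>/dev/null

# Server sends only leaf.crt: the root is trusted but nothing links the leaf
# to it, so the client reports an unknown issuer (non-zero exit status).
verify_without_intermediate() {
    openssl verify -CAfile root.crt leaf.crt >/dev/null 2>&1
}

# Server sends leaf.crt plus int.crt: the intermediate is not trusted on its
# own (-untrusted) but completes the chain up to the trusted root.
verify_with_intermediate() {
    openssl verify -CAfile root.crt -untrusted int.crt leaf.crt >/dev/null 2>&1
}

# Stand-alone run: show both outcomes.
verify_without_intermediate && echo "leaf alone: verifies" || echo "leaf alone: FAILS (missing intermediate)"
verify_with_intermediate && echo "leaf + intermediate: verifies" || echo "leaf + intermediate: FAILS"
```

The fix on the server side is the same as Verisign's advice in the thread: configure the web server to send the intermediate certificate along with the site certificate, and the "leaf alone" case stops occurring.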
Peter Pearson wrote:
> On Mon, 9 Jul 2007 10:11:09 +0000 (UTC), tester wrote:
>> https://www.myctfs.com (a bank) gives me an "unknown
>> certificate authority" error. How serious a problem
>> is this? What should I tell the admin in order to get
>> the site fixed with as little argument as possible?
>> If you have access to a variety of OS+browsers, please
>> comment on which report a problem.
>
> At this web page:
> http://www.verisign.com/support/advisor … 40611.html
> Verisign explains the (new, as of April 2006) need for an
> "Intermediate CA Certificate", and explains how things will
> malfunction if said certificate is not installed on the
> server. I think this is the problem you report. I think
> www.myctfs.com is not providing the complete "trust chain"
> back to the Verisign Class 3 Public Primary Certification
> Authority that is (presumably) installed in your browser.
>
> So, most likely, www.myctfs.com has goofed up their certificate
> handling. But you can't be sure, can you?
Yes, I've experienced it as well. Usually, it is a misconfigured Apache server. Verisign addressed this problem as Peter stated, but it seems that many administrators either didn't bother to configure properly, or didn't know how. A few months later, it happened to me on my very own site ... took me a few days to figure out how to fix it.
On the other hand, I wouldn't take any chances ... the warning might be for another reason.
Rich