Aractus

Blog of Daniel Baxter, now secure! :)


The Commonwealth Bank loses its green bar!

UPDATE: Corrections made (01/04/2017).

Here’s a look at Australia’s “big four”… first in Firefox:

[Screenshot: banks-ff (the big four banks' sites in Firefox)]

And then in Chrome:

[Screenshot: banks-chrome (the big four banks' sites in Chrome)]

Notice anything? Where’s the green EV bar? Should you be concerned? Well, if you’re a CommBank customer, absolutely you should.

I have just sent a short email to Commbank informing them their website appears to be hacked. Appears to be – it isn’t, but without the green EV bar that’s exactly what customers should assume has happened. That bar is what visibly separates a genuine banking website from a fraudulent one: anyone can get a domain-validated certificate, even me! Furthermore – they’re free! But there’s a big difference: I’m not asking you to enter your credit card number or other sensitive information into my site – at most you might enter a comment with your name or pseudonym and email address in it.
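Since the whole post turns on telling a domain-validated certificate from an EV one, and on finding out who issued it, here is an added example (a shell script, not code from the original post) that does both with the openssl command line: it prints the issuer and looks for the CA/Browser Forum EV policy OID 2.23.140.1.1 in the certificatePolicies extension. The two certificates it inspects are constructed on the spot as self-signed throwaways, one of them with the EV OID stamped on it, which also makes the caveat visible: the OID by itself proves nothing. A browser shows the green bar only when the chain ends at a root it trusts for EV, so the OID check is only meaningful alongside chain validation. The script assumes OpenSSL 1.1.1 or newer (for `req -addext`) and a default openssl.cnf on the system.

```shell
#!/bin/sh
# Added example, not code from the original post: inspect a PEM certificate
# with the openssl CLI, print its issuer, and check whether it carries the
# CA/Browser Forum EV policy OID (2.23.140.1.1) in its certificatePolicies
# extension. Assumes OpenSSL 1.1.1 or newer (needed for `req -addext`).

EV_OID="2.23.140.1.1"

# Issuer DN of a PEM certificate file, as printed by openssl.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

# Policy OIDs from the certificatePolicies extension, one per line
# (parsed from the human-readable -text dump, which every openssl has).
cert_policy_oids() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^[[:space:]]*Policy: \([0-9.][0-9.]*\).*/\1/p'
}

# Exit status 0 if the EV policy OID is present, 1 otherwise.
# Presence of the OID is necessary for EV, not sufficient: the chain must
# also end at a root the browser trusts for EV.
cert_is_ev() {
    cert_policy_oids "$1" | grep -qx "$EV_OID"
}

# Human-readable summary for one certificate.
report() {
    echo "Issuer: $(cert_issuer "$1")"
    if cert_is_ev "$1"; then
        echo "certificatePolicies contains $EV_OID (EV policy OID)"
    else
        echo "no EV policy OID: at best DV/OV"
    fi
}

# Two constructed self-signed certificates for the demo: a plain one, and
# one that merely *claims* the EV policy OID. No browser trusts either.
make_demo_certs() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/dv.key" -out "$dir/dv.pem" \
        -subj "/CN=example.test" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ev.key" -out "$dir/ev.pem" \
        -subj "/C=AU/O=Example Bank Ltd/CN=example.test" \
        -addext "certificatePolicies=$EV_OID" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
for pem in "$demo_dir/dv.pem" "$demo_dir/ev.pem"; do
    echo "== $pem"
    report "$pem"
done
```

To run the same check against a live site, save its leaf certificate first with `openssl s_client -connect HOST:443 -servername HOST </dev/null | openssl x509 -outform PEM > leaf.pem` (replace HOST with the bank's hostname) and then call `report leaf.pem`; the issuer line is the information the post complains Chrome makes hard to reach from the padlock.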

So what has happened? Well, to put it delicately, Symantec has made a huge fuck-up. They were found to have mis-issued over thirty thousand SSL certificates, and as a result punitive action has been taken by Google. The first phase of that action is to no longer recognise EV status for certificates issued by Symantec. Google then proposes to progressively distrust all currently trusted Symantec-issued certificates over a series of Chrome releases, and to accept newly issued Symantec certificates only if they are valid for nine months or less.

Update: It turns out that the previous paragraph was incorrect: the missing bar was an entirely unrelated bug in Chrome. It’s easy for us laypeople to confuse security issues, especially as this happened at the same time as Google announced its plan to stop recognising Symantec’s EV status. Anyway, this makes the remainder of this post no longer relevant.

The thing that makes me unhappy is that I don’t think they have gone far enough. This is the same shit that happened with WoSign (see here), and yet the rubbish certificates from their corrupt CA are still trusted!! Can you believe it? One third of HTTPS websites use Symantec SSL certificates. Given the impact and implication of this, I cannot understand why Google and Mozilla don’t distrust the authority outright, effective from 2013 when the problem was first discovered. I mean, call me fucking cynical, but why are they only now taking punitive action, FOUR goddamned years later? I mean, in 2015 they made a goddamned counterfeit EV SSL certificate for GOOGLE.COM – that act alone should have got them booted from ever issuing another trusted certificate again. Who the fuck knows what they could have done in the one day they had that certificate – was it operated by the CIA for a covert operation, perhaps?

Symantec and WoSign both need to be distrusted permanently. If this were any other security industry there would be no second chances. And by the way, shame on Google for not making it easy for users to see who the certificate issuer is when we click on the green padlock. And Mozilla – step up your fucking game and tear these rogue CAs a new one.

 
