FNB cert problem?

The fnb.co.za cert uses Entrust's L1K cert - 26/2014-27/2014

Screen Shot 2021-10-13 at 12.06.05 PM.png


The working www.fnb.co.za uses a different chain cert.
Interestingly, the www cert has additional SANs in the list, e.g. fnbci.co.uk

Screen Shot 2021-10-13 at 12.07.36 PM.png


If we check the FNB cert itself (for fnb.co.za) - we can see certificate transparency is No, so that fails CT policy (described here - https://support.apple.com/en-us/HT205280 ). So we can definitely conclude it's an SCT issue, as I suspected.

Banks - you'd think they had their **** together with regards to security... sheesh, embarrassing.

Screen Shot 2021-10-13 at 12.11.54 PM.png

Compare to the www.fnb.co.za cert - Screen Shot 2021-10-13 at 12.17.26 PM.png
 
Before anyone goes "it's an Apple thing": it's not.
CT compliance is an industry-wide compliance requirement.

Eg - Chrome


Simply astounding that a major bank can mess this up. Is their dev/testing department asleep?

Certs are one of those issues that sneak up on you from nowhere if you don't specifically make a point of monitoring it and even then if your communication between departments isn't perfect they sometimes still sneak through. We wrote a lambda that crawls our cloud services looking for domains with SSL and verifies their certs and alerts if it finds any that are about to expire. Having humans do that was not as reliable for us.
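The two checks this thread turns on, "does the cert expire soon" and "does it carry embedded SCTs", can be automated together in a few dozen lines of stdlib Python. The script below is an added example, not code from the thread or from any of the posters' lambdas; it walks the certificate's DER directly (no third-party ASN.1 library), so it assumes the standard X.509 v3 field order (version, serial, signature algorithm, issuer, validity, subject, SPKI, then the [3] extensions block) and reads the notAfter field and the list of extension OIDs from that. The sample certificate it tests against is a constructed, unsigned skeleton built by the `build_sample_cert` helper, which is not a real certificate; `fetch_der` is the only part that touches the network and is not run by the tests.

```python
"""Stdlib-only certificate checks: days until expiry and presence of the
embedded SCT list extension (RFC 6962 section 3.3). Added example; the DER
walk is positional and the sample certificate is constructed, not real."""
import socket
import ssl
from datetime import datetime, timezone

SCT_OID = "1.3.6.1.4.1.11129.2.4.2"  # embedded SCT list (RFC 6962)


def der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: next (length & 0x7F) bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed DER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    """Turn DER OID contents into dotted notation (base-128 sub-identifiers)."""
    parts, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))


def inspect_der(cert_der):
    """Return (not_after as aware datetime, list of extension OIDs)."""
    _, cert, _ = der_tlv(cert_der, 0)
    fields = der_children(der_children(cert)[0][1])  # TBSCertificate fields
    if fields[0][0] == 0xA0:  # optional explicit [0] version; drop it
        fields = fields[1:]
    tag, raw = der_children(fields[3][1])[1]  # validity -> notAfter
    # UTCTime (0x17) is YYMMDDHHMMSSZ, GeneralizedTime (0x18) YYYYMMDDHHMMSSZ
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    not_after = datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)
    oids = []
    for tag, val in fields:
        if tag == 0xA3:  # [3] EXPLICIT Extensions, wrapping a SEQUENCE OF Extension
            for _, ext in der_children(der_children(val)[0][1]):
                oids.append(decode_oid(der_children(ext)[0][1]))
    return not_after, oids


def check_cert(cert_der, now, warn_days=30):
    """The monitoring decision: flag near-expiry and a missing embedded SCT list."""
    not_after, oids = inspect_der(cert_der)
    days_left = (not_after - now).days
    has_sct = SCT_OID in oids
    problems = []
    if days_left < warn_days:
        problems.append(f"expires in {days_left} days")
    if not has_sct:
        # SCTs can also arrive via TLS extension or stapled OCSP, so this is
        # a flag to investigate rather than proof of a CT policy failure.
        problems.append("no embedded SCT extension")
    return {"not_after": not_after, "days_left": days_left,
            "has_sct": has_sct, "problems": problems}


def fetch_der(host, port=443):
    """Live path (not exercised offline): grab the leaf certificate in DER form."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# --- constructed sample certificate for offline use (not a real cert) -------
def _tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _oid(dotted):
    p = list(map(int, dotted.split(".")))
    out = bytearray([40 * p[0] + p[1]])
    for v in p[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_sample_cert(not_after, with_sct):
    """Unsigned X.509 skeleton with empty names; only validity and extensions matter."""
    utc = _tlv(0x17, not_after.strftime("%y%m%d%H%M%SZ").encode())
    exts = [_tlv(0x30, _oid("2.5.29.17") + _tlv(0x04, b""))]  # SAN placeholder
    if with_sct:
        exts.append(_tlv(0x30, _oid(SCT_OID) + _tlv(0x04, b"")))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"")
           + _tlv(0x30, b"") + _tlv(0x30, utc + utc) + _tlv(0x30, b"") + _tlv(0x30, b"")
           + _tlv(0xA3, _tlv(0x30, b"".join(exts))))
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


SAMPLE_NOW = datetime(2021, 10, 13, 12, 0, tzinfo=timezone.utc)        # constructed
SAMPLE_NOT_AFTER = datetime(2021, 10, 30, 12, 0, tzinfo=timezone.utc)  # constructed


def demo():
    """Run both checks on a cert without SCTs and one with them."""
    without = check_cert(build_sample_cert(SAMPLE_NOT_AFTER, False), SAMPLE_NOW)
    with_ = check_cert(build_sample_cert(SAMPLE_NOT_AFTER, True), SAMPLE_NOW, warn_days=10)
    return {"without_sct": without, "with_sct": with_}


if __name__ == "__main__":
    print(demo())  # swap in check_cert(fetch_der("example.com"), datetime.now(timezone.utc)) for a live host
```

Pointed at a list of hostnames on a schedule (cron or the lambda described above), `check_cert` gives a small, diffable record per host; alerting on a non-empty `problems` list catches both the expiry case and the missing-SCT case without a human opening a certificate viewer.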
Sure, you want to automate as much as you can.
I'm quite happy I don't need to deal with shitty certs that often - only one manually this year.
Letsencrypt has removed a lot of pain points for that in my life.

We are also a Letsencrypt fan but even they fail. For instance we recently had a client block NTP ports on an on premise edge node and the time drifted enough for Letsencrypt to refuse renewal. We have redundant failover so there wouldn't have been downtime but detecting an issue early saved us money and scrambling to rectify the issue.
USB GPS + GPSD for the win?
 
FNB's "muppets" (and I mean that in a loving way) have pushed another cert which fixes the issue (or, I suspect, rolled back to the older cert, as this "new" one expires in circa 17 days)

1634193119875.png
 