Online Banking Security - certificates

v3gout

Well-Known Member
Joined
Mar 30, 2005
Messages
370
After watching a video course about extended validation certificates, I did a quick poll of local banking sites. If I understand it correctly, Chrome will show a green padlock and the registered name of the institution next to the HTTPS URL if an extended validation certificate is in use; it will show a green padlock and 'Secure' if a (less strict) domain validation certificate is in use. FNB, ABSA and Nedbank use an extended validation certificate for their landing pages and online banking; Capitec uses an extended validation certificate for their online banking login; but Standard Bank just uses a domain certificate. How much of a risk is this to Standard Bank customers?

PsyWulf

Honorary Master
Joined
Nov 22, 2006
Messages
13,007
Well. Just means the CA hasn't vetted SB as much as the others have been.

So theoretically you could, upon expiry, try to scoop the cert up before they renew with a less scrupulous CA, do a DNS poisoning and claim the site.

Well, that and a few more technical steps.

Few people know the difference on the locks

infscrtyrisk

Expert Member
Joined
Nov 22, 2014
Messages
1,296
  • Domain Validation
    Domain validated (DV) certificates are issued based on proof of control over a domain name. In most cases, that means sending a confirmation email to one of the approved email addresses. If the recipient approves (i.e., follows the link in the email), then the certificate is issued. If confirmation via email is not possible, then any other means of communication (e.g., phone or snail mail) and practical demonstration of control are allowed. A similar procedure is followed when issuing certificates for IP addresses.
  • Organization validation
    Organization validated (OV) certificates require identity and authenticity verification. It wasn’t until Baseline Requirements were adopted that the procedures for OV certificates were standardized. As a result, there was (and still is) a lot of inconsistency in how OV certificates were issued and how the relevant information was encoded in the certificate.
  • Extended validation
    Extended validation (EV) certificates also require identity and authenticity verification, but with very strict requirements. They were introduced to address the lack of consistency in OV certificates, so it’s no surprise that the validation procedures are extensively documented, leaving little room for inconsistencies.
Issuance of DV certificates is fully automated and can be very quick. The duration depends largely on how fast the confirmation email is answered. On the other end of the spectrum, it can take days or even weeks to obtain an EV certificate.

-- Ivan Ristić. Bulletproof SSL and TLS (Kindle Locations 1797-1809). Feisty Duck Limited.

The lack of extensive validation means that there is a risk that someone, with very little effort, could impersonate the site. Having said that, EV is not a panacea (there are many documented cases of CAs not performing validation correctly, the most recent one was StartEncrypt) and there are many other risks besides this one. I am fairly sure that they have taken some good technical countermeasures (such as certificate pinning in apps) and being a financial institution, they can also afford the services of organisations such as Cyota (now RSA).
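As an added example (not from the thread or from any bank), the difference between DV, OV and EV certificates described above can be read straight off the subject name: a DV cert carries only a commonName, an OV cert adds organizationName, and an EV cert additionally carries the businessCategory, serialNumber and jurisdictionCountryName fields the EV Guidelines require. The script below classifies a certificate in the dict shape Python's `ssl` module returns from `getpeercert()`; the sample subjects are constructed, the hostnames are placeholders, and `fetch_cert` only needs a live connection when you point it at a real site.

```python
"""Classify a TLS certificate as DV / OV / EV from its subject DN."""
import socket
import ssl
import sys

# Subject attributes the EV Guidelines mandate. This is a heuristic: the
# authoritative EV check is the EV policy OID in certificatePolicies matched
# against the browser's root store, which ssl.getpeercert() does not expose.
EV_REQUIRED = {"businessCategory", "serialNumber", "jurisdictionCountryName"}


def subject_attrs(cert):
    """Flatten getpeercert()'s subject (tuple of RDNs) into a {name: value} dict."""
    attrs = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            attrs.setdefault(name, value)
    return attrs


def classify(cert):
    """Return 'DV', 'OV' or 'EV' based on which subject fields are present."""
    attrs = subject_attrs(cert)
    if "organizationName" not in attrs:
        return "DV"  # no vetted identity at all, only domain control
    if EV_REQUIRED.issubset(attrs):
        return "EV"
    return "OV"


def fetch_cert(host, port=443):
    """Fetch and validate a live server certificate (network access needed)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (placeholder names, not real issuers or banks).
DV_SAMPLE = {"subject": ((("commonName", "www.example.com"),),)}
EV_SAMPLE = {"subject": ((("businessCategory", "Private Organization"),),
                         (("jurisdictionCountryName", "ZA"),),
                         (("serialNumber", "0000/000000/00"),),
                         (("countryName", "ZA"),),
                         (("organizationName", "Example Bank Ltd"),),
                         (("commonName", "www.bank.example"),))}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python ev_check.py www.bank.example
        print(sys.argv[1], classify(fetch_cert(sys.argv[1])))
    else:
        print("constructed DV sample:", classify(DV_SAMPLE))
        print("constructed EV sample:", classify(EV_SAMPLE))
```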