I wish I understood SSL Certificates better when they ask

Discussion in 'Linux Networking' started by Werner Obermeier, Jun 13, 2015.

  1. I wish I understood SSL Certificates better when they ask
    me to accept a certificate from my bank.


    How do I make this decision?

    Just now, I logged into my Bofa account from my home using
    the same browser and computer and IP address that I normally

    Bofa allowed me to log in, but, when I hit one of the billpay
    options, it asked me to download that SSL certificate because
    the previous certificate expired a few days ago.

    You'd think that a big bank would fix this in 3 days.
    Also, I'm using my normal browser & IP address.
    And, the domain appears to be a valid domain.

    How do I decide if I should accept this certificate?

    PS: I obfuscated the URL just in case it was specific to my
    BofA account. Did I need to do that or does the URL not matter?
    Werner Obermeier, Jun 13, 2015
    1. Advertisements

  2. Werner Obermeier

    Bit Twister Guest

    I wish you knew how to cross post. :-(

    Had not somebody not replied to you post I never would have seen it.
    Linux question and any Windows news group means the post is not seen
    by me.
    Well, at least you know any malware in your setup is the same.
    I would abort.
    You would think the customer's would call and ask about the certificate.
    Did you call the security department. I would.

    I used to use BOA. One day I clicked View Source and saw the web page
    calling an external third party ad server. Next day drove over to the bank and
    closed my account. That was when criminals were cracking into ad
    servers fairly often.
    Which tells us the problem can be on your side just as easily on theirs.
    Call the bank security phone number.
    Usually all we would need is up to the first / after .com. So,

    $ nslookup sso-fi.bankofamarica.com

    Non-authoritative answer:
    Name: sso-fi.bankofamarica.com

    $ whois


    OrgName: Limestone Networks, Inc.
    OrgId: LIMES-2
    Address: 400 S. Akard Street
    Address: Suite 200
    City: Dallas
    StateProv: TX
    PostalCode: 75202
    Country: US
    RegDate: 2007-12-04


    Off hand, does not look good enough for me. So,

    $ whois bankofamarica.com

    Registrar: ENOM, INC.
    Sponsoring Registrar IANA ID: 48
    Whois Server: whois.enom.com
    Referral URL: http://www.enom.com
    Name Server: NS1.HASTYDNS.COM
    Name Server: NS2.HASTYDNS.COM
    Registry Registrant ID:
    Registrant Name: WHOIS AGENT
    Registrant Street: PO BOX 639
    Registrant Street: C/O BANKOFAMARICA.COM
    Registrant City: KIRKLAND
    Registrant State/Province: WA
    Registrant Postal Code: 98083
    Registrant Country: US
    Registrant Phone: +1.4252740657
    Registrant Phone Ext: 901
    Registrant Fax: +1.4259744730

    Yeah, that looks a bit better. Again, I would call the banks's
    security team.

    Couple of places where the problem is on your system could be the
    router, your dns resolver, in memory malware, malware installed on the
    system or the browser's dns cache/bookmarks or you mistype the BOA url.

    My bank suggests you always exit the browser before attempting to log
    into the web site. That way the browser's dns cache will not have
    poisoned by some infected web site you surfed before doing bank work.
    If some malware modified your browser bookmark for BOA, you are screwed.

    I hope your bank have a usage alarm feature. I have set alarms on my
    check/savings account to send me an email if more than ten cents is
    paid out. I have a hourly cron job checking my all email accounts for any

    If you were running Intrusion Detection Software, you would have a
    chance of knowing you have malware installed on the drive. Some examples:
    unhide, aide, osiris, ossec-hids, samhain, tripwire, snare, integrit, rkhunter

    Personally I use AIDE, Rkhunter, and unhide.

    The other two failure points are the router and your pc dns resolver.

    If you were to read http://www.catb.org/~esr/faqs/smart-questions.html
    you might notice that you should provide some information about your setup.

    You know, hardware, OS, release, desktop, .....

    That information can help subject matter experts provide you with
    exact commands and information on where/what to look for to solve your

    In my stupid opinion, you need to know that your PC has the correct
    dns servers set, and if the router has the correct dns servers set by
    your ISP.

    My effort to avoid the dns/memory/cache/typing problems involve separate
    linux accounts for surfing, bank, credit card.

    When I log into my linux bank account, it verifies the ip addresses
    that I know my bank uses. It then launches "firefox index.html".
    That page has bank contact information and links to the bank's web
    page and the bank's login url.

    That keeps me from mis-typing any url and having a poisoned cache.
    When I log out of the linux account, it deletes everything and tars in
    a pristine copy of everything.

    To bypass getting invalid dns servers from my ISP on the pc, and
    avoiding any router crack which uses the criminal's dns servers, I run
    my own dns server (named) on the PC.
    Bit Twister, Jun 13, 2015
    1. Advertisements

  3. I just tried and they fixed it (a few hours after I had reported it to them).

    What I don't get still, is what happened, or, more importantly, what
    *should* have happened when BofA updated its "certificates"?

    I presume the certificating authority hands them a new certificate.

    But, how does that just-today-updated certificate get back to my browser?
    Werner Obermeier, Jun 13, 2015
  4. You'll notice that the tabs in the screenshot are open to 3 tabs:

    1. online banking
    2. certificate services
    3. contacting Bank of America

    My first call got someone who said to just accept whatever the bank
    web site gives me. When I protested, they said to call the online
    banking instead of customer service.

    My second call went to online banking, who took down my information
    but said they had never heard of the problem before.

    My third call went to the supervisor of that person who, when I asked
    if they knew what SSL meant, said they did not (so I realized I was
    not going to get a straight answer from her on that call).

    At that point, I had posted my question to you.

    Luckily, I received a call back from the third person (the online
    banking support supervisor) who had checked with their third-party
    IT people who confirmed there was some kind of unspecified problem
    that they were working on.

    Hours later, they fixed it (I just logged in).

    I'm not sure what happened though, as I briefly saw a URL for something
    like sso.bankofamerica.com (or something like that) and then it just
    went to online banking (without asking me any questions).

    So, what was that brief intermediary URL doing?
    Werner Obermeier, Jun 13, 2015
  5. I'm not sure what I did wrong, as I "think" I know how to
    crosspost. I just didn't set any followup newsgroup.

    Is that what you mean by not knowing how to crosspost?
    Did you want me to set a followup newsgroup?
    I did abort.

    But I don't understand why it took the bank 3 days to realize
    their certificate expired, and, more to my point, how the *new*
    updated certificate is supposed to get into my browser.
    After my third call to BofA to no avail, I had posted the question here.
    (See details in my prior post.)
    You have a typo there.
    It's "america" (not amarica).

    $ nslookup sso-fi.bankofamarica.com

    Non-authoritative answer:
    Name: sso-fi.bankofamarica.com

    $ ^amarica^america
    nslookup sso-fi.bankofamerica.com

    Non-authoritative answer:
    sso-fi.bankofamerica.com canonical name = saml-bac.onefiserv.com.
    saml-bac.onefiserv.com canonical name = saml-bac.gslb.onefiserv.com.
    Name: saml-bac.gslb.onefiserv.com
    Again, it's "america" (not amarica).

    $ whois bankofamerica.com
    I was already logged into the BofA account, so, it couldn't have been
    a typo on my part. It failed when I hit the billpay button.

    In the end, their certificate had expired. But, what I don't understand
    is how I'm supposed to know what to do based on the information presented
    to me of the certificate having expired 3 days ago.

    Also, how does the *new* certificate get to me?

    I didn't explicitly load it (but I did see something briefly happening
    in the background when I successfully logged in a few minutes ago).

    What happened in the background?
    Did BofA somehow transfer the new certificate to me under the covers?
    My browser is set to dump everything upon each invocation, so, the
    chances of that being the problem is slim (but it's a good suggestion).
    $ unhide
    The program 'unhide' is currently not installed.
    You can install it by typing:
    sudo apt-get install unhide

    $ aide
    The program 'aide' can be found in the following packages:
    * aide
    * aide-dynamic
    * aide-xen
    Try: sudo apt-get install <selected package>

    $ rkkhunter
    No command 'rkkhunter' found, did you mean:
    Command 'rkhunter' from package 'rkhunter' (universe)
    rkkhunter: command not found

    I'll look them up and decide if I want to install them.
    Thank you for the suggestions.
    I don't see how the router is involved other than it has the DNS setup.

    Both my primary and secondary DNS servers are typical:
    Primary DNS server =
    Secondary DNS server =

    I'm not sure how to test that this is truly the case though, but,
    that's what I had set up in my home broadband router long ago.
    Werner Obermeier, Jun 13, 2015
  6. The web server sends it to your browser as part of the connection setup.
    Richard Kettlewell, Jun 13, 2015
  7. Am 13.06.2015 um 07:13 schrieb Werner Obermeier:
    By your browser, of course. It again checks the certificate against the
    chain of trust, i.e. it checks who issued the certificate, and validates
    that this is certified against one of the root certificates that are
    installed on your Os or browser. So for example, if our university sets
    up a new web server, we obtain a new certificate from the DFN (German
    Research network) which is again certified against the Telekom (German
    phone company), and the Telekom root cert comes with the Mozilla
    browser. So the browser trusts our cert because it can check that it
    comes from the DFN, and Telekom trusts the DFN, and the browser trusts
    Telekom because that's a cert that came with the browser.

    For that to work, of course, the DFN has to enforce certain policies
    when handing out certs, namely that they know who is the issuer and can
    validate the correctness, and the Telekom has to enforce certain
    policies to enforce that the DFN only hands out their certs under proper

    Unfortunately, some certificate authorities did not enforce policies
    correctly and handed out certs for URLs like www.google.com, allowing to
    sign traffic as if it would come from google, for example. Such root
    certs are then blacklisted and removed from browsers.

    Thomas Richter, Jun 13, 2015
  8. On 2015-06-13 05:13 +0000, Werner Obermeier wrote:

    Werner> But, how does that just-today-updated certificate get back to my
    Werner> browser?

    The browser doesn't contain a copy of every site's certificate. If it
    did, it would be impossible to browse random https:// URLs without
    endless warnings.

    Instead, the browser (or more likely the SSL library it is linked with)
    checks that the certificate presented by the site is signed by the CA.
    In the simplest case, where the signing CA is a root CA, the CA
    certificate _is_ stored locally. There are only a few dozens of those,
    and they are typically distributed together with the browser software.

    A more complex case is when the signing CA is an intermediate CA. I
    won't pretend I understand this situation completely, but I think in
    this case the site must send the entire chain of signing CA certificates
    up to the root, and the browser checks the validity of signatures in
    each step of the chain.

    Ian Zimmerman, Jun 13, 2015
  9. Thanks for that tip.

    That site gave a quick overview, which cleared up some things, but,
    it still didn't even mention HOW my browser knows to trust that a
    particular CA signed the BofA certificate.

    How does "my" browser know to trust any particular signing authority?
    Werner Obermeier, Jun 14, 2015
  10. I guess the part that eludes me is how these root certificates *get* on
    my system.

    Did "I" put the "root certificates" there? (somehow?)
    Did the operating system ISO put them there?
    Did the browser installation pout them there?

    How would I find them on my system?
    And, how do I make sure nobody messes with them without me knowing it?
    Werner Obermeier, Jun 14, 2015
  11. I think the entire concept of the "root" certificate is what eludes me.

    Let's assume the BofA gave me a new certificate yesterday.
    How did my browser validate with a "root" certificate that this was legit?
    Werner Obermeier, Jun 14, 2015
  12. The distribution provides a list of trusted root certificates, usually
    based on what mozilla considers trusted. In Mageia linux, the package
    is called rootcerts.

    The files are in subdirectories of /etc/ssl and /etc/pki.

    The website provides all certificates in the signing chain, except for
    the root certificate.

    Additional root certificates can be installed in the user's configuration
    directory for a particular browser.

    Regards, Dave Hodgins
    David W. Hodgins, Jun 14, 2015
  13. Yes. Browsers come with a list of high level signing authorities that
    are supposed to be trusted.
    William Unruh, Jun 14, 2015
  14. I seem to have the following files:

    -rw-r--r-- 1 root root 10835 Jul 15 2013 openssl.cnf
    /etc/ssl/certs/{tons of "verisign" files}
    /etc/ssl/private/ssl-cert-snakeoil.key (only this one file)

    -rw-r--r-- 1 root root 9216 Feb 19 05:33 cert9.db
    -rw-r--r-- 1 root root 11264 Feb 19 05:33 key4.db
    -rw-r--r-- 1 root root 449 Feb 19 05:33 pkcs11.txt
    -rw-r--r-- 1 root root 16384 Feb 19 05:33 secmod.db

    Does that give you any insight into what I have?
    Werner Obermeier, Jun 14, 2015
  15. Are their root certificates stored in the browser installation directory
    or in the root hierarchy?
    Werner Obermeier, Jun 14, 2015
  16. Either in the /etc files, or in the browser config files. For example,
    on my system, firefox uses
    for root certificates I've approved, that are not in the /etc directories.

    The kh7grkug is a random string generated the first time firefox is
    run, so it will be different on your system.

    Regards, Dave Hodgins
    David W. Hodgins, Jun 14, 2015
  17. That's pretty much the same as what I have. If you get a certificate that
    fails to verify, check to see if it's only because of the it having
    expired. If that is the case, don't worry about it, though it would be
    a good idea to notify the web site maintainer. It's easy to forget to
    renew a certificate.

    Regards, Dave Hodgins
    David W. Hodgins, Jun 14, 2015
  18. In chrome look at chrome://settings/certificates to see what chrome sees
    as the authorities.
    William Unruh, Jun 14, 2015
  19. Apparently, in 2015, the US government advised uninstalling that software
    that came bundled with Lenovo products because of a root certificate
    security issue.

    "The installation included a universal self-signed certificate authority;
    the certificate authority allows a man-in-the-middle attack to introduce
    ads even on encrypted pages. The certificate authority had the same
    private key across laptops; this allows third-party eavesdroppers to
    intercept or modify HTTPS secure communications without triggering
    browser warnings by either extracting the private key or using a self-
    signed certificate.[4][7][19][20] On February 20, 2015, Microsoft
    released an update for Windows Defender which removes Superfish"
    Werner Obermeier, Jun 14, 2015
  20. I wasn't sure, after reading that article alone, how you were supposed
    to *know* if you had that software installed though.

    There were no tell-tale signature files to look for listed.
    Werner Obermeier, Jun 14, 2015
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.