Closed Bug 398210 Opened 15 years ago Closed 15 years ago

onlineid.bankofamerica.com sending incomplete SSL certificate chain

Categories

(Tech Evangelism Graveyard :: Other, defect)

x86
Windows XP
defect
Not set
normal


RESOLVED WORKSFORME

People

(Reporter: nelson, Unassigned)


The SSL server certificate for https://onlineid.bankofamerica.com/ was
replaced (renewed) in August 2007.  The new certificate is issued by an
intermediate Verisign CA, but as of this writing, the server is not sending 
out the intermediate CA certificate.  The server is sending only its own 
server cert, not a complete certificate chain.  Consequently, when users of 
any browser except IE visit that web site, they get a bad certificate dialog, 
due to the incomplete certificate chain.  IE users typically do not have this 
problem because IE saves a copy of all valid intermediate CA certificates 
that it encounters, and so is able to supply the missing intermediate CA 
certificate.

According to the representative of the bank's Certificate Administration
department in Dallas, with whom I spoke today, the bank is aware of the 
issue.  The position stated to me included these points:

- the site works with MS IE
- the bank recommends that its users use only MS IE with their site
- the proposed solution for users of other browsers is for those users 
  to install the missing intermediate CA certificate in their browsers,
  so that they work like IE.

A member of the customer service department informed me that the onlineid
server has been superseded by 
    https://sitekey.bankofamerica.com/sas/signonScreen.do
That new server sends out a complete cert chain and does not exhibit the 
problem.  So apparently the workaround, perhaps the solution, is for users 
to change their bookmarks to go to that new URL instead of the older 
onlineid site.

If the bank's attitude is "Use IE" at this point in time, after all the ridiculous 
vulnerabilities IE has been shown to have, I'm not sure there's a whole lot we can 
do to change it, but I also don't think this is a very serious problem since there's 
a workaround and the problematic server might, at some point, be going away.

I think there are probably better ways to use our exceedingly limited TE resources 
than to worry too much about this bug.

I don't know enough to say, but would updating the "root certificates" have any 
bearing on this issue, or is it simply a misconfiguration on BoA's end, that would 
have to wait for them to resolve?

"Microsoft root certificate program members (July 2007)"
http://support.microsoft.com/kb/931125

For years, Verisign issued SSL server certificates whose issuer certificate
was a root CA certificate that was already in all browsers.  So, there was 
no need for any SSL server administrators who used Verisign SSL server 
certificates to ever install anything more than their server's certificate.

But a year or two ago (IIRC), Verisign stopped issuing SSL server certs that
were issued by that old root CA, and started issuing their SSL server certs
from an intermediate CA, whose own cert was issued by a root CA that is found
in all browsers.  That change made it necessary for server admins to install
both their new server cert AND ALSO the intermediate CA certificate in their
servers, so that their servers would send out complete certificate chains 
that chain up to a root cert in the browser, as the SSL and TLS specifications
require.  

One can get the missing Intermediate CA certificate from this URL:

<http://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html>

One may read more about this problem and Verisign's advice on how to
handle it at these Verisign URLs:

<http://www.verisign.com/support/advisories/page_029264.html>
<http://www.verisign.com/support/advisories/page_040601.html>
<http://www.verisign.com/support/advisories/page_040611.html>

This now appears to be resolved.
No longer does the certificate warning message pop up.

-------

Updating the "root certificates" did not have any effect.

I was going to try what was mentioned here, 
https://bugzilla.mozilla.org/show_bug.cgi?id=327181#c116 to see if that would 
have worked, but alas, the chance did not present itself.

I agree.  This is now WORKSFORME.

To "Therube", here is another site you can use to try the new web site 
exception feature.  https://www.biglumber.com/x/web?mp=1

Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
Product: Tech Evangelism → Tech Evangelism Graveyard