Went to https://www.prepaid.citi.com/ this morning and Firefox wouldn't let me in, complaining of an invalid cert. The cert (below) seems reasonable; issued by a new "Symantec Class 3 Extended Validation SHA256 SSL CA" which isn't in our trust database.

-----BEGIN CERTIFICATE-----
MIIHIDCCBgigAwIBAgIQff1CntnqD/VnBi9JKm3kPjANBgkqhkiG9w0BAQsFADCB
ijELMAkGA1UEBhMCVVMxHTAbBgNVBAoTFFN5bWFudGVjIENvcnBvcmF0aW9uMR8w
HQYDVQQLExZTeW1hbnRlYyBUcnVzdCBOZXR3b3JrMTswOQYDVQQDEzJTeW1hbnRl
YyBDbGFzcyAzIEV4dGVuZGVkIFZhbGlkYXRpb24gU0hBMjU2IFNTTCBDQTAeFw0x
NjAyMDkwMDAwMDBaFw0xODAyMDkyMzU5NTlaMIIBFjATMBEGCysGAQQBgjc8AgED
EwJVUzEZMBcGCysGAQQBgjc8AgECDAhEZWxhd2FyZTEdMBsGA1UEDxMUUHJpdmF0
ZSBPcmdhbml6YXRpb24xEDAOBgNVBAUTBzIxNTQyNTQxCzAJBgNVBAYTAlVTMQ4w
DAYDVQQRDAUxMDA0MzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZ
b3JrMRgwFgYDVQQJDA8zOTkgUGFyayBBdmVudWUxFzAVBgNVBAoMDkNpdGlncm91
cCBJbmMuMR4wHAYDVQQLDBVDaXRpIFByZXBhaWQgU2VydmljZXMxHTAbBgNVBAMM
FHd3dy5wcmVwYWlkLmNpdGkuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAjUNY4vbnen1n4QtHEE/oSIjKMOM8mi6o3xpdJOpQ+1T084MAx2lX1+JN
ONfVE5U9UUt7VF8j/CD2+j1Al2pRPofApziOUe2dcb0f0U+dVbrVJ3Tmbl6iIN5R
HSvx0HtYHyjU4OZVbULnKOMCY2YX2VEVV9G/tXJ8F5aW1lpPBgKmhLuiegrMb52O
PIajz4XU0igdFm7KD6ZDagJfHLaJN/i9/pIYxy1Z9+QBBD1d4MLnzk6TEN1Utedu
TE9bzIn6JPjjYGHqgBVU5TBe4yZGud3tNG7JAbF273WCLhNn/pIUwcfAkkks9D07
5/QfMT0sf9OnlC7/qm3zRYs8+pg9wQIDAQABo4IC8TCCAu0wHwYDVR0RBBgwFoIU
d3d3LnByZXBhaWQuY2l0aS5jb20wCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCBaAw
HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGYGA1UdIARfMF0wWwYLYIZI
AYb4RQEHFwYwTDAjBggrBgEFBQcCARYXaHR0cHM6Ly9kLnN5bWNiLmNvbS9jcHMw
JQYIKwYBBQUHAgIwGRoXaHR0cHM6Ly9kLnN5bWNiLmNvbS9ycGEwHwYDVR0jBBgw
FoAUsm3j5BQPjDxzQqZamRrTFHW2htswKwYDVR0fBCQwIjAgoB6gHIYaaHR0cDov
L3NoLnN5bWNiLmNvbS9zaC5jcmwwVwYIKwYBBQUHAQEESzBJMB8GCCsGAQUFBzAB
hhNodHRwOi8vc2guc3ltY2QuY29tMCYGCCsGAQUFBzAChhpodHRwOi8vc2guc3lt
Y2IuY29tL3NoLmNydDCCAX8GCisGAQQB1nkCBAIEggFvBIIBawFpAHYA3esdK3oN
T6Ygi4GtgWhwfi6OnQHVXIiNPRHEzbbsvswAAAFSxGVenQAABAMARzBFAiEAuk8k
WqyoF4Ljm20ERk8QLzfDcprvGArngkAoQ44eu1oCID3ahROz5GeA0CcEUAFCO+dm
ExFS2E4nOaoWLFevOsttAHYApLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN
3BAAAAFSxGVesAAABAMARzBFAiAunvpOpy5Ru+vu2GvBSJRLptJmi5L0lHm1Dbg1
QHKrVAIhAI9dsXHzRUPsKtOAdvBC+eCiXs5Ke5ucETHIFiW0ZVvyAHcAaPaY+B9k
gr46jO65KB1M/HFRXWeT1ETRCmesu09P+8QAAAFSxGVeygAABAMASDBGAiEAvRvX
iGzukMfgVpCYfhfG+GcSnCU2aiVd9zrPnI1K4fkCIQD2TDUMaNIAQwrNb9LYtuuL
G5946Jkxj7lG/A5xxGD//DANBgkqhkiG9w0BAQsFAAOCAQEAJriH3k5+CkPnZMZB
JITFkWf8ZaJwUgSFHhOeZbeK3syD2IRj6qA35yfSBnFm6HFcknF8rrb/DivDDS8z
Kz7H/L1mLI+KEau/IXxKy3l6ni5dHS9s48vrxdbBkWnSmSo/56oU4xlP4vgpQjKX
NStAdiPSYLYOSXh11IcY4bmpQXlLn4ceAHOkmmnzzYPLLA5Q/8X60En+779bPftg
cxYDJM7BdCJ98Ymj2u+kwRE9E85KcpXVJhP/qBtIk+U/PjVSXzLiaRxka2fXB2+K
BXdS/arw0rC0IEtkIBPRvz8OFjEKrro2qZKi3PHAwhMkprgxEhKrDfpoaCYCbY34
PVbfwQ==
-----END CERTIFICATE-----
subject=/jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private Organization/serialNumber=2154254/C=US/postalCode=10043/ST=New York/L=New York/street=399 Park Avenue/O=Citigroup Inc./OU=Citi Prepaid Services/CN=www.prepaid.citi.com
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Extended Validation SHA256 SSL CA
Interestingly, this new CA doesn't seem to be listed at https://www.symantec.com/page.jsp?id=roots or in the ZIP file downloadable there. But if it's a fake site, it's still fairly convincing... and besides, all it does (for me) is redirect to www.rfr.citiprepaid.com which *does* have a trusted cert.
(In reply to David Woodhouse from comment #0)
> Went to https://www.prepaid.citi.com/ this morning and Firefox wouldn't let
> me in, complaining of an invalid cert. The cert (below) seems reasonable;
> issued by a new "Symantec Class 3 Extended Validation SHA256 SSL CA" which
> isn't in our trust database.

Not a bug. That cert is an "intermediate CA", which the server is required to send in the TLS handshake. If it didn't, the server was configured incorrectly. We don't add intermediate CAs to the trust store.

Right now the server I tested appears to work correctly, but I'm guessing that site could use a load balancer and use multiple servers, and one of them might be configured incorrectly. Blame the company.

And it's unfortunate that the site apparently has requested to not be tested by ssllabs.com, see https://www.ssllabs.com/ssltest/analyze.html?d=www.prepaid.citi.com (which says "The owner of this site requested that we do not test it").

Certificate:
    Data:
        Serial Number:
            09:b7:49:fd:7f:0b:49:16:ca:05:56:56:cf:f6:d9:82
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=VeriSign Universal Root Certification Authority,OU="(c) 2008 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US"
        Validity:
            Not Before: Tue Apr 09 00:00:00 2013
            Not After : Sat Apr 08 23:59:59 2023
        Subject: "CN=Symantec Class 3 Extended Validation SHA256 SSL CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US"
    Fingerprint (SHA-256):
        1F:9B:31:F8:20:92:9E:BF:A0:31:17:EC:2B:77:BA:6B:0F:B6:EC:C9:E0:27:68:2A:55:93:78:DA:31:1C:54:EF
    Fingerprint (SHA1):
        CD:F4:28:A8:90:D3:74:8C:5D:28:ED:1F:4C:69:49:9A:3E:16:F1:33
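Added example (not part of this bug, and not NSS or Firefox code): a stdlib-only Python check for exactly the failure comment #1 describes. It parses the leaf certificate pasted in comment #0 with a minimal DER walker, reads the issuer name and the Authority Information Access extension, and then walks the chain "as sent by the server" to report the first issuer that was neither sent nor is a trusted root. The trusted root name used here is the one shown in comment #1 (VeriSign Universal Root Certification Authority); the chain-walk compares CNs only, which is an assumption that simplifies real path building (full DN and key-identifier matching). The caIssuers URL it extracts is where the missing intermediate can be downloaded.

```python
import base64

# Leaf certificate for www.prepaid.citi.com copied from comment #0 of this bug (not constructed).
LEAF_PEM = """-----BEGIN CERTIFICATE-----
MIIHIDCCBgigAwIBAgIQff1CntnqD/VnBi9JKm3kPjANBgkqhkiG9w0BAQsFADCB
ijELMAkGA1UEBhMCVVMxHTAbBgNVBAoTFFN5bWFudGVjIENvcnBvcmF0aW9uMR8w
HQYDVQQLExZTeW1hbnRlYyBUcnVzdCBOZXR3b3JrMTswOQYDVQQDEzJTeW1hbnRl
YyBDbGFzcyAzIEV4dGVuZGVkIFZhbGlkYXRpb24gU0hBMjU2IFNTTCBDQTAeFw0x
NjAyMDkwMDAwMDBaFw0xODAyMDkyMzU5NTlaMIIBFjATMBEGCysGAQQBgjc8AgED
EwJVUzEZMBcGCysGAQQBgjc8AgECDAhEZWxhd2FyZTEdMBsGA1UEDxMUUHJpdmF0
ZSBPcmdhbml6YXRpb24xEDAOBgNVBAUTBzIxNTQyNTQxCzAJBgNVBAYTAlVTMQ4w
DAYDVQQRDAUxMDA0MzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCE5ldyBZ
b3JrMRgwFgYDVQQJDA8zOTkgUGFyayBBdmVudWUxFzAVBgNVBAoMDkNpdGlncm91
cCBJbmMuMR4wHAYDVQQLDBVDaXRpIFByZXBhaWQgU2VydmljZXMxHTAbBgNVBAMM
FHd3dy5wcmVwYWlkLmNpdGkuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAjUNY4vbnen1n4QtHEE/oSIjKMOM8mi6o3xpdJOpQ+1T084MAx2lX1+JN
ONfVE5U9UUt7VF8j/CD2+j1Al2pRPofApziOUe2dcb0f0U+dVbrVJ3Tmbl6iIN5R
HSvx0HtYHyjU4OZVbULnKOMCY2YX2VEVV9G/tXJ8F5aW1lpPBgKmhLuiegrMb52O
PIajz4XU0igdFm7KD6ZDagJfHLaJN/i9/pIYxy1Z9+QBBD1d4MLnzk6TEN1Utedu
TE9bzIn6JPjjYGHqgBVU5TBe4yZGud3tNG7JAbF273WCLhNn/pIUwcfAkkks9D07
5/QfMT0sf9OnlC7/qm3zRYs8+pg9wQIDAQABo4IC8TCCAu0wHwYDVR0RBBgwFoIU
d3d3LnByZXBhaWQuY2l0aS5jb20wCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCBaAw
HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGYGA1UdIARfMF0wWwYLYIZI
AYb4RQEHFwYwTDAjBggrBgEFBQcCARYXaHR0cHM6Ly9kLnN5bWNiLmNvbS9jcHMw
JQYIKwYBBQUHAgIwGRoXaHR0cHM6Ly9kLnN5bWNiLmNvbS9ycGEwHwYDVR0jBBgw
FoAUsm3j5BQPjDxzQqZamRrTFHW2htswKwYDVR0fBCQwIjAgoB6gHIYaaHR0cDov
L3NoLnN5bWNiLmNvbS9zaC5jcmwwVwYIKwYBBQUHAQEESzBJMB8GCCsGAQUFBzAB
hhNodHRwOi8vc2guc3ltY2QuY29tMCYGCCsGAQUFBzAChhpodHRwOi8vc2guc3lt
Y2IuY29tL3NoLmNydDCCAX8GCisGAQQB1nkCBAIEggFvBIIBawFpAHYA3esdK3oN
T6Ygi4GtgWhwfi6OnQHVXIiNPRHEzbbsvswAAAFSxGVenQAABAMARzBFAiEAuk8k
WqyoF4Ljm20ERk8QLzfDcprvGArngkAoQ44eu1oCID3ahROz5GeA0CcEUAFCO+dm
ExFS2E4nOaoWLFevOsttAHYApLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN
3BAAAAFSxGVesAAABAMARzBFAiAunvpOpy5Ru+vu2GvBSJRLptJmi5L0lHm1Dbg1
QHKrVAIhAI9dsXHzRUPsKtOAdvBC+eCiXs5Ke5ucETHIFiW0ZVvyAHcAaPaY+B9k
gr46jO65KB1M/HFRXWeT1ETRCmesu09P+8QAAAFSxGVeygAABAMASDBGAiEAvRvX
iGzukMfgVpCYfhfG+GcSnCU2aiVd9zrPnI1K4fkCIQD2TDUMaNIAQwrNb9LYtuuL
G5946Jkxj7lG/A5xxGD//DANBgkqhkiG9w0BAQsFAAOCAQEAJriH3k5+CkPnZMZB
JITFkWf8ZaJwUgSFHhOeZbeK3syD2IRj6qA35yfSBnFm6HFcknF8rrb/DivDDS8z
Kz7H/L1mLI+KEau/IXxKy3l6ni5dHS9s48vrxdbBkWnSmSo/56oU4xlP4vgpQjKX
NStAdiPSYLYOSXh11IcY4bmpQXlLn4ceAHOkmmnzzYPLLA5Q/8X60En+779bPftg
cxYDJM7BdCJ98Ymj2u+kwRE9E85KcpXVJhP/qBtIk+U/PjVSXzLiaRxka2fXB2+K
BXdS/arw0rC0IEtkIBPRvz8OFjEKrro2qZKi3PHAwhMkprgxEhKrDfpoaCYCbY34
PVbfwQ==
-----END CERTIFICATE-----"""

CN = "2.5.4.3"                                  # X.520 commonName
AIA = "1.3.6.1.5.5.7.1.1"                        # Authority Information Access extension
ACCESS_METHODS = {"1.3.6.1.5.5.7.48.1": "ocsp", "1.3.6.1.5.5.7.48.2": "caIssuers"}


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos] -> (tag, contents, next_pos). X.509 uses only
    single-byte tags, so the multi-byte tag form is deliberately not handled."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(contents):
    """[(tag, contents), ...] for the TLVs directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(contents):
        tag, inner, pos = _read_tlv(contents, pos)
        out.append((tag, inner))
    return out


def _decode_oid(raw):
    """DER OID contents -> dotted string, e.g. b'\\x55\\x04\\x03' -> '2.5.4.3'."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _name(contents):
    """Flatten an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) into {oid: text}."""
    attrs = {}
    for _, rdn in _children(contents):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)
            attrs[_decode_oid(oid)] = val.decode("utf-8", "replace")
    return attrs


def parse_cert(pem):
    """Return {'subject', 'issuer', 'extensions'} for a PEM certificate (extensions keyed by OID)."""
    body = "".join(line for line in pem.splitlines() if "-----" not in line)
    der = base64.b64decode("".join(body.split()))
    _, cert, _ = _read_tlv(der, 0)
    (_, tbs), _sig_alg, _sig = _children(cert)
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                     # EXPLICIT [0] version, present in v3 certs
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, [3] extensions
    exts = {}
    for tag, value in fields[6:]:
        if tag == 0xA3:
            (_, seq), = _children(value)
            for _, ext in _children(seq):
                parts = _children(ext)           # extnID, optional critical BOOLEAN, extnValue
                exts[_decode_oid(parts[0][1])] = parts[-1][1]
    return {"subject": _name(fields[4][1]), "issuer": _name(fields[2][1]), "extensions": exts}


def access_urls(cert):
    """AIA URLs by method: 'ocsp' and 'caIssuers' (where the intermediate can be fetched)."""
    raw = cert["extensions"].get(AIA)
    if raw is None:
        return {}
    _, seq, _ = _read_tlv(raw, 0)
    urls = {}
    for _, desc in _children(seq):
        (_, method), (loc_tag, loc) = _children(desc)
        if loc_tag == 0x86:                      # GeneralName uniformResourceIdentifier: [6] IMPLICIT IA5String
            urls[ACCESS_METHODS.get(_decode_oid(method), _decode_oid(method))] = loc.decode("ascii")
    return urls


def find_chain_gap(chain, trusted_root_cns):
    """Walk certs in the order the server sent them (leaf first). Return None when every
    issuer is either the next cert's subject or a trusted root; otherwise the CN of the
    first issuer that was neither sent nor trusted. Simplification (assumption): matches
    on CN only, where real path building compares full DNs and key identifiers."""
    for i, cert in enumerate(chain):
        issuer_cn = cert["issuer"].get(CN)
        if issuer_cn in trusted_root_cns:
            return None
        nxt = chain[i + 1] if i + 1 < len(chain) else None
        if nxt is None or nxt["subject"].get(CN) != issuer_cn:
            return issuer_cn
    return None


if __name__ == "__main__":
    leaf = parse_cert(LEAF_PEM)
    roots = {"VeriSign Universal Root Certification Authority"}   # root named in comment #1
    print("server sent only:", leaf["subject"][CN])
    print("missing issuer  :", find_chain_gap([leaf], roots))
    print("fetch it from   :", access_urls(leaf).get("caIssuers"))
```

To feed it the chain a server really sends, capture the handshake with `openssl s_client -connect www.prepaid.citi.com:443 -servername www.prepaid.citi.com -showcerts`, paste each emitted certificate into `parse_cert`, and pass the list to `find_chain_gap`: a server that only sends the leaf yields the intermediate's CN, which is the symptom this bug reports.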
Thanks. The IP address I get is 199.67.137.151, which is indeed sending only the leaf-node cert and nothing more. I had assumed that the issuer was a new SHA256 root. Please could you let me have the missing intermediate CA (or the IP address you got it from) so that I can chase this up with Citi? Thanks.
Right now I get the same IP and also see the missing chain.