My father applied for a new credit card the other day. MumbleBank sent him an email notifying him about some security arrangements for the new account — the details aren’t important. This mail contained HTML content, and a link to MumbleBank’s website where he had to configure something. This is where the fun begins.
The link’s text said mumblebank.com/creditcard. The link target was http://mumblebankcreditcard.com/foo/. Obviously these aren’t the same. He knows enough to hover the mouse over the link and to get nervous when the link text doesn’t match the target URI.
The eagle-eyed out there will have spotted that the link points to ‘http://…’. The HTTP server at mumblebankcreditcard.com sends back a redirect to ‘https://…’. By this point it’s too late: the bad guy intercepts the unprotected HTTP request and sends back a redirect to his own site.
In fact, the server at mumblebankcreditcard.com has a certificate with the common name www.mumblebankcreditcard.com. Firefox smells a rat and pops up its scary verification-failure page. In the DNS, both these names map to the same IP address.
The redirector is broken. It redirects http://mumblebankcreditcard.com/any/old/thing to https://mumblebankcreditcard.com/any/old/thing, and similarly for www.mumblebankcreditcard.com. This is obviously insane, because the certificate only matches the latter name. The HTTP redirect server should fix the hostname properly. (In fact what happens is that https://mumblebankcreditcard.com/foo/ redirects to https://www.mumblebankcreditcard.com/bar/foo/ — or at least it would do if it could persuade anyone to accept its certificate.)
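To make the point concrete, here is an added example (my own code, not anything from MumbleBank or the post) that models the broken redirector next to a fixed one, and a small checker that walks a redirect chain and flags the two defects described above: an unprotected HTTP hop, and a redirect to an HTTPS hostname the certificate doesn’t cover. The hostnames, alias set and certificate names are constructed to match the story, not taken from any real deployment.

```python
from __future__ import annotations

from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit, urlunsplit

# Constructed configuration, not MumbleBank's real one: the hostnames the
# HTTP redirector answers for, and the single canonical name the certificate
# actually matches.
CANONICAL_HOST = "www.mumblebankcreditcard.com"
ALIASES = {"mumblebankcreditcard.com", "www.mumblebankcreditcard.com"}
# Names presented by the certificate (constructed: the CN from the post).
CERT_NAMES = {"www.mumblebankcreditcard.com"}


def broken_redirect(url: str) -> str:
    """The behaviour the post describes: swap the scheme, keep the host as-is."""
    parts = urlsplit(url)
    return urlunsplit(("https", parts.netloc, parts.path, parts.query, ""))


def fixed_redirect(url: str) -> Optional[str]:
    """Redirect to HTTPS *and* to the hostname the certificate covers.

    Returns None for hosts this redirector is not responsible for, so an
    attacker-chosen Host header cannot be reflected into the Location."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in ALIASES:
        return None
    return urlunsplit(("https", CANONICAL_HOST, parts.path, parts.query, ""))


def cert_covers(hostname: str, names: Set[str]) -> bool:
    """Minimal RFC 6125-style name check: exact match, or a single-label
    wildcard such as *.example.com (which must not span extra labels)."""
    hostname = hostname.lower()
    for name in names:
        name = name.lower()
        if name == hostname:
            return True
        if name.startswith("*.") and hostname.count(".") == name.count("."):
            if hostname.split(".", 1)[1] == name[2:]:
                return True
    return False


def audit_chain(chain: List[Tuple[str, str]], names: Set[str]) -> List[str]:
    """Walk (request_url, Location) hops and report what a browser would
    choke on: cleartext hops, and HTTPS targets the certificate doesn't match."""
    findings = []
    for request_url, location in chain:
        req = urlsplit(request_url)
        loc = urlsplit(location)
        if req.scheme == "http":
            findings.append(f"unprotected hop: {request_url}")
        if loc.scheme == "http":
            findings.append(f"redirect leaves HTTPS: {location}")
        if loc.scheme == "https" and not cert_covers(loc.hostname or "", names):
            findings.append(f"redirect to {loc.hostname} not covered by certificate")
    return findings


if __name__ == "__main__":
    link = "http://mumblebankcreditcard.com/foo/"
    print("broken:", audit_chain([(link, broken_redirect(link))], CERT_NAMES))
    print("fixed: ", audit_chain([(link, fixed_redirect(link))], CERT_NAMES))
```

With the broken redirector the audit reports both the cleartext first hop and the certificate mismatch; with the fixed one only the cleartext hop remains, which is the part the email link itself gets wrong by pointing at http:// in the first place.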
This really shouldn’t be difficult stuff. Only a complete imbecile would get this wrong. MumbleBank is a major player; they do know better.
And we’re not even in Soviet Russia.
Of course, the whole business with X.509 certificates and CAs, and even DNS, is completely broken anyway. Roll on YURLs, pet names, SPKI, and a distributed hashtable mapping public keys directly to IP addresses.
Apologies to MumbleBank, if they do in fact exist, for taking their name in vain.