Why isn't this cert recognized by Mozilla as an EV cert?


John Nagle
Check out

https://easyabc.95599.cn/commbank/netBank/zh_CN/CommLogin.aspx

which is the Agricultural Bank of China.  They have
an EV cert signed by Mozilla, but Mozilla isn't displaying the
correct info.

                                John Nagle
                                SiteTruth
_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security

Re: Why isn't this cert recognized by Mozilla as an EV cert?

Wan-Teh Chang-3
On Thu, Apr 19, 2012 at 12:39 PM, John Nagle <[hidden email]> wrote:
> Check out
>
> https://easyabc.95599.cn/commbank/netBank/zh_CN/CommLogin.aspx
>
> which is the Agricultural Bank of China.  They have
> an EV cert signed by Mozilla, but Mozilla isn't displaying the
> correct info.

In my testing I saw Mozilla display the EV status for a brief
moment and then lose it, while the "page loading" icon kept
spinning.

So I suspect that the bug is that for some reason Mozilla
cannot finish loading that page.

Wan-Teh

Re: Why isn't this cert recognized by Mozilla as an EV cert?

beltzner
On Thu, Apr 19, 2012 at 4:13 PM, Wan-Teh Chang <[hidden email]> wrote:
> So I suspect that the bug is that for some reason Mozilla
> cannot finish loading that page.

Couldn't that also be the result if there was mixed-content?

cheers,
mike

Re: Why isn't this cert recognized by Mozilla as an EV cert?

Eddy Nigg (StartCom Ltd.)
In reply to this post by Wan-Teh Chang-3
On 04/19/2012 11:15 PM, From beltzner:
> On Thu, Apr 19, 2012 at 4:13 PM, Wan-Teh Chang<[hidden email]>  wrote:
>> So I suspect that the bug is that for some reason Mozilla
>> cannot finish loading that page.
> Couldn't that also be the result if there was mixed-content?

Sorry, I replied to the policy list before seeing this message. Indeed,
this site has unsecured content on this page; the connection is
considered insecure in this case.


--
Regards

Signer:  Eddy Nigg, StartCom Ltd.
XMPP:    [hidden email]
Blog:   http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg
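
The check behind the mixed-content explanation above, as an added example that is not part of the original thread: a Python scan that lists the subresources an HTTPS page would fetch over plain http://, which is the condition under which the browser treats the page as insecure and drops the EV display. The page URL and markup are constructed (example.test names), and the active/passive split is this example's own classification.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> (URL attribute, kind). Active content can rewrite the page;
# passive content (images, media) is only displayed.
SUBRESOURCES = {
    "script": ("src", "active"), "iframe": ("src", "active"),
    "embed": ("src", "active"), "object": ("data", "active"),
    "link": ("href", "active"), "img": ("src", "passive"),
    "audio": ("src", "passive"), "video": ("src", "passive"),
}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url
        self.findings = []  # (kind, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            # A <base href> changes how later relative URLs resolve.
            self.base = urljoin(self.base, attrs["href"])
            return
        if tag not in SUBRESOURCES:
            return  # e.g. <a href> is navigation, not a subresource
        attr, kind = SUBRESOURCES[tag]
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheet links are treated as fetched here
        value = (attrs.get(attr) or "").strip()
        url = urljoin(self.base, value)  # relative and //host URLs inherit the scheme
        if value and urlsplit(url).scheme == "http":
            self.findings.append((kind, tag, url))

def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only applies to HTTPS pages
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample markup, not taken from the site in the thread.
SAMPLE = (
    '<link rel="stylesheet" href="/css/site.css">'
    '<script src="http://static.example.test/login.js"></script>'
    '<img src="//img.example.test/logo.png">'
    '<img src="http://img.example.test/banner.gif">'
    '<a href="http://www.example.test/help">help</a>'
)
```
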


Re: Why isn't this cert recognized by Mozilla as an EV cert?

ianG-2
In reply to this post by Wan-Teh Chang-3
On 20/04/12 06:13 AM, Wan-Teh Chang wrote:

> On Thu, Apr 19, 2012 at 12:39 PM, John Nagle<[hidden email]>  wrote:
>> Check out
>>
>> https://easyabc.95599.cn/commbank/netBank/zh_CN/CommLogin.aspx
>>
>> which is the Agricultural Bank of China.  They have
>> an EV cert signed by Mozilla, but Mozilla isn't displaying the
>> correct info.
>
> In my testing I saw Mozilla display the EV status for a brief
> moment and then lose it, while the "page loading" icon kept
> spinning.


Yes I saw that too.  Rather disturbing!  CA needs to get some guidance
out to its subscribers?

Also, the URL is disturbing, and looks like a phish.  Numbers aren't
familiar in the western world, are they ok in China?  Also commbank and
netbank are both brandings of the Commonwealth Bank of Australia
(biggest bank there) so that isn't comfortable.

http://commbank.com.au/

> So I suspect that the bug is that for some reason Mozilla
> cannot finish loading that page.


Mixed content, apparently.  OK.

iang

Re: Why isn't this cert recognized by Mozilla as an EV cert?

alex.mayorga
In reply to this post by Wan-Teh Chang-3
On Thursday, April 19, 2012 9:21:14 PM UTC-5, ianG wrote:

> On 20/04/12 06:13 AM, Wan-Teh Chang wrote:
> > On Thu, Apr 19, 2012 at 12:39 PM, John Nagle<nagle@[redacted].com>  wrote:
> >> Check out
> >>
> >> https://easyabc.95599.cn/commbank/netBank/zh_CN/CommLogin.aspx
> >>
> >> which is the Agricultural Bank of China.  They have
> >> an EV cert signed by Mozilla, but Mozilla isn't displaying the
> >> correct info.
> >
> > In my testing I saw Mozilla display the EV status for a brief
> > moment and then lose it, while the "page loading" icon kept
> > spinning.
>
>
> Yes I saw that too.  Rather disturbing!  CA needs to get some guidance
> out to its subscribers?
>
> Also, the URL is disturbing, and looks like a phish.  Numbers aren't
> familiar in the western world, are they ok in China?  Also commbank and
> netbank are both brandings of the Commonwealth Bank of Australia
> (biggest bank there) so that isn't comfortable.
>
> http://commbank.com.au/
>
> > So I suspect that the bug is that for some reason Mozilla
> > cannot finish loading that page.
>
>
> Mixed content, apparently.  OK.
>
> iang

PhishTank has already flagged it as phishing[1] so I've reported it too using Help > Report Web forgery...

One odd thing is that on Nightly that URL never finishes loading (i.e. the green spinner spins forever). Is that a Nightly bug?

Alex

[1] http://www.phishtank.com/phish_detail.php?phish_id=1359252

Re: Why isn't this cert recognized by Mozilla as an EV cert?

John Nagle
In reply to this post by Wan-Teh Chang-3
On 4/26/2012 1:07 PM, [hidden email] wrote:

> On Thursday, April 19, 2012 9:21:14 PM UTC-5, ianG wrote:
>> On 20/04/12 06:13 AM, Wan-Teh Chang wrote:
>>> On Thu, Apr 19, 2012 at 12:39 PM, John Nagle<nagle@[redacted].com>   wrote:
>>>> Check out
>>>>
>>>> https://easyabc.95599.cn/commbank/netBank/zh_CN/CommLogin.asp
>>>>
>>>> which is the Agricultural Bank of China.  They have
>>>> an EV cert signed by Mozilla, but Mozilla isn't displaying the
>>>> correct info.
>>>
>>> In my testing I saw Mozilla display the EV status for a brief
>>> moment and then lose it, while the "page loading" icon kept
>>> spinning.
>>
>>
>> Yes I saw that too.  Rather disturbing!  CA needs to get some guidance
>> out to its subscribers?
>>
>> Also, the URL is disturbing, and looks like a phish.  Numbers aren't
>> familiar in the western world, are they ok in China?  Also commbank and
>> netbank are both brandings of the Commonwealth Bank of Australia
>> (biggest bank there) so that isn't comfortable.
>>
>> http://commbank.com.au/
>>
>>> So I suspect that the bug is that for some reason Mozilla
>>> cannot finish loading that page.

>> Mixed content, apparently.  OK.
>>
>> iang
>
> PhishTank has already flagged it as phishing[1] so I've reported it too using Help>  Report Web forgery...
> One odd thing is that on Nightly that URL never finish loading (i.e. the green spinner spins forever). Is that a Nightly bug?
> Alex
> [1] http://www.phishtank.com/phish_detail.php?phish_id=1359252

    It's not a phish.  "95599.cn" is the Agricultural Bank of China.
95599 is their phone number, and a part of their branding.
Major banks in China have 955xx phone numbers.

    They were going through a major systems change, and for two
days, their online banking system had a scheduled outage.  That
may be why some of the strange behavior was happening.

See:
http://translate.googleusercontent.com/translate_c?act=url&hl=en&ie=UTF8&prev=_t&rurl=translate.google.com&sl=auto&tl=en&u=http://easyabc.95599.cn/cn/EBanking/Bulletin/201204/t20120416_222818.htm&usg=ALkJrhhXAqKLW9UMAozQE18Mkm-Uo9KEUA

                                John Nagle
