
Security warning on an e-banking site


sebas22

Nov 11, 2009, 4:57:24 AM
Hi

https://www.axabanque.fr/client/ gives me a warning that it's not secure,
but in FF it's all right (it's an important French bank, so I'm really in
doubt that their certificate is not updated correctly). In the past, it
was working ok with Opera, without any warning, I don't know if they
changed something in their side or if it's Opera 10 that handles it
differently.

Version 10.10 Beta
Révision 4694
Plate-forme Linux
Système i686, 2.6.25-9.slh.1-sidux-686
Bibliothèque Qt 4.5.2
Java Librairie Java Runtime installée

Identification du navigateur
Opera/9.80 (X11; Linux i686; U; fr) Presto/2.2.15 Version/10.10

Regards

sebas22

Nov 11, 2009, 5:45:11 AM
I've put screenshots on :
www.alvidente.com/private/opera/

But it can be experimented by anyone, no username is necessary at that
stage.

David W. Hodgins

Nov 11, 2009, 5:29:39 AM
On Wed, 11 Nov 2009 04:57:24 -0500, sebas22 <sebas_2_dele...@yahoo.invalid.com> wrote:

> https://www.axabanque.fr/client/ gives me a warning that it's not secure,

> Version 10.10 Beta
> Révision 4694
> Plate-forme Linux

Same version here, and it shows as secure.

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

David W. Hodgins

Nov 11, 2009, 6:05:26 AM
On Wed, 11 Nov 2009 05:45:11 -0500, sebas22 <sebas_2_dele...@yahoo.invalid.com> wrote:

> I've put screenshots on :
> www.alvidente.com/private/opera/

After clicking on the security part of the address bar, the difference
between my system and that one, is that the Verisign class 3 certificate
is followed by a Verisign (without the class 3) on mine, that doesn't
appear on that one.

Try Help/Check for updates, to see if that will update the root certs.

sebas22

Nov 11, 2009, 1:29:30 PM

On Wed, 11 Nov 2009 06:05:26 -0500, David W. Hodgins wrote:

> After clicking on the security part of the address bar, the difference
> between my system and that one, is that the Verisign class 3 certificate
> is followed by a Verisign (without the class 3) on mine, that doesn't
> appear on that one.
>
> Try Help/Check for updates, to see if that will update the root certs.

Tx a lot, you've hit the point, a simple
#apt-get install ca-certificates
to update the root certificates has fixed the issue (I'm under GNU/Linux
Debian)

I wonder though why it wasn't generating warning with Firefox, maybe they
have their own certificates directory.

Best regards
Sebas

Yngve Nysaeter Pettersen (Developer, Opera Software A/S)

Nov 11, 2009, 3:36:12 PM
On 11 Nov 2009 10:45:11 GMT, sebas22
<sebas_2_dele...@yahoo.invalid.com> wrote:

The server includes a resource from https://axabanque.fr/ instead of
https://www.axabanque.fr/ (note the missing "www."), but the certificate for
that server is the same as for https://www.axabanque.fr/ , but it does NOT
identify "axabanque.fr" as a valid name for servers having that certificate,
only "www.axabanque.fr".

That is a name mismatch, and a potential security problem, since it can be used
by an attacker to trick you into going to his site instead of the one you wanted
to visit.

As long as you accept the certificate the security level for the whole document,
and all documents that include elements from this server will be marked as
unsecure since Opera is not able to say that all is OK with those documents. If
you instead click "Refuse" for these dialogs the security level will remain that
of the main document, unless there are other problems with the site (like bad
revocation information).

This is something the bank must fix.
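
The name mismatch described in the post above, as an added example that is not part of the original thread and is not Opera's code: a page served from `www.axabanque.fr` pulls a resource from `axabanque.fr`, and the certificate lists only the `www.` name. The certificate dictionary and the resource path are constructed samples; the matching rule is the usual exact-or-single-label-wildcard comparison.

```python
from urllib.parse import urlsplit

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert();
# it mirrors the case described above: only the "www." name is listed.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.axabanque.fr"),),),
    "subjectAltName": (("DNS", "www.axabanque.fr"),),
}

def cert_dns_names(cert):
    """Return the DNS names a certificate is valid for (SAN first, CN as fallback)."""
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # legacy fallback: commonName counts only when no SAN dNSName exists
        for rdn in cert.get("subject", ()):
            names += [v.lower() for k, v in rdn if k == "commonName"]
    return names

def name_matches(pattern, host):
    """Exact match, or a wildcard that covers exactly one left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # "*.example.org" never covers the bare "example.org"
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def mismatched_resources(cert, urls):
    """Return the https URLs whose host is not covered by any name in cert."""
    names = cert_dns_names(cert)
    bad = []
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            continue
        if not any(name_matches(n, parts.hostname) for n in names):
            bad.append(url)
    return bad

# Constructed page resources: the main document plus one include without "www."
PAGE_URLS = [
    "https://www.axabanque.fr/client/",
    "https://axabanque.fr/static/style.css",  # hypothetical path
]

if __name__ == "__main__":
    for url in mismatched_resources(SAMPLE_CERT, PAGE_URLS):
        print("name mismatch:", url)
```

A site operator can run the same check over every `https` URL a page references before deploying a new certificate; any host it reports needs its own certificate name or a corrected link.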


sebas22

Nov 12, 2009, 7:51:55 AM

On Wed, 11 Nov 2009 21:36:12 +0100, Yngve Nysaeter Pettersen (Developer,
Opera Software A/S) wrote:

> This is something the bank must fix.

Thank you for your feedback, Yngve, I'll forward your msg to the webmaster

Best regards,
Thousand tx for your fantastic work with Opera !
Sebas

sebas22

Nov 17, 2009, 3:11:04 PM

On Thu, 12 Nov 2009 12:51:55 +0000, sebas22 wrote:

> On Wed, 11 Nov 2009 21:36:12 +0100, Yngve Nysaeter Pettersen (Developer,
> Opera Software A/S) wrote:
>
>> This is something the bank must fix.
>
> Thank you for your feedback, Yngve, I'll forward your msg to the
> webmaster

I've followed up the content of your post to the webmaster, saying they
should pay attention to it since the Opera-team is well known for their
concern about security. They fixed the problem all right. Below, the text
of their reply.

Tx again for your concern, Yngve :-)

<quote="AXA-bank webmaster">
--- translation from French ---

We acknowledge your message in relation with the security certificate of
our site AXA-Bank, and we gave it all the attention it deserved

We confirm that there really was a problem about our certificate during
the installation of our new site.

The fixes had been applied and the situation is now back to normal

We apologize for the troubles and stay at your disposal

Best Regards
Webmaster AXA Banque

--- original message, in French ---

Nous faisons suite à vos messages relatifs au certificat de sécurité du
site AXA Banque, qui ont retenu toute notre attention.

Nous vous confirmons qu’il y a bien eu un dysfonctionnement au niveau de
notre certificat de sécurité lors de la mise en route de notre nouveau
site.

Les correctifs ont été déployés et la situation est de nouveau revenue à
la normale :

Nous vous prions d’accepter nos excuses pour la gêne occasionnée et
restons à votre disposition.

Bien cordialement,
Webmaster AXA Banque
</quote>
