Written by Tyler Shears on February 26, 2009 7:19 pm EST
Normally I wouldn’t even notice this, but I’ve been spending a lot of time making sure the SSL certs on my sites are good. I just visited http://bankofamerica.com and was trying to log into my account, and was presented with a critical error.
The certificate date appears to be valid, but the non-www. version of the URL results in an error. If you put the www. in front, the site works fine. If you check the Certificate Status you see an expiration date of 12/09, so it is still active, but the URL in the certificate is in fact the www.bankofamerica.com URL. It is secure as far as the actual certificate validation goes, but to your average user this would cause a great deal of confusion. I wonder how many people type in the domain without the www. in front every day?
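The mismatch described above, as an added example that is not part of the original post: the certificate name list is constructed to mirror what the post describes (the certificate names www.bankofamerica.com only) rather than fetched from the live site, and the matching rule is the usual browser one (RFC 6125), where a name matches exactly or a left-most wildcard covers exactly one label, so neither www.bankofamerica.com nor *.bankofamerica.com covers the bare domain.

```python
"""Check which hostnames a certificate's names actually cover.

Added example, not code from the original post. The name lists below are
constructed to mirror the post: the certificate carries www.bankofamerica.com
but not the bare apex domain, so a visitor typing the non-www. URL gets an error.
"""

# Constructed sample: subject names (CN / SAN entries) a certificate might carry.
CERT_NAMES = ["www.bankofamerica.com"]
WILDCARD_CERT_NAMES = ["*.bankofamerica.com"]


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """RFC 6125-style match: exact match, or a wildcard that is the whole
    left-most label and covers exactly one label of the hostname.
    Consequence: *.example.com never covers example.com itself."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    labels = cert_name.split(".")
    # Only a wildcard that is the entire left-most label is accepted.
    if labels[0] != "*" or any("*" in lbl for lbl in labels[1:]):
        return False
    host_labels = hostname.split(".")
    # Same number of labels, and every label after the wildcard identical.
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def uncovered_hostnames(cert_names, hostnames):
    """Return the hostnames that no name on the certificate covers; an empty
    list means every hostname the site answers on would validate."""
    return [h for h in hostnames
            if not any(hostname_matches(c, h) for c in cert_names)]


if __name__ == "__main__":
    wanted = ["bankofamerica.com", "www.bankofamerica.com"]
    print("missing from cert:", uncovered_hostnames(CERT_NAMES, wanted))
    print("missing from wildcard cert:", uncovered_hostnames(WILDCARD_CERT_NAMES, wanted))
```

Running it reports the bare domain as uncovered in both cases, which is the browser error the post describes; a certificate has to list bankofamerica.com explicitly (or the site has to redirect before TLS) for the non-www. URL to validate.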
This kind of thing can happen from time to time, but not usually on such an impactful site. I’m surprised VeriSign doesn’t already have a system in place to take care of this, considering the level of security required for Bank of America and the other clients they have. If you want to learn more about the security these sites use to manage your information, check out Transport Layer Security on wiki.
A 301 redirect of all the non-www. versions of the bankofamerica.com URLs to the www. version (for example, http://bankofamerica.com would automatically reroute you to http://www.bankofamerica.com) would fix the issue. Learn more about canonicalization issues and the side effects of a bad 301 redirect (based on personal experience).
I’m sending an email to BoA to let them know (probably just a link to this story) so if you have any thoughts feel free to leave a comment.