
Bank of America SSL Certificate Expired?!


Written by Tyler Shears on February 26, 2009 7:19 pm EST



Normally I wouldn’t even notice this, but I’ve been spending a lot of time on making sure the SSL certs on my sites are good. I just visited http://bankofamerica.com and was trying to log into my account, and was presented with a critical error.

The certificate date appears to be valid, but the non-www. version of the URL results in an error. If you put the www. in front, the site works fine. If you check the Certificate Status you see an expiration date of 12/09, so it seems to still be active, but the URL in the certificate is in fact the www.bankofamerica.com URL. It seems secure based on the actual certificate validation, but to your average user this would cause a great deal of confusion. I wonder how many people type in the domain without the www. in front every day?
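To make the difference between "expired" and "issued for another name" concrete, here is an added example (not code from the original post or from Bank of America) that runs the two checks a browser performs separately. The certificate dict is a constructed sample in the shape Python's `getpeercert()` returns, with made-up dates; chain and trust validation are out of scope.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns.
# Dates are made up for illustration; the name is the one the post reports.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.bankofamerica.com"),),),
    "notBefore": "Dec  2 00:00:00 2008 GMT",
    "notAfter": "Dec  2 23:59:59 2009 GMT",
}
NOW = datetime(2009, 2, 26, tzinfo=timezone.utc)  # date of the post


def dns_name_matches(pattern, hostname):
    """Compare one certificate DNS name with the requested hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # "www.example.com" never covers "example.com"
    if p[0] == "*":
        # A wildcard stands for exactly one left-most label, never a bare TLD.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_names(cert):
    """DNS names the certificate is issued for (SAN first, CN as legacy fallback)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def diagnose(cert, hostname, now):
    """Return the date and name problems found for this certificate and hostname."""
    problems = []
    ts = now.timestamp()
    if ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if not any(dns_name_matches(n, hostname) for n in cert_names(cert)):
        problems.append("hostname mismatch")
    return problems


if __name__ == "__main__":
    for host in ("bankofamerica.com", "www.bankofamerica.com"):
        print(host, diagnose(SAMPLE_CERT, host, NOW) or "ok")
```

The same certificate passes for the www. name and fails only the name check for the bare domain, which is why the dates in the certificate viewer look fine while the browser still shows an error.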

This kind of thing can happen from time to time, but usually on an impactful site. I’m surprised VeriSign doesn’t already have a system in place to take care of this, considering the level of security required for Bank of America and other clients they have.

If you want to learn more about the security these sites use to manage your information check out Transport Layer Security on wiki.

A 301 redirect of all the non-www. versions of the bankofamerica.com URLs into the www. version (for example, http://bankofamerica.com would automatically reroute you to http://www.bankofamerica.com) would fix the issue. Learn more about canonicalization issues. Side effects of a bad 301 redirect (based on personal experience).

I’m sending an email to BoA to let them know (probably just a link to this story) so if you have any thoughts feel free to leave a comment.


7 Responses to “Bank of America SSL Certificate Expired?!”

  1. Verisign SSL Says:

    It's not just true. The prob. is within your Firefox, click on the bottom link shown in first image, it will open a new wizard, click on get certificate and then confirm it, everything will be fine.
    BTW, their SSL will expire on 12th April 2009, they have strong security of VeriSign.

  2. mike Says:

    Dude calling yourself “Verisign SSL”. You are wrong. What you just suggested negates the ability of a digital certificate to be assigned to a host name. Simply accepting the certificate is stupid. And it is not a problem with Firefox. IE would give a slightly different error.

    The fix is to redirect users to the proper hostname via 301.

  3. Brian Says:

    Looks to me like the certificate is only valid from 12/2 thru 12/3. That’s odd. Looks like they fixed the canonicalization issue.

  4. Bill Sebald Says:

    Ahh… that old gag. Wish I could say it never happened to me. The error is still there for me this evening, but it should be an easy fix for their SAs.

  5. Phil Tyler Says:

    I’m only hesitant because that huge virus was released yesterday!

  6. John Says:

    This happens repeatedly. They have an expired cert on the logout redirect from olineeast.bankofamerica.com right now.

    It expired all the way back on April 19th, 2009. They even list the OU as “JBoss Engineering”.

    It’s been happening for over a month now, and Bank of America “technical support” is about as sharp as a tree stump. They are clueless about SSL. May as well be talking to your cat.

    Does CheckFree still handle their bill pay for them under the BOA label? I know that was the case for a long time. Could be that the third party server has a stale URL redirect on its logout icon that points to an obsolete server at BOA.

  7. Cyber Glasses Development Says:

    This was resolved pretty soon after you put this post up. Perhaps not related to your breaking news post, but something the IT guys must have realised and resolved. I’m trying to resolve a similar problem that has developed on my site too!
