[BBLISA] solution to web sites with incomplete SSL cert chains

John Miller johnmill at brandeis.edu
Fri Sep 18 11:57:46 EDT 2015


That's pretty shady on Target's part.  I'd let their support team know, ASAP.

Taking a quick look, the issuer here is:
CN = Verizon Public SureServer EV SSL CA G14-SHA2
OU = Cybertrust
O = Verizon Enterprise Solutions
L = Amsterdam
C = NL

You'd have to go out to Verizon's site, grab the intermediate cert and
check for yourself if it's valid.  Not exactly how it should be.
Given Target's historic IT foibles (can we say "credit cards,"
anyone?), I'm not so inclined to trust their website!

The problem isn't at the browser level: if site admins don't provide
an intermediate cert, _it's_ _on_ _them_.  The whole point of
intermediate certificates is that they're _not_ trusted by browsers.
That way if an intermediate cert gets compromised, server admins can
go get the new one and install it--no reason for every end user on the
planet to have to replace it in their browser.

John

On Fri, Sep 18, 2015 at 11:33 AM, Bill Bogstad <bogstad at pobox.com> wrote:
> At the most recent BBLISA meeting, there was a brief discussion of
> SSL/certs.  Unfortunately, I never asked about an issue that I had
> recently with Firefox and certs.   It seems that
> Firefox is not happy with this site:
>
> https://help.target.com/
>
> When I check it with one of the on-line SSL checking sites, it seems
> that Target isn't providing a complete chain back to a root CA.   Any
> idea how one goes about getting a web site to fix problems like this?
>  I tried reporting it using a different browser and I got the typical
> "reboot your computer, reinstall, etc. etc." response.
>
> Bill Bogstad



-- 
John Miller
Systems Engineer
Brandeis University
johnmill at brandeis.edu
(781) 736-4619
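
Added example, not part of the original messages: the failure discussed in this thread, reproduced offline with a constructed root, intermediate and leaf certificate. The function names, file names and subject names are assumptions made for the illustration; only standard openssl subcommands are used.

```shell
#!/bin/sh
# Build a throwaway three-level PKI (constructed names) in directory $1.
build_demo_pki() {
    (
    set -e
    cd "$1"
    cat > cfg <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
EOF
    # Self-signed root: the only certificate the "client" will trust.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
        -subj "/CN=Constructed Root CA" -days 2 -config cfg -extensions ca_ext
    for n in int leaf; do
        openssl req -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.csr" \
            -subj "/CN=Constructed $n" -config cfg
    done
    # Root signs the intermediate; the intermediate signs the leaf.
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -out int.pem -days 2 -extfile cfg -extensions ca_ext
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -out leaf.pem -days 2 -extfile cfg -extensions leaf_ext
    ) >/dev/null 2>&1
}

# chain_verifies ROOT LEAF [INTERMEDIATES]
# ROOT is the client's trust store; INTERMEDIATES is what the server sends
# alongside its leaf. Returns 0 only if a path from LEAF to ROOT can be built.
chain_verifies() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

demo_dir=$(mktemp -d)
build_demo_pki "$demo_dir"
chain_verifies "$demo_dir/root.pem" "$demo_dir/leaf.pem" \
    && echo "leaf only: verifies" || echo "leaf only: incomplete chain"
chain_verifies "$demo_dir/root.pem" "$demo_dir/leaf.pem" "$demo_dir/int.pem" \
    && echo "leaf + intermediate: verifies" || echo "leaf + intermediate: fails"
rm -rf "$demo_dir"
```

Against a live site, the certificates the server actually sends can be listed with `openssl s_client -connect HOST:443 -showcerts` and compared with the issuer named in the leaf.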


