back to article Scotiabank internet whizzkids screw up their HTTPS security certs

The team behind Scotiabank's Digital Banking Unit isn't impressing some customers, after forgetting to renew the security certificates for their own website. The DBU was set up last year to sell "world class digital solutions" to electronic banking customers around the world. But Jason Coulls, CTO of food safety testing …

  1. Alistair
    Windows

    ScotiaBank IT -> IBM GDF.

    Any questions?

  2. Anonymous Coward
    Pint

    Losing touch of reality?

    Is it me or do we see a rather unhealthy trend developing as of late? I get the impression that more and more companies are much too busy doing "important" stuff right up to a point where they lose track of some of the essential parts which seriously matter.

    ... that is; they matter for their customers. And who cares about those, right?

    1. Anonymous Coward
      Anonymous Coward

      'companies are too busy doing "important" stuff'

      Culling Headcount so master-of-the-universe CEO's get paid???

      1. Anonymous Coward
        Anonymous Coward

        Re: 'companies are too busy doing "important" stuff'

        Culling Headcount so master-of-the-universe CEO's get paid???

        Try:

        Going with the cheapest source of labor so to collect bonus for cutting costs.

  3. okand
    Meh

    Are people still trained to just click past certificate warnings?

    1. Evil Auditor

      Yep. Any warning, that is.

  4. This post has been deleted by its author

  5. Anonymous Coward
    Anonymous Coward

    I would point the finger at the web hosting company first.

    The certificate is not even assigned to scotiabank it is for the web hosting company ...

    X509v3 Subject Alternative Name: DNS:*.webflow.io, DNS:webflow.io

    so even before it had expired it would have been wrong.

    I'm not even convinced it is an HTTPS enabled website .. look at the content of the website and it just looks like a project/brand microsite ... I can't immediately see where HTTPS would be required (e.g. for logging in or entering details in to a form etc) ... so I would say this looks more like a web hosting reverse proxy configuration error, i.e. HTTPS should not be enabled for this domain, just HTTP.

    1. Alister

      Re: I would point the finger at the web hosting company first.

      I'm not even convinced it is an HTTPS enabled website

      I agree. I think the site is meant to be served by HTTP, and if you request it using HTTPS it's just returning the default SSL cert on the server.

      1. patrickstar

        Re: I would point the finger at the web hosting company first.

        Possibly the guy who complained is using HTTPS Everywhere or similar, so it defaults to try HTTPS first for everything.

  6. Barry Rueger

    Surprise? I think not.

    Scotiabank still does not allow customers to use upper case or special characters in passwords, arguing that it would confuse some customers.

    Rather than putting resources into security, Scotiabank has been prioritising the disposal of long time employees and the centralisation of all decisions at head office in Toronto.

    The days when you knew your branch manager, and they would bend the rules in an emergency, are long, long gone.

    But hey! Scotiabank is still the industry leader in exorbitant service charges!

  7. TFL

    Banks and security? Pah!

    Try convincing a bank to use two factor authentication. I pestered RBC, all I got back was that they'd cover losses incurred. Not impressed.

    1. Ian Michael Gumby

      Re: Banks and security? Pah!

      That's par for the course.

  8. Steve K Silver badge

    It is surprising that they have not noticed for so long - wouldn't you have some kind of heartbeat monitoring set up to check that the site is alive/accessible externally?

    (On a slightly pedantic note: 5-month anniversary? That's not even a thing..)

    1. Alister

      If, as surmised above, the site is designed to be served over HTTP, then why would you bother monitoring it over HTTPS, or bothering about an expired SSL cert on the server?

      A case can be made that the site shouldn't respond at all on 443, but if the server has other sites on HTTPS then it's easy to overlook.

  9. David Roberts
    WTF?

    F-bomb?

    Had to look it up.

    I assume that the code wasn't full of fat laden snacks.

    Presumably bad language in the comments?

    1. Anonymous Coward
      Anonymous Coward

      Re: F-bomb?

      You had to look up F-Bomb? You must be British.

  10. Anonymous Coward
    Anonymous Coward

    It can happen

    Sometimes this can slip through the cracks.

    We're totally NOT depending on our website for business, but its FreeSSL cert had developed a fault and the site had thus reverted back to the SSL cert of the provider (which, of course, gets you immediately rendered unreachable accompanied by much screeching in Firefox, Chrome et al). It was pure luck that I detected this before it became something press worthy (note to self: see if availability monitor can pick this up).

    If your site IS your business (or at least a large chunk of it) the site cert takes, of course, more prominence so renewal processes must be set up, but it can happen. All of this stuff is still done by humans, and we're not perfect (as my wife keeps reminding me :) )..

    1. Lysenko

      Re: It can happen

      "All of this stuff is still done by humans..."

      Why? Mine certainly aren't. Certificate renewal is part of the same automated workflow that handles backups, DNS verification, loopback TLS checks etc. In the event that screws up (e.g. the cert authority API changes without warning) then Supervisor would email me 20 days before the old cert expires. This is basic stuff. Even my throwaway Linode and EC2 dev servers do this. That a bank can't get this right on production equipment is frankly ridiculous incompetence offshore outsourcing.

      1. Synonymous Howard

        Re: It can happen

        I think this is a non story. The expired cert is not even for the given website ... I believe this is a 3rd party webhosting error. A default config on the frontend load balancer / SSL reverse proxy probably.

        The website just appears to be a marketing site rather than a banking service site and as such should not HTTPS to be configured.

        I'd love to say this is the bank's fault and is a result of outsourcing but I can't see any direct evidence of that.

        1. Yet Another Anonymous coward Silver badge

          Re: It can happen

          The website just appears to be a marketing site rather than a banking service site

          Isn't that worse? The bank regularly sends you emails and links and popups to dozens of non-secure bank affiliated advertising websites that you are supposed to know not to use for anything secure.

          Then you get an email from scotiabank.google.com with a link to a secure site which does ask for your password.

          It's like air traffic control playing "simon says" with their landing instructions

        2. rssfed23

          Re: It can happen

          Why do people keep implying that just because you’re not logging in or doing banking on a website then it implies it doesn’t need https to begin with?

          How can you be so wrong I don’t get it...

          There are many reasons for using tls aside from just encrypting credentials.

          As Troy Hunt has demonstrated on many occasions: there is absolutely no reason why every website should serve all content over https in 2017. It’s free after all (and said AMCE service keeps track of certificate expiary/renewals for you).

          Every site from a banks random marketing page through to the blog my sister set up for her kittens should have basic tls. There is no technical reason not to.

          1. Evil Auditor

            Re: It can happen

            I don't see why every dog's blog should provide TLS. But as soon as someone needs to rely on the provided information TLS becomes rather essential. And this surely includes a bank's marketing site.

  11. Destroy All Monsters Silver badge
    Facepalm

    "Issued by COMODO"

    I stopped reading or caring at that point.

    Because it means the IT guys even be bothered to read contractual fine print.

  12. Jonbays

    Web hosters certificate management hint no.1 throw away the cert management spreadsheet.

  13. Anonymous Coward
    Anonymous Coward

    Sorry - in looking at the content of the site, I'm struggling to understand what's the risk? seems very petty.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022