Security Issue: certificate confusion while banking online
-
barbara
Security Issue: certificate confusion while banking online
Hi,
Please, I really ask you to look at this issue:
1. open https://www.ingbank.pl/,
2. then "Zaloguj" button in the right upper corner,
3. then "Moje ING" button in an opened dropdown list.
4. The next page is the logging-in page for banking (!), so it must be absolutely secure - but what we see is a blue lock, and when we click on it, that we are connected to a bank which is run by unknown (!!!).
It takes a lot of time to open the page with the green lock - it is possible, but by default Palemoon opens it with the blue lock (!!!). In a standard Firefox the certificates are OK - the lock is green and it is run by {bank} every time (I cannot manage to get the blue lock that way).
Unfortunately, I once logged in with this awful blue lock and made a transfer. It went to the proper person and was booked, but it drives me crazy - do I have to change my bank account password, or was it a secure connection and only Palemoon has got the blue/green lock problem? In summary: is it a GUI bug or something like that, OR is it REALLY a SECURITY PROBLEM?
Please, help! And do something about it. I think that it is not only a problem with my bank - of course most banks work properly, but some might not be so good (like mine).
Thanks in advance!
B.
Re: Security Issue: certificate confusion while banking online
It should be a green (EV) certificate for the ING bank, not blue. I verified this locally and everything is OK, so that would indicate a security problem on your side.
What does the blue lock indicate? What are the certificate details?
"Son, in life you do not fight battles because you expect to win, you fight them merely because they need to be fought." -- Snagglepuss


-
barbara
Re: Security Issue: certificate confusion while banking online
How it looks in my browser (.png attachments). If something more is needed - please write.
Thanks for answering and helping!
-
barbara
Re: Security Issue: certificate confusion while banking online
Also:
my browser Version: Palemoon 27.3.0 (32-bit)
add-on: No Script 2.9.0.14
Win 7 32-bit
-
dark_moon
Re: Security Issue: certificate confusion while banking online
Did you use any security tools? Because it looks like your SSL/TLS security is corrupted.
This is the right cert for that site:
-
barbara
Re: Security Issue: certificate confusion while banking online
@dark_moon - thanks for your answer. The certification details in your screenshot come from the main page - not the logging-in one. This bank has one certification provider for its home page (Unizeto) and another for logging in (Entrust). Could you check how things look when you go to the logging-in page? (Bank homepage -> Zaloguj in right upper corner -> Moje ING -> now the logging-in page will be displayed).
Also - you mentioned SSL/TLS security corruption. Could the AV program (I use AVAST v.17.4.2294) mess around with this? Or the NoScript add-on? NoScript claims that there are no scripts on the logging-in page.
Re: Security Issue: certificate confusion while banking online
Turn off https filtering in Avast.
-
barbara
Re: Security Issue: certificate confusion while banking online
helloimustbegoing wrote: "Turn off https filtering in Avast."
Is it safe?
Re: Security Issue: certificate confusion while banking online
Yes, using it actually decreases your security no matter what AVs say. Here are Moonchild's thoughts on https filtering:
https://forum.palemoon.org/viewtopic.php?f=24&t=14122
-
barbara
Re: Security Issue: certificate confusion while banking online
@helloimustbegoing - thanks for the link to this interesting article - it is really exhausting what big corporations do to decent small users ... Nevertheless - disabling HTTPS filtering in my AVAST has not worked - my bank still has got the blue lock. I'm also using the COMODO firewall - could it have HTTPS filtering too?
Re: Security Issue: certificate confusion while banking online
I don't know, I have never used Comodo's firewall. It's possible I suppose. Dig around in it, I'm sure it'll be easy to find if it does have it.
-
barbara
Re: Security Issue: certificate confusion while banking online
And I've got the most important question - has my connection via the blue lock been unsecured, so that I must change the password to my account, or is it rather this HTTPS filtering issue, so that changing anything is not a must? I really don't know what to do. Changing the password involves filling in a form with fragile and really personal data as well, and I do not want to do that unnecessarily.
Re: Security Issue: certificate confusion while banking online
Disabling https filtering in Avast will also require you to completely exit and restart the browser at least, and maybe restarting the computer to properly clear any latent incorrect connections. If it was enabled then that would explain the blue instead of green state.


-
barbara
Re: Security Issue: certificate confusion while banking online
Unfortunately, after disabling HTTPS filtering in AVAST I've of course restarted Palemoon, then restarted it with NoScript disabled, then restarted my computer, restarted computer once again with "Do not trust secured pages" (or something like that) in AVAST, and restarted computer I think twice again - still this terrible blue lock is present. Comodo seems to not have any HTTPS filtering option.
But how about changing a password? Was this connection really unsecured or only Palemoon had a problem with recognizing it properly?
-
barbara
Re: Security Issue: certificate confusion while banking online
I've reinstalled Palemoon completely - without my old profile, everything is fresh. Still the same - blue lock on my bank's logging-in page. But for example - this very forum also has got a blue lock, but its certification details look more reliable than on my bank's page. Dazed and confused
-
dark_moon
Re: Security Issue: certificate confusion while banking online
Avast replaces all certs with its own from Avast, so in theory all encrypted data goes to Avast first.
Clear your DNS cache. Maybe that helps.
Open a command line and run ipconfig /flushdns
Close Pale Moon first and maybe clear the cache in Pale Moon too.
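The certificate replacement dark_moon describes above is visible in the issuer of the certificate the client actually receives. As an added example (not part of the original thread), this Python sketch classifies that issuer; the function names, the `LOCAL_FILTER_HINTS` list and both sample certificates are constructed assumptions, and "Entrust" as the expected CA for the login page is taken from barbara's post.

```python
import socket
import ssl

# Substrings of issuer names treated as local HTTPS-filtering products.
# Illustrative assumption: extend with whatever is installed on the machine.
LOCAL_FILTER_HINTS = ("avast",)


def issuer_fields(cert):
    """Flatten the 'issuer' entry of an ssl getpeercert() dict into a plain dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def classify_issuer(cert, expected_ca):
    """Return 'expected', 'local-filter' or 'unexpected' for a leaf certificate."""
    fields = issuer_fields(cert)
    names = " ".join(
        fields.get(k, "") for k in ("organizationName", "commonName")
    ).lower()
    if expected_ca.lower() in names:
        return "expected"
    if any(hint in names for hint in LOCAL_FILTER_HINTS):
        return "local-filter"
    return "unexpected"


def fetch_cert(host, port=443, timeout=10):
    """Fetch the leaf certificate this machine receives for host (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in the shape getpeercert() returns (not real captures).
DIRECT = {"issuer": ((("countryName", "US"),),
                     (("organizationName", "Entrust, Inc."),),
                     (("commonName", "Entrust Example EV CA"),))}
FILTERED = {"issuer": ((("organizationName", "avast! Web/Mail Shield"),),
                       (("commonName", "avast! Web/Mail Shield Root"),))}

if __name__ == "__main__":
    print(classify_issuer(DIRECT, "Entrust"))
    print(classify_issuer(FILTERED, "Entrust"))
```

On a live machine, `classify_issuer(fetch_cert("login.ingbank.pl"), "Entrust")` applies the same check to the login host named in the thread; a certificate verification error raised by `fetch_cert` is itself a sign that the chain is not what a clean client would see.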
-
barbara
Re: Security Issue: certificate confusion while banking online
Sorry for really silly question, but "clear the cache in Pale Moon too" means to clear all history, cookies etc.?
I've flushed DNS already - it did not work - still blue lock.
-
barbara
Re: Security Issue: certificate confusion while banking online
However, there is progress! Now my certification details look like a real certificate (.png attachment) - before the Palemoon re-installation there was only login.ingbank.pl with no tree. NOW there is a tree from the Entrust root. So I definitely must do something with my account pass. What a pity
Also - I've noticed that to make the lock green - I must first open the Entrust Inc home page (they also have Entrust certification, obviously) - this has a proper green lock. Then go to my bank homepage (the same or another tab) -> Zaloguj -> Moje ING -> and we have a nice shiny green lock! Strange but real.
-
dark_moon
Re: Security Issue: certificate confusion while banking online
I mean the cache under settings -> extended -> network
Can you test another PC, smartphone, or something else?
-
barbara
Re: Security Issue: certificate confusion while banking online
Now I'm on Linux (Mint Serena 18.1) booted from USB - Firefox 50.1.0. And - lock is green, but cert. details haven't got tree - only "login.ingbank.pl" ...

