On 4/26/2012 1:07 PM, alex.mayo...@gmail.com wrote:
On Thursday, April 19, 2012 9:21:14 PM UTC-5, ianG wrote:
On 20/04/12 06:13 AM, Wan-Teh Chang wrote:
On Thu, Apr 19, 2012 at 12:39 PM, John Nagle <nagle@[redacted].com> wrote:
Check out

https://easyabc.95599.cn/commbank/netBank/zh_CN/CommLogin.asp

which is the Agricultural Bank of China.  They have
an EV cert signed by Mozilla, but Mozilla isn't displaying the
correct info.

In my testing I saw Mozilla display the EV status for a brief
moment and then lose it, while the "page loading" icon kept
spinning.


Yes I saw that too.  Rather disturbing!  CA needs to get some guidance
out to its subscribers?

Also, the URL is disturbing, and looks like a phish.  Numbers aren't
familiar in the western world, are they ok in China?  Also commbank and
netbank are both brandings of the Commonwealth Bank of Australia
(biggest bank there) so that isn't comfortable.

http://commbank.com.au/

So I suspect that the bug is that for some reason Mozilla
cannot finish loading that page.

Mixed content, apparently.  OK.

iang

PhishTank has already flagged it as phishing[1] so I've reported it too using
Help > Report Web forgery...
One odd thing is that on Nightly that URL never finishes loading (i.e. the green
spinner spins forever). Is that a Nightly bug?
Alex
[1] http://www.phishtank.com/phish_detail.php?phish_id=1359252

It's not a phish. "95599.cn" is the Agricultural Bank of China. 95599 is their phone number, and a part of their branding.
Major banks in China have 955xx phone numbers.

   They were going through a major systems change, and for two
days, their online banking system had a scheduled outage.  That
may be why some of the strange behavior was happening.

See:
http://translate.googleusercontent.com/translate_c?act=url&hl=en&ie=UTF8&prev=_t&rurl=translate.google.com&sl=auto&tl=en&u=http://easyabc.95599.cn/cn/EBanking/Bulletin/201204/t20120416_222818.htm&usg=ALkJrhhXAqKLW9UMAozQE18Mkm-Uo9KEUA

                                John Nagle

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
