Recently one of the organizations I do work for (at least until I can get my own business off the ground) had to go through a PCI compliance check. New rules require that all organizations who handle credit cards pass these tests, not just ones that handle a certain amount of monetary transactions.
The service we use to handle credit card transactions and customer payment information contracts with a company called Security Metrics to do security scans of their customers for PCI compliance. The head of finance at the small organization I help was the primary contact with Security Metrics.
Begin Ninja edit:
That brings up another story all together about how I wasn’t told about any of this until I got a call asking “What’s our external IP?” — A question that does not portend a good ending to the day. I found out rather abruptly that PCI compliance is now required for all organizations that handle credit cards, not just those with a certain volume of transactions. I found this out after the website had a preliminary scan and just minutes before the office’s IP was submitted for scanning. O frabjous day! Callooh! Callay!
Where’s my vorpal blade? I feel like snicker-snacking someone.
End Ninja Edit.
For PCI compliance to be achieved, we need some simple security scans of our office’s external IP address as well as our website. No problem… but I still wanted to know a bit more about what was expected of us to pass muster. I went to the SecurityMetrics.com website and was greeted with this magnificent spectacle of failure:
A company that makes its living off of security, specifically PCI compliance, throws a certificate error when going to their site. The solution? Make sure to precede the domain with ‘www’. www.SecurityMetrics.com is the name registered on the SSL certificate, but SecurityMetrics.com by itself was not. I made mention of it to the head of finance, who said that he had to call his Security Metrics contact anyway and would mention it. The second-hand information that I received from the Security Metrics rep was that it was by design. Somehow it made the site more secure. There was some hand-waving about not letting people just put different names in to see what comes back. This way you have to specifically go to their site with full knowledge of where you’re going; otherwise it will throw security errors as a sort of deterrent or block.
I will pause to let you digest that information.
No mention of this security feature is made on the Security Metrics site (at least not that I can find). I figured that it might be listed on a FAQ somewhere, since apparently the Security Metrics rep was familiar with having to hand that answer out. I can’t even find a blip about this on the web at large. I thought maybe someone had seen this and either lauded or lambasted it. So far, it seems like I’m the only one to vocalize my bemusement.
I sent out some tweets to see if anyone could come up with a reason why this would be considered more secure. Two persons mentioned that using wildcard certs is a bad habit and insecure. Michael “@voretaq7” Graziano made the observation that “Technically it is: Wildcard or host-alias certs increase the scope of a secret key breach. Individual certs are always better.” Sean “@nullstream” Cody gave me this eWeek.com article as a reference. Okay, we’re on to something now. This is the first and only coherent reason I’ve heard so far. However, the reasons stopped there.
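To make the name-mismatch point above concrete (a certificate issued for www.SecurityMetrics.com does not cover the bare SecurityMetrics.com name, and a wildcard cert would cover www but still not the bare name), here is a small added example in Python, not code from the post or from Security Metrics. It implements the usual browser rule for matching a hostname against the names in a certificate (exact label match, wildcard only as the whole leftmost label) and pulls names out of a dictionary in the shape Python’s `ssl.SSLSocket.getpeercert()` returns. The sample certificate dictionary `WWW_ONLY_CERT` is constructed to mirror what the post describes; it is not the real certificate.

```python
import re

def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (DNS SAN or CN) against a hostname.

    Rules, as browsers apply them (RFC 6125 style):
      * comparison is case-insensitive and ignores a trailing dot
      * a wildcard is honoured only as the entire leftmost label
      * the wildcard matches exactly one label, so *.example.com covers
        www.example.com but neither example.com nor a.b.example.com
      * a wildcard needs at least two fixed labels after it (no "*.com")
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False          # wildcard anywhere but the leftmost label
    if len(h_labels) != len(p_labels):
        return False          # wildcard matches exactly one label
    return p_labels[1:] == h_labels[1:]


def names_from_peercert(cert: dict) -> list:
    """Collect the DNS names a certificate is valid for.

    `cert` has the shape of ssl.SSLSocket.getpeercert(): subjectAltName
    DNS entries take precedence; the subject CN is only a fallback when
    no SAN extension is present, which is how browsers treat it.
    """
    dns_names = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        return dns_names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def cert_covers(cert_names, hostname: str) -> bool:
    """True if any name in the certificate matches the requested hostname."""
    return any(hostname_matches(n, hostname) for n in cert_names)


def explain(cert: dict, hostname: str) -> str:
    """One-line verdict of the kind a browser would reach for this hostname."""
    names = names_from_peercert(cert)
    verdict = "OK" if cert_covers(names, hostname) else "NAME MISMATCH"
    return f"{hostname}: {verdict} (certificate names: {', '.join(names) or 'none'})"


# Constructed sample modelled on the post: a cert issued only for the www name.
WWW_ONLY_CERT = {
    "subject": ((("commonName", "www.securitymetrics.com"),),),
    "subjectAltName": (("DNS", "www.securitymetrics.com"),),
}

# Constructed sample of a wildcard certificate, to show what it would and
# would not fix.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.securitymetrics.com"),),),
    "subjectAltName": (("DNS", "*.securitymetrics.com"),),
}

if __name__ == "__main__":
    for cert in (WWW_ONLY_CERT, WILDCARD_CERT):
        for host in ("www.securitymetrics.com", "securitymetrics.com",
                     "mail.securitymetrics.com", "a.b.securitymetrics.com"):
            print(explain(cert, host))
```

The point the matcher makes is that the bare domain is never covered by a www-only certificate or by a wildcard; the usual fixes are a certificate that lists both names as subjectAltName entries, or a redirect from the bare name to the www name before TLS is negotiated on the bare name. Note also that the CN fallback in `names_from_peercert` is only used when no SAN extension exists; if a certificate carries any SAN list, browsers ignore the CN entirely.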
No mention of anything about “stopping people from searching to see what comes back” or “requiring people to deliberately go to the main website” was made. Granted, I’m going off of second-hand information that I was being given from the finance manager who asked the Security Metrics rep, but I’m not sure that a two node game of telephone can mutate “It’s a more secure certificate so people can’t crack it” into something like “It doesn’t let people search for other areas of our site.”
Furthermore, all HTTP requests to the site are redirected to an HTTPS connection. Why not mod_rewrite all SecurityMetrics.com requests to www.SecurityMetrics.com? Why not mod_rewrite all subdomain requests to the ‘www’? Something smells fishy. I see a lot of hand-waving and pointy hair. Most people seemed to believe, as do I, that someone made a mistake or was low on funds and only created a cert to correspond with the www name.
However, I am not a security expert by any means. Almost all of what I know about SSL certificates is through dealing with Microsoft Exchange’s RPC over HTTPS and OWA. I’m always open to being taught a lesson. Either this is a highly specialized way of achieving extra security or it’s a rather amusing failure and subsequent excuse on someone’s part. At the very least I think a rewrite rule is in order. What say you?