For Extra Security, Try Certificate Errors!

Recently one of the organizations I do work for (at least until I can get my own business off the ground) had to go through a PCI compliance check. New rules require that all organizations that handle credit cards pass these tests, not just those with a certain volume of transactions.

The service we use to handle credit card transactions and customer payment information contracts with a company called Security Metrics to do security scans of their customers for PCI compliance. The head of finance at the small organization I help was the primary contact with Security Metrics.

Begin Ninja edit:

That brings up another story altogether about how I wasn’t told about any of this until I got a call asking “What’s our external IP?” — a question that does not portend a good ending to the day. I found out rather abruptly that PCI compliance is now required for all organizations that handle credit cards, not just those with a certain volume of transactions. I found this out after the website had a preliminary scan and just minutes before the office’s IP was submitted for scanning. O frabjous day! Callooh! Callay!

Where’s my vorpal blade? I feel like snicker-snacking someone.

End Ninja Edit.

For PCI compliance to be achieved, we needed some simple security scans of our office’s external IP address as well as our website. No problem… but I still wanted to know a bit more about what was expected of us to pass muster. I went to the website and was greeted with a magnificent spectacle of failure: a certificate error.

A company that makes its living off of security, specifically PCI compliance, throws a certificate error when you go to their site. The solution? Make sure to precede the domain with ‘www’. The www host name is the name registered on the SSL certificate, but the bare domain by itself was not. I mentioned it to the head of finance, who said that he had to call his Security Metrics contact anyway and would bring it up. The second-hand information that I received from the Security Metrics rep was that it was by design. Somehow it made the site more secure. There was some hand-waving about not letting people just put different names in to see what comes back. This way you have to specifically go to their site with full knowledge of where you’re going; otherwise it will throw security errors as a sort of deterrent or block.

I will pause to let you digest that information.

No mention of this security feature is made on the Security Metrics site (at least not that I can find). I figured that it might be listed in a FAQ somewhere, since apparently the Security Metrics rep was familiar with having to hand that answer out. I can’t even find a blip about this on the web at large. I thought maybe someone had seen this and either lauded or lambasted it. So far, it seems like I’m the only one to vocalize my bemusement.

I sent out some tweets to see if anyone could come up with a reason why this would be considered more secure. Two people mentioned that using wildcard certs is a bad habit and insecure. Michael “@voretaq7” Graziano made the observation that “Technically it is: Wildcard or host-alias certs increase the scope of a secret key breach. Individual certs are always better.” Sean “@nullstream” Cody gave me this article as a reference. Okay, we’re on to something now. This is the first and only coherent reason I’ve heard so far. However, the reasons stopped there.

No mention of anything about “stopping people from searching to see what comes back” or “requiring people to deliberately go to the main website” was made. Granted, I’m going off of second-hand information that I was given by the finance manager who asked the Security Metrics rep, but I’m not sure that a two-node game of telephone can mutate “It’s a more secure certificate so people can’t crack it” into something like “It doesn’t let people search for other areas of our site.”

Furthermore, all http requests to the site are redirected to an https connection. Why not mod_rewrite all requests for the bare domain to the ‘www’ name as well? Something smells fishy. I see a lot of hand-waving and pointy hair. Most people seemed to believe, as do I, that someone made a mistake or was low on funds and only created a cert to correspond with the www name.

However, I am not a security expert by any means. Almost all of what I know about SSL certificates is from dealing with Microsoft Exchange’s RPC over HTTPS and OWA. I’m always open to being taught a lesson. Either this is a highly specialized way of achieving extra security or it’s a rather amusing failure and subsequent excuse on someone’s part. At the very least I think a rewrite rule is in order. What say you?
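To make concrete what the browser actually checks, and why a rewrite rule can only fix half of this, here is an added example. It is mine, not SecurityMetrics’ configuration and not code from the original post; the example.com names, the SAN lists and the canonical host are constructed stand-ins. It implements the subject-alternative-name matching a browser performs against a certificate, and a small planner that shows what happens to each request: with a certificate that lists only the www name, http://example.com can be redirected, but https://example.com fails in the TLS handshake before the server ever sees a Host header, so no mod_rewrite rule runs for it.

```python
"""Added example (not SecurityMetrics' configuration): what a browser checks
against a certificate's dNSName SANs, and which requests a rewrite rule can
still rescue. All host names and SAN lists are constructed for illustration."""
from typing import Iterable, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


def cert_covers(hostname: str, dns_names: Iterable[str]) -> bool:
    """RFC 6125-style match of hostname against the certificate's dNSName entries.

    Matching is case-insensitive and ignores a trailing dot. A wildcard must be
    the whole left-most label and have at least two labels after it, so
    '*.example.com' covers 'www.example.com' but not 'example.com',
    'a.b.example.com' or anything under '*.com'. Partial-label wildcards such
    as 'w*.example.com' are treated as literals (RFC 6125 only says clients MAY
    honour them; this check does not).
    """
    host = hostname.lower().rstrip(".").split(".")
    for name in dns_names:
        pattern = name.lower().rstrip(".").split(".")
        if len(pattern) != len(host):
            continue
        if "*" in pattern[1:]:
            continue                      # wildcard only in the left-most label
        if pattern[0] == "*" and len(pattern) < 3:
            continue                      # refuse '*.com'
        if all(p == "*" or p == h for p, h in zip(pattern, host)):
            return True
    return False


def plan_request(url: str, cert_dns_names: Iterable[str],
                 canonical_host: str) -> Tuple[str, Optional[str]]:
    """Outcome of one browser request against a site whose certificate lists
    cert_dns_names and whose server redirects everything else to
    https://canonical_host.

    Returns ("tls_error", None) when the browser refuses the handshake,
    ("301", location) when the server gets to answer with a redirect, and
    ("200", None) when the URL is already canonical.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Over https the certificate check happens before any HTTP request is sent,
    # so a server-side rewrite never runs for a name the cert does not cover.
    if parts.scheme == "https" and not cert_covers(host, cert_dns_names):
        return ("tls_error", None)
    # Plain http, or https on a covered but non-canonical name: redirect.
    if parts.scheme != "https" or host != canonical_host.lower():
        location = urlunsplit(("https", canonical_host, parts.path or "/", parts.query, ""))
        return ("301", location)
    return ("200", None)


if __name__ == "__main__":
    canonical = "www.example.com"               # constructed canonical name
    www_only = ["www.example.com"]              # the situation described in the post
    both = ["example.com", "www.example.com"]   # the fix: bare name as a second SAN
    for label, sans in (("www-only cert", www_only), ("cert with both names", both)):
        print(label)
        for url in ("http://example.com/pci/faq", "https://example.com/", "https://www.example.com/"):
            print("  %-28s -> %s" % (url, plan_request(url, sans, canonical)))
```

The Apache equivalent of the redirect is a RewriteCond on %{HTTP_HOST} plus a RewriteRule with [R=301,L], as suggested above, but it only runs for connections that completed the handshake. To make the bare-domain error go away the certificate has to list the bare name as a second SAN (a plain second name, not a wildcard; the wildcard key-scope concern raised in the tweets is a separate question), or the bare name must not be served on port 443 at all.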


  1. Jon Angliss

    June 21, 2010 at 1:00 pm

    I still don’t see the link between the www being required as more secure. I’d say the person was more of a sales drone, and not technically sure of what he was saying.

    The article on wildcard certificates, whilst interesting, doesn’t apply. A certificate for the domain name only is not a wildcard. Wildcard certificates actually have *. at the beginning. So, a certificate for yourdomain.com and www.yourdomain.com will still have a CN= part that is explicit for that name, and will trigger a browser error if you don’t type in the right host name to match. It is /still/ a certificate, with a set level of security encryption applied, and usually comes with some guarantee.

    Maybe it’s a best practice sort of thing? If so, then they should document it if they expect you to follow it. Maybe they view the idea of a compromised domain level certificate the same way you’d view a compromised wildcard certificate, though it’s not at all. I don’t see how it is, because a compromised domain level cert is the same as a compromised subdomain level cert, only a single cert, whilst a compromised wildcard is compromised everywhere it’s used.

    I’m not a security expert, so maybe there is something hidden that they keep away from us mere system administrators, and only for the hands of security ninjas. I’d be inclined to push for more information, if I were able to directly talk to somebody that had a clue.


    • Wesley.Nonapeptide

      June 21, 2010 at 1:53 pm

      Yeah, my Marketing Droid Radar lit up like a Christmas tree when I heard those reasons.

      I couldn’t find any mention of that behavior on their site. The sales guy was apparently very familiar with getting that question, but why it wasn’t mentioned on the site explicitly is beyond me.

      Furthermore, I still think a simple mod_rewrite rule is in order. They did it to redirect http traffic to https.

      All in all I’m not impressed and think it’s lame. However, they’re the contracted PCI peeps that our credit card handler has us use, so whatever. Looks like they’re getting our money anyway.


  2. Nick Danger

    June 24, 2010 at 12:23 pm

    I agree with you, that is really stupid. If they didn’t want to use a wildcard cert, either have the non-FQDN name rewrite to “www.xxxxxx” or just don’t answer unless the FQDN is supplied. I have seen this mistake on certificates with other “Security” firms as well.


    • Wesley.Nonapeptide

      June 24, 2010 at 12:31 pm

      Thanks for the feedback Nick! I’m hoping that someone somewhere might have something positive to say about this, but it’s not looking good for SecurityMetrics.

