Thursday, May 26, 2016

Anomaly with City of Toronto site security...

I ran across an anomaly on the City of Toronto website today....

They go to pains to point out that you're on a secure site in a weird "in-ya-face" way.  This is normally a red flag for me. People make a point of pointing out something when they believe your mind needs to be changed.  For instance, I'm told my burgers are 100% beef because someone in marketing thinks we have ideas that maybe it's not.  I'm told the latest cars are much more fuel efficient, because someone thinks I might have other opinions on this.  Now I'm being told in big message boxes that something is secure.  Mental red flag.

OK, let's suspend disbelief for a second and imagine that it actually is secure - where is the browser padlock?  


I clicked the "Close" button and then got to the next screen, where again it points out that you are in a secure site on the first line.  Again, there's still no browser padlock.  I also noted the usual bank-trade trick of proclaiming things are secure and placing the onus on the user to make sure they've done their bit for security.... even though the padlock is still missing.


So, I took a quick look at the certificate. The first thing you notice, other than that the City of Toronto is apparently in Macau, is the verification error that this is a self-signed certificate - so this is no more valid than if I generated one here on my computer and delivered it on a USB stick to City Hall. I've highlighted both items in red.


Jasons-2013-MacBook-Pro:~ jasoncoulls$ echo ^d | openssl s_client -connect secure.toronto.ca:443
CONNECTED(00000003)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/C=CA/ST=Ontario/L=Toronto/O=City of Toronto/OU=Technology Infrastructure Services - macau-w1/CN=secure.toronto.ca
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
subject=/C=CA/ST=Ontario/L=Toronto/O=City of Toronto/OU=Technology Infrastructure Services - macau-w1/CN=secure.toronto.ca
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 4853 bytes and written 636 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-GCM-SHA256
    Session-ID: 00000D2AD210CD02429618321FAA1D60105219435858585857471DBB000016D0
    Session-ID-ctx: 
    Master-Key: DDEF69EA999B9A7FA1AAA0AE94D5F3A00F5F9FF5F47D854BAC1621B018CC81751C17BCE855B6FE497AD99445EAE5830C
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1464278459
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---

DONE


So, there you have it.  Whilst the city tells you it's secure, both the browser and the openssl tool's verification give errors or refuse to show the padlock.
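
The chain listing in the s_client output above can also be read mechanically. The following is an added example, not code from the original post: it parses the "Certificate chain" section and the "verify error" line (excerpted from the output above) and reports the depth at which verification failed and which chain entry has an identical subject and issuer. The function names are illustrative.

```python
import re

# Chain-related lines excerpted from the s_client output shown in the post.
S_CLIENT_OUTPUT = """\
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/C=CA/ST=Ontario/L=Toronto/O=City of Toronto/OU=Technology Infrastructure Services - macau-w1/CN=secure.toronto.ca
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
"""

def parse_chain(text):
    """Return [(index, subject, issuer)] from the 'Certificate chain' section."""
    section = text.split("Certificate chain\n", 1)[1].split("\n---", 1)[0]
    pairs = re.findall(r"^[ \t]*(\d+) s:(.*)\n[ \t]+i:(.*)$", section, re.M)
    return [(int(n), s.strip(), i.strip()) for n, s, i in pairs]

def parse_verify_errors(text):
    """Return [(depth, errnum, message)]; each error line follows its depth= line."""
    found = re.findall(r"^depth=(\d+) .*\nverify error:num=(\d+):(.*)$", text, re.M)
    return [(int(d), int(n), msg.strip()) for d, n, msg in found]

def summarize(text):
    chain = parse_chain(text)
    return {
        # Subject == issuer is a textual sign of a self-issued (root) entry;
        # it is a name comparison, not a signature check.
        "self_issued": [n for n, s, i in chain if s == i],
        # Each certificate should name the next entry's subject as its issuer.
        "links_consistent": all(a[2] == b[1] for a, b in zip(chain, chain[1:])),
        "leaf_issuer": chain[0][2],
        "errors": parse_verify_errors(text),
    }

if __name__ == "__main__":
    for key, value in summarize(S_CLIENT_OUTPUT).items():
        print(f"{key}: {value}")
```

On the output above, it reports the verify error (num=19) at depth 3 and chain entry 3 as the only entry whose subject and issuer are identical.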