Saturday, July 18, 2009

Liberty Mutual web site disappoints on SSL security

I tried to log in to the Liberty Mutual web site the other day and found some annoying things.
  1. The main Liberty Mutual web page at http://www.libertymutual.com/ includes a login form. Given that the page is not secured with SSL, I can't trust the login form. Given that https://www.libertymutual.com/ exists, the unsecured site should just redirect there.

    I looked at Wells Fargo's web site, and I am actually pretty happy with the way Wells Fargo handles this issue. Both http://wellsfargo.com/ and http://www.wellsfargo.com/ redirect to https://www.wellsfargo.com/.

    I am amazed at the frequency with which this error is made. A login form should never appear on an unsecured page.
  2. Liberty Mutual has had a misconfigured SSL certificate on the site that handles their logins (https://pmeservice.libertymutual.com/LMAuth/eservicelog.fcc). See the Firefox screenshot to the left. Basically, I think they don't have the whole certificate chain configured properly (the server is not sending the intermediate certificate that links their certificate to a trusted root), so my browser can't check the authenticity of the certificate. I figured this out by looking at the certificate chain that my browser was getting from the site. See below.

    If you call their support line, they have the worst possible workaround. I was told to simply create a browser exception for the certificate. I might have been willing to do that if they had at least been able to verify the SHA1 fingerprint of the key, but the support folks didn't know what that was.

    Frankly, I think it's quite irresponsible to be running their website like this as I think it greatly increases the chances of an MITM attack.
  3. Finally, I also saw that the Liberty Mutual website is Cybertrust certified, so I sent an email to the support address for that about the situation. They emailed back and claimed that I didn't understand how SSL certs worked. I replied with a more detailed description. Hopefully, they will understand what my problem is this time around.
All of these issues are still a problem today. For (2), how does an SSL certificate error like that stay unfixed for days? That seems like a level of incompetence to me. Is there a better explanation?

UPDATE Sun. July 19, 2009: I just looked up their site report on Netcraft. Check it out. It says the following for the certificate check: "unable to get local issuer certificate". Someone should be answering some hard questions for letting this issue go on for the 4 or 5 days that it has been going on so far.
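To show what an incomplete chain looks like from the client side, here is an added example (my own script, not anything from Liberty Mutual or Netcraft) that reproduces the problem offline with the OpenSSL command line. It constructs a throwaway three-tier chain (a root CA, an intermediate CA and a server certificate; the names are made up), then verifies the server certificate twice: once with only the root available, which is the situation a browser is in when the server omits the intermediate, and once with the intermediate supplied alongside the leaf, which is what a correctly configured server sends. The first check fails with exactly the "unable to get local issuer certificate" message quoted above; the second passes.

```shell
#!/bin/sh
# Reproduce an incomplete certificate chain with OpenSSL (added example; all
# CA names and hostnames below are constructed, nothing here is a real site).

WORK="$(mktemp -d)"   # scratch directory for keys and certificates

# Build root CA -> intermediate CA -> server leaf. Each certificate is
# created from a CSR so we control the extensions explicitly.
make_chain() (
  cd "$WORK" || exit 1
  # Root CA: self-signed, marked as a CA.
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Example Root CA" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
  openssl x509 -req -in root.csr -signkey root.key -days 365 \
    -extfile ca.ext -out root.pem >/dev/null 2>&1
  # Intermediate CA: signed by the root, also marked as a CA.
  openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 365 -extfile ca.ext -out inter.pem >/dev/null 2>&1
  # Server (leaf) certificate: signed by the intermediate, not a CA.
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=login.example.test" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:login.example.test\n' > leaf.ext
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 365 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1
)

# Case 1: the client trusts the root but the server sent only its own
# certificate. No path to the root can be built, so verification fails.
verify_without_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" 2>&1
}

# Case 2: the server sends leaf + intermediate (the usual "full chain" file).
# The intermediate is passed as untrusted chain material, exactly as a
# browser treats certificates received over the wire.
verify_with_intermediate() {
  cat "$WORK/leaf.pem" "$WORK/inter.pem" > "$WORK/fullchain.pem"
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/fullchain.pem" \
    "$WORK/leaf.pem" 2>&1
}

make_chain
echo "--- server sends only the leaf certificate:"
verify_without_intermediate || true
echo "--- server sends leaf + intermediate:"
verify_with_intermediate || true
```

Against a live server the equivalent check is `openssl s_client -connect host:443 -showcerts`, which prints every certificate the server actually sends; if the issuer of the first certificate is not among them and is not a root the client already trusts, you get the same error 20 that Netcraft reported. The fix is on the server side only: concatenate the intermediate certificate after the server certificate in whatever file the web server is configured to present.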

UPDATE Mon. July 20, 2009: I just looked at the site again, and Liberty Mutual has finally fixed it. The fact that it took so long to fix the issue makes me want to corner the CIO and ask him what took so long. Since the issue is fixed, the Netcraft report is also able to verify the certificate now.