
Topic: Dwolla's SSL certificate has been revoked (Read 5943 times)

member
Activity: 98
Merit: 10
(:firstbits => "1mantis")
August 01, 2012, 04:47:45 PM
#53
Apparently they revoke it if you miss a payment.
Interesting, most CAs that I have met require a payment for the full validity period, but maybe Verisign has a payment plan because they are so damn expensive for EV certs.

Also, epic fail not paying bills. Roll Eyes

A bank not paying their bills? Wow!

Good thing I am going with direct ACH payments when I can!
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
August 01, 2012, 03:30:58 PM
#52
Apparently they revoke it if you miss a payment.
Interesting, most CAs that I have met require a payment for the full validity period, but maybe Verisign has a payment plan because they are so damn expensive for EV certs.

Also, epic fail not paying bills. Roll Eyes
hero member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
August 01, 2012, 03:27:21 PM
#51
They responded with this:
Quote
Dwolla’s SSL certificate had a minor issue. The SSL certificate was purchased for one year, however, was given a two-year expiration date. This is part of our routine monitoring.

Dwolla realized this error and migrated the certificate to another vendor as an interim solution. Dwolla will revert to our old SSL vendor, a two-year, paid certificate, later this week.

So Verisign issued a 2 year cert, even though Dwolla only paid for one? That's odd, wonder if it was actually the other way around.
  See what Tux posted above. It was issued with a two-year validity. Apparently they revoke it if you miss a payment.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
August 01, 2012, 12:08:29 PM
#50
They responded with this:
Quote
Dwolla’s SSL certificate had a minor issue. The SSL certificate was purchased for one year, however, was given a two-year expiration date. This is part of our routine monitoring.

Dwolla realized this error and migrated the certificate to another vendor as an interim solution. Dwolla will revert to our old SSL vendor, a two-year, paid certificate, later this week.

So Verisign issued a 2 year cert, even though Dwolla only paid for one? That's odd, wonder if it was actually the other way around.
legendary
Activity: 1904
Merit: 1002
I quit using them months ago.  Still glad I did.  I hope this doesn't turn nasty for anyone exposed.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
Bumping this with the text of an email that I sent them via their contact submission form, as follows:

Quote
I would like to know what's going on with your SSL certificate. The following statement is made at this link: http://help.dwolla.com/customer/portal/articles/86685-security-partner-overview

"VeriSign EV Certificate and Encryption

Extended Validation SSL Certificates give high-security web browsers information to clearly identify a web site’s organizational identity. VeriSign is an industry leading EV solution provider.  Our certificate provides a 128-bit minimum to 256-bit encryption."

but you are actually using a cheap GoDaddy certificate. I see that one or more EV certificates from Verisign have been revoked.... Have you had a security incident that you should have warned customers about? Certificates don't just get revoked without a damn good reason, and I feel that this is something extremely important that you need to address.

The only public communication that I have been able to find in regards to this issue is a single Twitter message that says the following:

"‏@dwolla

Working with our partners at @verisign and @symantec to look into a certificate issue some of our users are reporting. Still secure."

but absolutely no communication after that message, posted on the 21st of July, 2012, 10 days ago.

I would appreciate your prompt response in regards to this matter so that I can be assured of your continued security and the security of any data about me that you have stored there.

Thank you and regards,

It's been 10 days since this incident, with nothing more said.
full member
Activity: 196
Merit: 100
Web Dev, Db Admin, Computer Technician
That explains how Stuxnet got into Iran. A Mossad agent is CEO of 3 domain name registration companies, GoDaddy is just one.

This change in domains smells like manipulation/backroom deal shenanigans.
full member
Activity: 210
Merit: 100
Who owns GoDaddy?

According to Wikipedia it's owned by KKR, Silver Lake Partners and Technology Crossover Ventures.
full member
Activity: 196
Merit: 100
Web Dev, Db Admin, Computer Technician
Who owns GoDaddy?
vip
Activity: 608
Merit: 501
-
Just a note, it seems that Dwolla switched to GoDaddy (known to be more trustworthy than Verisign?).

Dwolla, before:


Dwolla, after:
hero member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
So, does anyone know why the certificate was revoked by Verisign? It seems like this caught Dwolla by surprise.
hero member
Activity: 504
Merit: 500
how does one know they can trust the 'network notary' server?
Because the user chooses that notary themselves.



Yea, that does not quite cut it though. It's not like choosing your partner or something that you know all about. How is the list made to choose from? What verifies that the list is trustworthy notaries? I'd assume this service decides that list, and if so does not do anything to reduce any trust issues with just using the standard CAs. It instead would increase trust issues unless there is some really in-depth method for listing trusted notaries.
full member
Activity: 197
Merit: 100
how does one know they can trust the 'network notary' server?
Because the user chooses that notary themselves.

legendary
Activity: 924
Merit: 1004
Firstbits: 1pirata
Call me a conspiracy theorist, but I believe this is The Powers That Be (TPTB) using their influence at Verisign to interfere with bitcoin.

A few months ago, I have had similar problems with Firefox telling me that the certificates were not valid on the Intersango, Mt Gox, and btc-e.com.

Even today, my android phone will not let me use MtGox Mobile app due to some problem with the certificate.

IMO TPTB use certificate authorities and anti-virus software like Norton to implement a casual form of website blacklisting.
Stay calm, here is the solution about the certificates problem http://perspectives-project.org/

how does one know they can trust the 'network notary' server? It seems like one more point of potential breach to me to bypass the CA's and then rely on yet another place for verification of SSL certs. Granted I did not read through to see how they address the trust issue.

I think this quote clears it out...


Quote
Perspectives takes a different approach to how the web browser determines if an SSL certificate is valid.  Instead of requiring browser users to trust an anointed group of certificate authorities, Perspectives gives users the ability to pick a group they trust (e.g., the EFF, Google, their company, their university, their group of friends, etc.) and trust no one else.

How is this possible?  Perspectives has a decentralized model that lets anyone run one or more “network notary servers”.  A network notary server is connected to the Internet and regularly monitors websites to build a history of the SSL certificate used by each site.  Notary servers or groups of notary servers may be operated by public organizations, private companies, or even individuals.

Rather than validating an SSL certificate by checking for certificate authority approval, with Perspectives the browser validates a certificate by checking for consistency with the certificates observed by the network notaries over time.  With network notary servers spread around the world and keeping a history of data, it is VERY hard for an attacker to launch a man-in-the-middle attack (see our academic paper for a full security analysis).

Just like a user picks which search engine their browser will use, the user can also choose what group(s) of network notaries they will trust.  The user him/herself can choose whether they trust Comodo, the U.S. government, the Chinese government, or not.  And because all notary data is public, the quality of different network notaries can be measured and evaluated by anyone, creating a market for better security.
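
The consistency check described in the quoted Perspectives text, as an added example that is not part of the original post and not the Perspectives project's own code: a simplified model in which each notary keeps a per-site history of observed certificate fingerprints, and the client accepts a certificate only if a quorum of its chosen notaries has seen that certificate recently and for long enough. The notary names, fingerprints, thresholds and function names are constructed for illustration.

```python
import math
from dataclasses import dataclass

DAY = 86400
NOW = 1_343_779_200  # constructed "current time" (2012-08-01 00:00 UTC)

@dataclass(frozen=True)
class Observation:
    fingerprint: str  # certificate fingerprint the notary recorded
    first_seen: int   # unix time of the first scan showing it
    last_seen: int    # unix time of the latest scan showing it

def notary_agrees(history, fingerprint, now, min_duration, max_staleness=2 * DAY):
    """True if one notary saw `fingerprint` recently and for at least min_duration."""
    for obs in history:
        if obs.fingerprint != fingerprint:
            continue
        fresh = now - obs.last_seen <= max_staleness
        if fresh and obs.last_seen - obs.first_seen >= min_duration:
            return True
    return False

def quorum_check(notaries, fingerprint, now, quorum=0.75, min_duration=0):
    """notaries: {name: [Observation, ...]}. Returns (accepted, agreeing notary names)."""
    agreeing = sorted(name for name, history in notaries.items()
                      if notary_agrees(history, fingerprint, now, min_duration))
    needed = math.ceil(quorum * len(notaries))
    # With no notaries configured there is no evidence at all, so reject.
    return (len(notaries) > 0 and len(agreeing) >= needed), agreeing

def sample_notaries():
    """Constructed histories: a site replaced its certificate 10 days ago."""
    old = Observation("aa:11", NOW - 400 * DAY, NOW - 12 * DAY)
    new = Observation("bb:22", NOW - 10 * DAY, NOW)
    return {
        "n1": [old, new],
        "n2": [old, new],
        "n3": [old, new],
        "n4": [old],  # this notary has not rescanned since the switch
    }

if __name__ == "__main__":
    notaries = sample_notaries()
    print(quorum_check(notaries, "bb:22", NOW))                         # current cert
    print(quorum_check(notaries, "bb:22", NOW, min_duration=30 * DAY))  # strict client
    print(quorum_check(notaries, "cc:33", NOW))                         # seen by no notary
    print(quorum_check(notaries, "aa:11", NOW))                         # replaced cert
```

With a 30-day duration requirement, a legitimately replaced certificate (such as after a change of certificate vendor) is rejected until the notaries have observed it for that long, which is the usability cost of relying on history.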

hero member
Activity: 504
Merit: 500
Call me a conspiracy theorist, but I believe this is The Powers That Be (TPTB) using their influence at Verisign to interfere with bitcoin.

A few months ago, I have had similar problems with Firefox telling me that the certificates were not valid on the Intersango, Mt Gox, and btc-e.com.

Even today, my android phone will not let me use MtGox Mobile app due to some problem with the certificate.

IMO TPTB use certificate authorities and anti-virus software like Norton to implement a casual form of website blacklisting.
Stay calm, here is the solution about the certificates problem http://perspectives-project.org/

how does one know they can trust the 'network notary' server? It seems like one more point of potential breach to me to bypass the CA's and then rely on yet another place for verification of SSL certs. Granted I did not read through to see how they address the trust issue.
legendary
Activity: 1148
Merit: 1008
If you want to walk on water, get out of the boat
Call me a conspiracy theorist, but I believe this is The Powers That Be (TPTB) using their influence at Verisign to interfere with bitcoin.

A few months ago, I have had similar problems with Firefox telling me that the certificates were not valid on the Intersango, Mt Gox, and btc-e.com.

Even today, my android phone will not let me use MtGox Mobile app due to some problem with the certificate.

IMO TPTB use certificate authorities and anti-virus software like Norton to implement a casual form of website blacklisting.
Stay calm, here is the solution about the certificates problem http://perspectives-project.org/
hero member
Activity: 504
Merit: 500
Call me a conspiracy theorist, but I believe this is The Powers That Be (TPTB) using their influence at Verisign to interfere with bitcoin.

A few months ago, I have had similar problems with Firefox telling me that the certificates were not valid on the Intersango, Mt Gox, and btc-e.com.

Even today, my android phone will not let me use MtGox Mobile app due to some problem with the certificate.

IMO TPTB use certificate authorities and anti-virus software like Norton to implement a casual form of website blacklisting.

Ridiculous.  When "TPTB" start giving a shit about Bitcoin, they won't interfere with some passive-aggressive certificate revocation scheme.  They'll come at it with guns blazing.

Not to mention, isn't bitcoin only a small part of Dwolla's business?  It is still possible someone has it out for Dwolla, but who that may be is anyone's guess.
sr. member
Activity: 284
Merit: 250
Call me a conspiracy theorist, but I believe this is The Powers That Be (TPTB) using their influence at Verisign to interfere with bitcoin.

A few months ago, I have had similar problems with Firefox telling me that the certificates were not valid on the Intersango, Mt Gox, and btc-e.com.

Even today, my android phone will not let me use MtGox Mobile app due to some problem with the certificate.

IMO TPTB use certificate authorities and anti-virus software like Norton to implement a casual form of website blacklisting.

Ridiculous.  When "TPTB" start giving a shit about Bitcoin, they won't interfere with some passive-aggressive certificate revocation scheme.  They'll come at it with guns blazing.
member
Activity: 98
Merit: 10
(:firstbits => "1mantis")
Call me a conspiracy theorist, but I believe this is The Powers That Be (TPTB) using their influence at Verisign to interfere with bitcoin.

A few months ago, I have had similar problems with Firefox telling me that the certificates were not valid on the Intersango, Mt Gox, and btc-e.com.

Even today, my android phone will not let me use MtGox Mobile app due to some problem with the certificate.

IMO TPTB use certificate authorities and anti-virus software like Norton to implement a casual form of website blacklisting.

This is why we need to develop the DarkNet real freaking quick.
full member
Activity: 197
Merit: 100
Call me a conspiracy theorist, but I believe this is The Powers That Be (TPTB) using their influence at Verisign to interfere with bitcoin.

A few months ago, I have had similar problems with Firefox telling me that the certificates were not valid on the Intersango, Mt Gox, and btc-e.com.

Even today, my android phone will not let me use MtGox Mobile app due to some problem with the certificate.

IMO TPTB use certificate authorities and anti-virus software like Norton to implement a casual form of website blacklisting.