interesting issue found yesterday

Hi all,

Here's an interesting one I stumbled upon yesterday.  I'm posting it here 
for folks to consider, comment, and possibly help us in building the 
various recommendations we're starting to build.  I have tried to 
obfuscate the specific companies involved, but I suspect you may wind up 
seeing through it anyway.

I received a notice that the battery in my notebook computer may be 
recalled.  It had a link in it for the company's support site.  (e-mail 
message came from IBM support - seemed to have all the right icons - 
looked like a Notes ID sent it, not an Internet mail address)

At the company's support site, I was prompted for my battery serial number 
- I provided it since this isn't information that identifies me personally 
and I can understand needing this information to help me out, and then was 
told that yes, indeed, my battery was being recalled.

To get the replacement, I was dropped into a page (SSL-protected) to enter 
my name/address info for shipping purposes.  Here's where it got 
interesting.

On page load - Firefox popped up a message telling me it didn't like the 
company's Server certificate!!!  So I investigated.  The indication was 
that the cert was signed by an unknown signer.  So I looked at the signer 
information.  It said "Verisign Class 3 ..." from "Verisign, Inc.".

So I looked at my set of known CA signer certificates ... I have 3 (count 
'em 3) Verisign Class 3 CA signer certificates known to my Firefox 
install.

So how could it be that I don't have the "right one"?  (actually, I know 
how it could be - Verisign created a new one, and I didn't know I was 
supposed to go out and get it ... or I have a Firefox install that hadn't 
had the right CA signer's update applied).

Everything looks right ... even to my eyes which ought to know better ... 
what could possibly be the issue?

I went back to the site this morning to try and re-create but alas, it 
won't let me enter the same battery serial number twice so I can't get to 
the page.

Bottom line - even after doing everything I thought I should do to check, 
I was still dumbfounded as to what the problem/issue was.  And yes, sad as 
it sounds, I boldly accepted/closed the pop-up boxes and entered my 
address anyway.  After all, I don't want my battery to melt my kitchen 
table so I had to tell them my shipping address.

Was it a configuration issue or did I just get phished? ... and how would 
my mother know the difference if it was her trying to figure it out?

I'm looking forward to your comments on this.  How would we tell end 
users, server site administrators, help desk personnel, and others how to 
address such a situation?  Who could be considered to be "at fault" (if 
anyone)?

Regards,
Tim Hahn

Internet: hahnt@us.ibm.com
Internal: Timothy Hahn/Durham/IBM@IBMUS
phone: 919.224.1565     tie-line: 8/687.1565
fax: 919.224.2530

Received on Wednesday, 14 March 2007 14:03:04 UTC
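One common benign explanation for an "unknown signer" warning when the named CA is already in the browser's store is a server that sends its own certificate but not the intermediate CA certificate, so the browser cannot link the leaf to the root it trusts; whether that was the cause here is an assumption, since the message does not establish it. The script below is an added example written for this page, not code from the original post: it builds a constructed root -> intermediate -> server chain with the `openssl` command line and shows the check an administrator would run, assuming `openssl` and `mktemp` are available.

```shell
#!/bin/sh
# Added example, not from the original post: build a throwaway root ->
# intermediate -> server chain (all constructed) and show how an
# administrator checks whether "unknown signer" is caused by a server that
# omits its intermediate CA certificate even though the root is trusted.
set -e

# Create the constructed PKI in a temp directory and print its path.
build_chain() (
    dir=$(mktemp -d)
    cd "$dir"
    printf 'basicConstraints=CA:TRUE\n' > ca.ext
    for name in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
            -out "$name.csr" -subj "/CN=constructed-$name" >/dev/null 2>&1
    done
    # Self-signed root CA (stands in for the CA certificate a browser ships).
    openssl x509 -req -in root.csr -signkey root.key -out root.pem \
        -days 1 -extfile ca.ext >/dev/null 2>&1
    # Intermediate CA issued by the root.
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -out int.pem -days 1 -extfile ca.ext >/dev/null 2>&1
    # Server (leaf) certificate issued by the intermediate, no CA extension.
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -out leaf.pem -days 1 >/dev/null 2>&1
    echo "$dir"
)

# Verify the leaf with only the root trusted, mirroring a browser that has
# the root in its store but received nothing else from the server. Extra
# arguments (e.g. -untrusted int.pem) stand in for certificates the server
# sends in its handshake. Prints "ok", "missing-issuer" or the raw error.
verify_chain() {
    dir=$1; shift
    if out=$(openssl verify -CAfile "$dir/root.pem" "$@" "$dir/leaf.pem" 2>&1); then
        echo ok
    else
        case $out in
            *"unable to get local issuer certificate"*) echo missing-issuer ;;
            *) echo "$out" ;;
        esac
    fi
}

# The first call reproduces the symptom from the message; the second is the
# correctly configured server that also supplies its intermediate.
d=$(build_chain)
echo "root only:           $(verify_chain "$d")"
echo "root + intermediate: $(verify_chain "$d" -untrusted "$d/int.pem")"
```

Against a live server the same check is `openssl s_client -showcerts` to capture what the server actually sends, followed by `openssl verify` against the local trust store; a chain that only validates once the intermediate is added by hand points at the server configuration rather than at the CA.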