StumbleUpon | Hobbadehoy's favorites

18 November 2009

Norwegian Netbanks SSL Certificates (use of Extended Validation)

I had some fun today going through some of the Norwegian netbanks' SSL certificates. My question was whether they used certificates with Extended Validation, the ones that give you a green address bar in your browser. My results show that only 1/4 of the banks are using them.


Those banks that host their own dedicated netbank should upgrade to an Extended Validation certificate next time. And of course make sure that you have your own company name in the Organization part of the certificate, and not IBM Danmark.

The other banks, the ones hosted by EDB, well. Would you like to promote your bank or your partner?
I can't see how they can start using Extended Validation certificates without starting to promote EDB.

Here are the results:

Bank                        | DNS                       | Cert. Organization                     | Valid from - to     | Extended Validation
DnB NOR                     | www.dnbnor.no             | DnB NOR Bank ASA                       | 13.11.08 - 14.11.10 | Yes
Nordea                      | nettbanken.nordea.no      | Nordea Bank Norge ASA                  | 05.02.09 - 03.03.10 | No
Sparebank 1 Oslo & Akershus | www2.sparebank1.no        | SpareBank 1 Gruppen                    | 22.10.09 - 24.10.11 | Yes
Sparebank Vest              | nettbank.spv.no           | Sparebank Vest                         | 19.01.09 - 20.01.11 | Yes
Fokus Bank                  | nettbank.fokus.no         | Danske Bank AS                         | 17.06.08 - 18.06.10 | No
Skandiabanken               | secure.skandiabanken.no   | Forsakringsaktiebolaget Skandia (publ) | 11.05.09 - 12.05.11 | Yes
Gjensidige Bank             | www.gjensidige.no         | GJENSIDIGE FORSIKRING BA               | 22.09.09 - 23.09.11 | No
Bank2                       | www.terra.as              | Terra Gruppen AS                       | 30.09.09 - 17.12.10 | No
Bank Norwegian              | nettbank.banknorwegian.no | IBM Danmark A/S                        | 22.09.09 - 23.09.11 | No
YA Bank                     | www.portalbank.no         | IBM Danmark A/S                        | 11.07.08 - 12.07.10 | No
Then you have all the banks using the services of EDB Business Partner.
These are banks like SEB Privatbanken, Storebrand Bank, BNP Paribas Oslo Branch, Handelsbanken and Verdibanken.
They all use the same server at EDB:

DNS              | Cert. Organization       | Valid from - to     | Extended Validation
nettbank.edb.com | EDB Business Partner ASA | 22.07.09 - 22.08.11 | No
Bank Santander, the bank behind begyrfri.no, uses another EDB Business Partner server, https://secure.edb.com, with a certificate valid from 27.10.08 to 28.10.11.
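The check the post describes, reading the Organization, the validity period and the EV status off a server certificate, as an added Go example (not code from the post). To run offline it builds a constructed self-signed certificate instead of connecting to a real bank; `IsEV` looks for the CA/Browser Forum EV policy OID and a few CA-specific EV OIDs in the certificatePolicies extension, and `Inspect` also flags a certificate whose Organization is not the bank's own name, the IBM Danmark case in the table above. The bank and organization names in `main` are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// id-ce-certificatePolicies (2.5.29.32): the extension that carries policy OIDs.
var oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}

// Policy OIDs that assert Extended Validation. The first is the CA/Browser
// Forum EV OID, the rest are a few CA-specific EV OIDs of the period; a real
// checker uses the browser's full table. A browser also requires the chain to
// end at a root it trusts for that OID, which this example does not verify.
var evPolicyOIDs = []asn1.ObjectIdentifier{
	{2, 23, 140, 1, 1},                   // CA/Browser Forum EV
	{2, 16, 840, 1, 114412, 2, 1},        // DigiCert EV
	{2, 16, 840, 1, 113733, 1, 7, 23, 6}, // VeriSign EV
	{1, 3, 6, 1, 4, 1, 4146, 1, 1},       // GlobalSign EV
}

// Finding is one row of the kind of table in the post.
type Finding struct {
	Organization string
	NotBefore    time.Time
	NotAfter     time.Time
	EV           bool
	OrgMatches   bool // subject O is the bank's own name, not a hosting provider
}

// IsEV reports whether the certificate asserts one of the known EV policy OIDs.
func IsEV(cert *x509.Certificate) bool {
	for _, pol := range cert.PolicyIdentifiers {
		for _, ev := range evPolicyOIDs {
			if pol.Equal(ev) {
				return true
			}
		}
	}
	return false
}

// Inspect summarises a certificate the way the post's table does.
func Inspect(cert *x509.Certificate, expectedOrg string) Finding {
	org := strings.Join(cert.Subject.Organization, ", ")
	return Finding{
		Organization: org,
		NotBefore:    cert.NotBefore,
		NotAfter:     cert.NotAfter,
		EV:           IsEV(cert),
		OrgMatches:   strings.EqualFold(org, expectedOrg),
	}
}

// MakeTestCert builds a self-signed certificate (constructed test data, not a
// real bank certificate) with the given Organization and, optionally, the
// CA/Browser Forum EV policy OID in a certificatePolicies extension.
func MakeTestCert(org string, ev bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{org}, CommonName: "netbank.example.invalid"},
		NotBefore:    time.Date(2009, 11, 18, 0, 0, 0, 0, time.UTC),
		NotAfter:     time.Date(2011, 11, 18, 0, 0, 0, 0, time.UTC),
	}
	if ev {
		// CertificatePolicies ::= SEQUENCE OF PolicyInformation,
		// PolicyInformation ::= SEQUENCE { policyIdentifier OID, qualifiers OPTIONAL }
		type policyInformation struct {
			Policy asn1.ObjectIdentifier
		}
		val, err := asn1.Marshal([]policyInformation{{Policy: evPolicyOIDs[0]}})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cases := []struct {
		bank, org string
		ev        bool
	}{
		{"Example Bank ASA", "Example Bank ASA", true},
		{"Example Bank ASA", "Some Hosting Provider A/S", false},
	}
	for _, c := range cases {
		cert, err := MakeTestCert(c.org, c.ev)
		if err != nil {
			panic(err)
		}
		f := Inspect(cert, c.bank)
		fmt.Printf("%-26s EV=%-5v org-matches=%-5v valid %s - %s\n", f.Organization, f.EV, f.OrgMatches,
			f.NotBefore.Format("02.01.06"), f.NotAfter.Format("02.01.06"))
	}
}
```

Against a live server you would replace `MakeTestCert` with `tls.Dial` and pass `conn.ConnectionState().PeerCertificates[0]` to `Inspect`; the rest of the check is unchanged.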



Other information that I found in my search and that I find funny:

17 November 2009

The surprising science of motivation

Career analyst Dan Pink examines the puzzle of motivation, starting with a fact that social scientists know but most managers don't: traditional rewards aren't always as effective as we think.

Source: http://www.ted.com

27 October 2009

The problem of implementing the EU Data Retention Directive

In Norway there is now a lot of debate about the EU Data Retention Directive. The question is whether Norway should implement it or not. The Government in Norway is split on this question, even though both the Data Inspectorate and the Article 29 Data Protection Working Party have warned against it.

Why shouldn’t we implement the Data Retention Directive if it can help us solve and fight crime?

Because we can’t implement it in a secure manner!

When we start storing these types of data, they must be stored with the following three principles in mind:

  • Only authorized personnel have access
  • The information is only used for authorized purposes
  • The person is informed when information about him/her is used.


This will never be implemented, because it costs a lot of money and the companies holding the data don't have enough interest in doing it. (And the government will surely not pay for it.)
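What the three principles look like when they are actually built into a system, as an added Go example (not code from the post or from any telecom operator): every read of retained data goes through one `Access` call that checks the requester's role against the purposes that role is granted, writes an audit entry whether or not the read was allowed, and queues a notification to the data subject on every successful read. The roles, purposes and the record shape are made up for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Record is one retained traffic-data record (constructed shape).
type Record struct {
	Subscriber string
	Detail     string
}

// AuditEntry is written for every access attempt, allowed or not.
type AuditEntry struct {
	When       time.Time
	Requester  string
	Role       string
	Purpose    string
	Subscriber string
	Allowed    bool
}

// Store keeps retained records behind a purpose-bound authorization check.
type Store struct {
	records       map[string][]Record        // subscriber -> records
	roles         map[string]string          // requester -> role
	grants        map[string]map[string]bool // role -> purposes it may read for
	Audit         []AuditEntry
	Notifications []string // messages queued for the data subjects
	now           func() time.Time
}

var ErrNotAuthorized = errors.New("requester is not authorized for this purpose")

func NewStore(now func() time.Time) *Store {
	return &Store{
		records: map[string][]Record{},
		roles:   map[string]string{},
		grants:  map[string]map[string]bool{},
		now:     now,
	}
}

func (s *Store) AddRecord(r Record) { s.records[r.Subscriber] = append(s.records[r.Subscriber], r) }

func (s *Store) AssignRole(requester, role string) { s.roles[requester] = role }

// AllowRole grants a role read access for the listed purposes only.
func (s *Store) AllowRole(role string, purposes ...string) {
	if s.grants[role] == nil {
		s.grants[role] = map[string]bool{}
	}
	for _, p := range purposes {
		s.grants[role][p] = true
	}
}

// Access enforces the three principles: only an authorized role may read (1),
// only for a purpose that role is granted (2), and the subscriber is told
// about every successful read (3). Every attempt, allowed or denied, is audited.
func (s *Store) Access(requester, purpose, subscriber string) ([]Record, error) {
	role, known := s.roles[requester]
	allowed := known && s.grants[role][purpose]
	s.Audit = append(s.Audit, AuditEntry{
		When: s.now(), Requester: requester, Role: role, Purpose: purpose,
		Subscriber: subscriber, Allowed: allowed,
	})
	if !allowed {
		return nil, ErrNotAuthorized
	}
	s.Notifications = append(s.Notifications, fmt.Sprintf(
		"%s: retained data about you was read by %s (role %s) for purpose %q",
		subscriber, requester, role, purpose))
	return s.records[subscriber], nil
}

func main() {
	s := NewStore(time.Now)
	s.AddRecord(Record{Subscriber: "subscriber-1", Detail: "call record (constructed)"})
	s.AllowRole("billing", "invoicing")
	s.AllowRole("lawful-access-officer", "court-ordered-investigation")
	s.AssignRole("ola", "billing")
	s.AssignRole("kari", "lawful-access-officer")
	for _, try := range []struct{ who, purpose string }{
		{"kari", "court-ordered-investigation"}, // allowed
		{"ola", "court-ordered-investigation"},  // wrong role
		{"kari", "marketing"},                   // right role, unauthorized purpose
	} {
		recs, err := s.Access(try.who, try.purpose, "subscriber-1")
		fmt.Printf("%s for %q: %d record(s), err=%v\n", try.who, try.purpose, len(recs), err)
	}
	fmt.Println(len(s.Audit), "audit entries,", len(s.Notifications), "notification(s)")
}
```

The point of routing every read through one function is that the authorization rule, the audit trail and the notification cannot be skipped by a caller that only has access to the raw storage; that is exactly the machinery the post says billing-only systems were never built with.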

The data needed to implement the Directive will be stored by hundreds of different telecom companies. These companies store data today, but only for the purpose of billing. Today's laws are actually quite strict on this, telling the telecom companies to store as little personal information as possible. This means that these companies don't have a lot of smart authorization rules built into their systems today. They haven't needed them.


If the EU Data Retention Directive is implemented, the different telecom companies will be required to store personal information alongside everything else. The government will not support them with money in this process but will just require them to comply.

The result:

  • Hundreds of different insecure systems collecting personal information about you.

See the articles about this topic at: The Data Inspectorate.