Norwegian Netbanks SSL Certificates (use of Extended Validation)

I had some fun today, going through some of the Norwegian netbanks SSL-Certificates. I questions was if they used Certificates with extended validation. You know those certificates giving a green address bar in your browser.  My results shows that it's only 1/4 of the banks that are using it. 


Those banks that host their own dedicated netbank should upgrade to a Extended validation certificate next time. And of course make sure that  you have your own company name in the Organization part of the Certificate and not IBM Danmark.

The other banks that are hosted by EDB, well. Would you like to promote your bank or your partner?
I can't see how they can start using extended validation certificates without starting to promote EDB.

Here are the results:

Bank	DNS	Cert.Organization	Valid to /from	Extended Validation
DnB NOR	www.dnbnor.no	DnB NOR Bank ASA	13.11.08 - 14.11.10	Yes
Nordea	nettbanken.nordea.no	Nordea Bank Norge ASA	05.02.09 - 03.03.10	No
Sparebank 1 Oslo & Akershus	www2.sparebank1.no	SpareBank 1 Gruppen	22.10.09 - 24.10.11	Yes
Sparebank Vest	nettbank.spv.no	Sparebank Vest	19.01.09 - 20.01.11	Yes
Fokus Bank	nettbank.fokus.no	Danske Bank AS	17.06.08 - 18.06.10	No
Skandiabanken	secure.skandiabanken.no	Forsakringsaktiebolaget Skandia (publ)	11.05.09 - 12.05.11	Yes
Gjensidige Bank	www.gjensidige.no	GJENSIDIGE FORSIKRING BA	22.09.09 - 23.09.11	No
Bank2	www.terra.as	Terra Gruppen AS	30.09.09 - 17.12.10	No
Bank Norwegian	nettbank.banknorwegian.no	IBM Danmark A/S	22.09.09 - 23.09.11	No
YA Bank	www.portalbank.no	IBM Danmark A/S	11.07.08 - 12.07.10	No

Then you have all the banks using the services of EDB Business partner.
This is banks like: SEB Privatbanken, Storebrand Bank, BNP Paribas Oslo Branch, Handelsbanken and Verdibanken.
They all use the same server at EDB:

DNS	Cert.Organization	Valid to /from	Extended Validation
nettbank.edb.com	EDB Business Partner ASA	22.07.09 - 22.08.11	No

The Bank Santander, the bank behind begyrfri.no, are using another EDB Business partner, https://secure.edb.com, with a valid certificate from 27.10.08 to 28.10.11



Other information that I found in my search and that I find funny:

• The e-mail address registered for the domain sparebank1.no is: Bent.Kristiansen@sparebank1.no. I wonder what type of information I can find about this guy?
• The e-mail address registered for the domain banknorwegian.no is: michael.myran@banknorwegian.no. I wonder what type of information I can find about this guy?
• Why are Skandiabanken shouting out that they use: Microsoft-IIS/6.0, AspNet-Version: 2.0.50727?
• Why are EDB business shouting out that they use: WebSphere Application Server/6.1?

the surprising science of motivation

Career analyst Dan Pink examines the puzzle of motivation, starting with a fact that social scientists know but most managers don't: Traditional rewards aren't always as effective as we think. 
 




Source: http://www.ted.com

The problem of implementing the EU Data Retention Directive

I Norway there is now a lot of debate about the EU Directive for Data Retention. The question is if Norway should implement this or not. The Government in Norway is split on this question, even thou both The Data Inspectorate and Art.29 Data Protection Working Party has warned against it.

Why shouldn’t we implement the Data Retention Directive if it can help us solve and fight crime?

Because we can’t implement it in a secure manner!

When we start storing these types of data it must be stored with the following three principles in mind:

• Only authorized personnel has access
• The information only is used for authorized purposes
• The person is informed when information about him/here is used.

This will never be implemented because it costs a lot of money and the companies holding that data hasn’t got enough interest in doing it. (And the government will surely not pay for it.)

The Data needed to implement the Directive will be stored by hundreds of different tele-companies. These companies are storing data today, but only for the purpose of billing. The laws of today are actually quite strict on this, telling the tele-companies to store as little personnel information as possible. This means that these companies don’t have a lot of smart authorization rules built into their systems today. They don’t have the need.


If the EU Directive for Data Retention is implemented, the different tele-companies will be required to store personnel information along side with the everything else. The goverment will not support them with money in this process but just require them to comply.

The result:

• Hundreds of different insecure systems collecting personell information about you.

See the articles about this topic at: The Data Inspectorate.