
Recent Bank of Ireland outage, no SSL Certificate

  • 02-07-2023 2:56pm
    #1
    Posts: 0 ✭✭✭✭


    Joe Public was seriously inconvenienced for about a day recently by the outage of Banking365, confronted with the message of no SSL Certificate. I think Joe Public deserves to know what might have happened.

    For folk who know little or nothing, I’ll put it simply: in order for safe encrypted transfers to take place between you and the bank in this case, an SSL Certificate needs to be in place. For anyone curious, SSL stands for Secure Sockets Layer, and the secure bit is obvious to anyone. These need to be renewed periodically as things can change; this can be done through management software or a human being in the organisation. In any case a human would/should be overseeing that all this is in order.

    For anyone interested, encryption here works by a pair of keys, a public and private key; the pairing or handshake happens with every transaction you do through the likes of Banking 365. Happens with your WhatsApp messages too, we are informed. Data cannot be seen without both keys, and the private key should be kept secret to the organisation’s system.

    There are a number of possibilities of why a site, as happened with Banking365, displayed No SSL Cert. One is that the cert was let expire by lack of oversight, plain carelessness at a most basic level. Are we to believe BOI let this happen, by not having proper management of it in place on a software and human level? It’s possible.

    Another possibility is that a human revoked the certificate on an emergency basis because it got compromised, i.e. leaked out to a bad actor. This would be a serious matter with a lot of implications.

    Third possibility is a malfunction of the software managing the certificate. A fourth possibility is someone purposefully revoked the cert to take the site offline for some reason unknown, like pulling the fuel cut off valve in an airline to stop the engine.

    Anyone else have thoughts on this?



Comments

  • Registered Users Posts: 11,194 ✭✭✭✭Crash


    First one didn't stack up right? Browser will display expired cert error in that case, not no cert.



  • Posts: 0 [Deleted User]


    Exactly, none of scenario 1, 2 or 4 would have resulted in a No SSL Cert error. Someone needs to recode the site.



  • Posts: 0 ✭✭✭✭ [Deleted User]


    I can’t recall exactly what the message was, I had no urgent transactions to complete. I’ll see if I have a screenshot of it.



  • Registered Users Posts: 11,194 ✭✭✭✭Crash


    At a guess, considering what I've seen happen in the past, it's likely that it's very much an "infrastructure as code" release process: they probably had a release, for whatever reason there was some discrepancy around how staging and prod managed credential deployment (or they were identical, but a pre-step was missed) and they pushed out their production stack with a cert missing. Then scrambled to roll back their release process, or fix the release bug and redeploy.


    I don't work in fintech, but regardless of whether you're banking or not, the end result is downed product for a chunk of time. Even in my industry it'd be a pretty unpleasant post mortem and awkward customer questions.



  • Posts: 0 ✭✭✭✭ [Deleted User]


    Found the BOI thread. Another user left a screenshot of invalid SSL.



  • Posts: 0 ✭✭✭✭ [Deleted User]


    Fits the category of the third possibility, and most likely what happened.



  • Moderators, Business & Finance Moderators, Motoring & Transport Moderators, Society & Culture Moderators Posts: 67,697 Mod ✭✭✭✭L1011


    It wasn't "no" SSL cert, it was an expired SSL cert. There is a HUGE difference.



  • Registered Users Posts: 1,724 ✭✭✭tnegun


    Agree, the way the opening post is written you'd think they operated over HTTP for a period. Did anyone actually look at the details of the cert that was presented? That would give a proper indication of what happened.
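
The distinction argued over in this thread (expired certificate, revoked certificate, no usable certificate at all) shows up as different errors during a verified TLS handshake. The following is an added example, not code posted by anyone in the thread: it uses Python's standard `ssl` module, and the category names and the `classify`/`diagnose` helpers are hypothetical.

```python
import socket
import ssl

# OpenSSL X509_V_ERR_* codes, surfaced by Python as
# SSLCertVerificationError.verify_code when certificate validation fails.
VERIFY_CODES = {
    9: "cert-not-yet-valid",
    10: "cert-expired",
    18: "self-signed",
    19: "untrusted-chain",
    20: "untrusted-chain",
    23: "cert-revoked",  # only seen if CRL checking is enabled; off by default
    62: "hostname-mismatch",
}


def classify(exc):
    """Map a connection or handshake exception to a coarse failure category."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        code = getattr(exc, "verify_code", None)
        return VERIFY_CODES.get(code, f"cert-invalid({code})")
    if isinstance(exc, ssl.SSLError):
        # Handshake failed without a certificate verdict, e.g. the port
        # speaks plain HTTP or the server has no certificate configured.
        return "tls-handshake-failed"
    if isinstance(exc, ConnectionRefusedError):
        return "no-listener"
    if isinstance(exc, (socket.timeout, socket.gaierror)):
        return "unreachable"
    return "other-network-error"


def diagnose(host, port=443, timeout=5.0):
    """Attempt a verified TLS handshake; return 'ok' or a failure category."""
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "ok"
    except OSError as exc:  # SSLError and socket errors are OSError subclasses
        return classify(exc)


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        print(name, diagnose(name))
```

Run against a hostname during an incident, an expired certificate reports `cert-expired`, while a deployment that shipped without a certificate fails earlier as `tls-handshake-failed` or `no-listener`.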



  • Posts: 0 ✭✭✭✭ [Deleted User]


    I was working from memory only, hadn’t the app to hand… all I knew was it was an SSL issue that was preventing people gaining access to the bank app. I didn’t need to access my own account at the time but I was watching on Twitter tons of people not being able to make payments. It certainly was rather an inconvenience that a lot of people missed important payments.


