Lloyds TSB certificate glitch sparks concerns
Trust no one
Online banking customers logging onto the Lloyds TSB website on Friday morning were confronted by potentially confusing warnings about a security certificate.
Consumers were greeted with a "website certified by an unknown authority" pop-up message for *.clickshift.com after accessing online.lloydstsb.co.uk.
The domain involved is not an essential part of the Lloyds site, so refusing the certificate doesn't cause a problem. The certificate involved is attached to a webtrends stats gathering engine.
Instead of advising customers to refuse the certificate, Lloyds TSB online banking staff told Reg readers to click OK when the SSL security error popped up. So users are being asked to ignore a warning about the possibility that confidential information might be stolen by someone pretending to be clickshift.com, an entity few are likely to recognise in the first place.
"Given all the scams that you are advised to look out for, you would have thought the bank would have been quicker to advise people to not accept it and deal with the pop ups rather than train customers to just say yes blindly," said Reg reader Zoe, summarising the concerns about the site several of you have written to us about this morning. "It's worrying in its own right that a UK bank is using a hosted web stats gathering engine, thus transferring all page visit information to another set of servers not under their control," she added.
Lloyds TSB responded promptly to our requests for comment on the matter, confirming that punters phoning up with concerns are been advised to accept the certificate. A spokeswoman for the site acknowledged the situation was far from ideal and could give rise to security concerns among its online banking customers.
She said the certificate glitch was nothing to worry about, adding that customers should be assured that Lloyds TSB would take its site offline in the event of a serious security concern.
The cause of the certificate glitch is not immediately clear. Lloyds TSB is working on the problem, which it hopes to resolve sometime later this afternoon. ®
I've been unable to access Lloyds TSB (even the www.lloydstsb.com) since 27 April
I can't load the log-on page in either Firefox OR I.E. Neither can I access the basic www.lloydstsb.com.
I've phoned the lloyds tsb online helpdesk, who talked me through a complete deletion of cookies, histories etc, but no good.
They've also suggested I contact my ISP, (Madasafish).
Is anyone else still experiencing problems, please?
Warning overrides toss SSL's security
This "unknown issuer" warning is caused by a simple server configuration error that is trivial for the server administrator to fix.
How sad that a financial institution would advise (and hence train) their customers to ignore this vital browser warning and thereby defeat the security that SSL otherwise provides those users, instead of getting their business partner to correct the server misconfiguration!
These "unknown issuer" warnings are the very same warnings that the browser gives if it is visiting an ATTACKER's web site. Users ignore (and override) that warning at their own peril! Responsible server administrators will do the necessary things within their power to prevent their users from experiencing those errors.
Lloyds TSB Cookies
I have been unable to login to LloydsTSB, without selecting the "Allow Session Cookies" check box (Tools..Internet Options..Privacy...Advanced) since IE7 was installed. I rang Lloyds help desk and was told that they hadn't done any testing on IE7 so couldn't solve the problem. Fact is I use a program called CookiePal to control cookies. Anyway I seem to have resolved the problem by adding mi.lloydstsb.com as an acceptable cookie in the CookiePal program. What surprised me is the number of "non" lloyds cookies that are offered during login. I don't expect my bank to force unwanted ad-cookies onto my system.