<!--[if !mso]><style>v\:* {behavior:url(#default#VML);} o\:* {behavior:url(#default#VML);} w\:* {behavior:url(#default#VML);} .shape {behavior:url(#default#VML);} </style><![endif]--><!--[if gte mso 9]><xml> <o:shapedefaults v:ext="edit" spidmax="1026" /> </xml><![endif]--><!--[if gte mso 9]><xml> <o:shapelayout v:ext="edit"> <o:idmap v:ext="edit" data="1" /> </o:shapelayout></xml><![endif]-->

Claire

Forgot to copy you in. We’ll see what Scott says.

 

 

David Stenhouse 


mob:
      021 226 6987

 

 

 

From: David Stenhouse
Sent: Monday, 8 July 2013 3:33 p.m.
To: Scott Savage ([email address])
Subject: FW: Site Certificate message
Importance: High

 

Hi Scott

Can you please let me know what we need to do to get this fixed. It appears to be at your end.

 

Thanks

 

 

David Stenhouse 

Manager Passenger Services

ENVIRONMENT CANTERBURY
37 Main North Rd,

Papanui,

Christchurch 

PO Box 345
Christchurch
New Zealand 


mob:
 021 226 6987
email:
david.stenhouse@ecan.govt.nz

website: www.metroinfo.org.nz

 

 

 

From: Claire Nicholls
Sent: Friday, 5 July 2013 9:23 a.m.
To: David Stenhouse
Subject: RE: Site Certificate message
Importance: High

 

Hi David

 

We are having issues with some users seeing a security message on our mymetrocard website that Ionata created. It’s taken us a while to figure out what is going on and it looks like it maybe a server issue. Ionata tell us they do not host the site on their server and Lyndon tells us it’s not hosted on a Snap server. Can you tell us where the server is and what it’s called? Is it Rivera or Init?

 

Regards

Claire

 

From: Lyndon Walker
Sent: Thursday, 4 July 2013 8:29 p.m.
To: [email address]
Cc: Claire Nicholls
Subject: RE: Site Certificate message

 

Thanks Martin

 

As Snap only provide us with our wide area networks and internet connection, I don’t believe that they have anyting to do with it

Could it be part of our Init equipment at Revera? Clarie?

 

Can you tell me the name of it?

Or another information that I would  find handy

 

I will  do a bit of research to the what where this server is

 

Cheers


Lyndon

 

 

From: Martin Anderson [mailto:[email address]]
Sent: Thursday, 4 July 2013 6:39 p.m.
To: Lyndon Walker
Cc: Claire Nicholls
Subject: Re: Site Certificate message

 

Hi Lyndon

 

Regarding the report you that you provided. We don't actually manage the web server.

 

I believe Snap provides the server itself. We don't have an SLA with ECAN covering server maintenance.

 

We installed the certificate as provided so in this case I'm not sure what else we can do.


 

Kind regards,

 

Martin Anderson

 

Image removed by sender.

www.ionata.com.au

P: (03) 6231 9110
M: 0438 515 595

 

On 1 July 2013 07:13, Lyndon Walker <[email address]> wrote:

Claire

The way the certificate works is to check its validity when the site is loaded

The browser, either on the phone, laptop, tablet, pc or whatever goes out to the internet to a CA (Certificate Authority) to confirm its authenticity

This appears to be failing for these users

 

Does she have access to a PC to try this on?

 

Martin,

We do however need to tighten up the webserver itself, she may have some fancy ssl checker software loaded which is suggesting that she doesn’t continue

See the following report

https://www.ssllabs.com/ssltest/analyze.html?d=metrocard.metroinfo.co.nz&hideResults=on

 

Cheers,

Lyndon

 

 

From: Claire Nicholls
Sent: Monday, 1 July 2013 9:06 a.m.
To: Lyndon Walker
Subject: FW: Site Certificate message

 

Morning Lyndon

 

Did we get anywhere with the below? I would like to solve the problem when possible.

 

Kind regards

Claire

 

From: Peter and Victoria [mailto:[email address]]
Sent: Thursday, 27 June 2013 9:20 p.m.
To: Claire Nicholls
Subject: RE: Site Certificate message

 

Hi Claire,

Thank you for the update.  The message I sent you earlier was from our Android tablet.  So I thought I would try on my Android phone, but I am getting a similar message.  This time it says the security certificate has expired.  My husband suggested I try rebooting the phone and clearing the cache, but I am still getting the expired message. 
He has just tried to get a balance on his Android phone and is getting the same message as I got earlier today on the tablet.  I attach some screen shots from his phone which may be of help.

I don't feel happy using the website to pay using my credit card. If you have any other ideas, please let me know.

Thanks,
Victoria Brown

Hi Victoria

 

I’ve had our teams internally and externally have a look at why you are getting the message. At the moment you’re the only person who has experienced it. Our security certificate was updated approx. two weeks ago and it has been confirmed that it is working correctly. This means that you can ignore the message and continue to top up using a credit card, the site is secure and will work correctly.

 

The team have noticed that the message recognises your device as a mobile and are looking into why it would be coming up on a mobile device.

 

One reason that has been mentioned to me a few times is that it could be that your computer security settings. They could be  very high and restrictive and this may be why you are getting the message when the security licence is completely fine.

 

We are still looking into why it has shown up on your screen, I just wanted to give you an update this afternoon. In the meantime please feel free to ignore the message and continue to use the site.

 

Kind regards

Claire

 

 

cid:image001.png@01CE763A.DC659A70

PO Box 345, Christchurch 8140, New Zealand
Customer Services:
0800 324 636

cid:image002.png@01CE763A.DC659A70cid:image003.png@01CE763A.DC659A70cid:image004.png@01CE763A.DC659A70

Claire Nicholls
Operations Administrator

Passenger Services Team
Environment Canterbury

[mobile number]
[email address]

cid:image005.png@01CE763A.DC659A70

cid:image006.png@01CE763A.DC659A70

cid:image007.png@01CE763A.DC659A70

 

 

 

 

From: Peter and Victoria [mailto:[email address]]
Sent: Thursday, 27 June 2013 9:12 a.m.
To: Claire Nicholls
Subject: Site Certificate message

 

Hi Claire,

Here's the message I got when I tried to login to top up my son's metro card.  I do not work for an organisation, I'm just a stay-at-home-mom!

Thanks for your help.
Victoria Brown

The site's security certificate is not trusted!
You attempted to reach metrocard.metroinfo.co.nz, but the server presented a certificate issued by an entity that is not trusted by your computer's operating system. This may mean that the server has generated its own security credentials, which Chrome cannot rely on for identity information, or an attacker may be trying to intercept your communications.
You should not proceed, especially if you have never seen this warning before for this site.
Proceed anyway  Back to safety
Help me understand
When you connect to a secure website, the server hosting that site presents your browser with something called a "certificate" to verify its identity. This certificate contains identity information, such as the address of the website, which is verified by a third party that your mobile device trusts. By checking that the address on the certificate matches the address of the website, it is possible to verify that you are securely communicating with the website you intended and not a third party (such as an attacker on your network).

In this case, the certificate has not been verified by a third party that your mobile device trusts. Anyone can create a certificate claiming to be whatever website they choose, which is why it must be verified by a trusted third party. Without that verification, the identity information in the certificate is meaningless. It is therefore not possible to verify that you are communicating with metrocard.metroinfo.co.nz instead of an attacker who generated his own certificate claiming to be metrocard.metroinfo.co.nz. You should not proceed past this point.

If, however, you work in an organisation that generates its own certificates and you are trying to connect to an internal website of that organisation using such a certificate, you may be able to solve this problem securely. You can import your organisation's root certificate as a "root certificate", and then certificates issued or verified by your organisation will be trusted and you will not see this error next time you try to connect to an internal website. Contact your organisation's help staff for assistance in adding a new root certificate to your mobile device.