Mauritius Network Services, wrong SSL certificate
January 17, 2015
A while ago I came to know that Le Défi covered the MCB Coffee at Ebène defaced page in an article.
I tweeted the same ^^
During the past week a friend prompted me about an error he got on another local website, that of the Mauritius Network Services.
You clicked the link? If the SSL certificate isn’t fixed yet, you should be getting a page like this one.
What’s wrong with it? The domain name of the Mauritius Network Services is www.mns.mu, but the certificate installed on the server was issued for ssl2.ovh.net. Because the name in the certificate does not match the host being visited, Chrome raises a certificate error and flags the site as “unsafe”.
The certificate is issued by AlphaSSL to OVH. It is valid for the domain ssl2.ovh.net which does NOT belong to the Mauritius Network Services.
The certificate error raises a question about operational practices: how did the SSL certificate of another organization end up installed on the web server of the Mauritius Network Services?
Update #1
I found other serious concerns about the web server configuration of the Mauritius Network Services. Most of the domain names used by the MNS show SSL certificate problems. They appear to use Apache as web server & Glassfish as application server, and seriously, I believe they have a lot of misconfiguration.
The only valid SSL certificate that MNS has is that of portalmns.mu, which is issued by DigiCert.com. When you try accessing the other domains of MNS through HTTPS, e.g. servicesmns.mu, the same certificate, that of portalmns.mu, is served, and consequently your browser flags the connection as “unsafe”. Even if you access https://www.portalmns.mu you should get the error, since the certificate is not a wildcard certificate (that is, *.portalmns.mu): it covers only the bare name portalmns.mu, so the sub-domains cannot use it.
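The browser errors described above all come down to one check: does any name in the certificate match the host being visited? The following is an added example, not code from the original post, that implements that name-matching check (exact names, plus the single-label wildcard rule) and runs it over constructed sample certificates carrying the names the post mentions; the small `fetch_peer_cert` helper for checking a live host is also an assumption of this example.

```python
import socket
import ssl


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style check of one certificate name against a hostname.
    A wildcard is honoured only as the whole left-most label and matches
    exactly one label: "*.portalmns.mu" covers "www.portalmns.mu" but not
    "portalmns.mu" itself, nor "a.b.portalmns.mu"."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels) or len(h_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert: dict, hostname: str) -> bool:
    """cert uses the dict shape returned by ssl.SSLSocket.getpeercert().
    subjectAltName DNS entries are authoritative; the subject CN is only
    consulted when the certificate carries no DNS SAN at all."""
    names = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for (k, v) in rdn if k == "commonName"]
    return any(hostname_matches(n, hostname) for n in names)


# Constructed samples: only the names the post reports, not the real certificates.
OVH_CERT = {"subject": ((("commonName", "ssl2.ovh.net"),),),
            "subjectAltName": (("DNS", "ssl2.ovh.net"),)}
PORTAL_CERT = {"subject": ((("commonName", "portalmns.mu"),),),
               "subjectAltName": (("DNS", "portalmns.mu"),)}
WILDCARD_CERT = {"subject": ((("commonName", "*.portalmns.mu"),),),
                 "subjectAltName": (("DNS", "*.portalmns.mu"),)}


def fetch_peer_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live variant (hypothetical helper): chain validation stays on, so a
    chain-valid certificate for the wrong name is still returned and can be
    judged by cert_covers(); with CERT_NONE getpeercert() would be empty."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # we do the name check ourselves
    ctx.verify_mode = ssl.CERT_REQUIRED   # the chain must still validate
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()
```

Running `cert_covers(PORTAL_CERT, "www.portalmns.mu")` returns `False`, which is exactly the mismatch the browser reports; only the wildcard variant would cover the sub-domain.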
As per my observation, www.mns.mu and www.portalmns.mu are not on the same server; however, the SSL certificate configuration is incorrect on both ends.
I sent the “customer service” an email yesterday to notify them of the MNS vs OVH SSL certificate mistake. Once they reply I’ll raise the alarm on the other issues pertaining to their various domains.
Services under servicesmns.mu include e-Judiciary.
With SSL misconfiguration this widespread, should we assume that data pertaining to judiciary matters is transferred over an unsecured connection? What if the data is transferred in plain text?
Considering the sensitivity of judiciary matters, I believe this is wrong.