On Saturday 19 Apr 2014 19:41:02 Dale wrote: > Mick wrote: > > and look for this info: > > > > New, TLSv1/SSLv3, Cipher is RC4-SHA > > Server public key is 2048 bit > > Secure Renegotiation IS NOT supported > > Compression: NONE > > Expansion: NONE > > > > SSL-Session: > > Protocol : TLSv1 > > Cipher : RC4-SHA > > I have this little padlock looking thing too. I dug around and found > this info: > > CN = VeriSign Class 3 Extended Validation SSL SGC CA > OU = Terms of use at https://www.verisign.com/rpa (c)06 > OU = VeriSign Trust Network > O = "VeriSign, Inc." > C = US > > PKCS #1 RSA Encryption > > There is another place with info but it doesn't allow me to highlight it > so that I can copy and paste. Hmmmmmm. > > Anyway, is that reasonable for a bank to use? In case you haven't > noticed, I'm not a wealth of info on encryption, just rich in > questions. I just know that it is supposed to make things unreadable > without a password, pass key or whatever. > > This is currently my bank. > > http://cadencebank.com/ > > Since they changed to a card that a lot of stores don't take, that could > be changing real soon.
You need to go to the URL that they provide for secure banking, not the home page of their main website. They seem to offer a lot of services under different URLs. Not all of them have the same level of protection. Picking two URLs at random: The Fluent account login page takes me to: https://portal.cadencebank.com/consumer/ and openssl s_client tells me: ====================================== New, TLSv1/SSLv3, Cipher is AES128-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES128-SHA ====================================== So, they use TLSv1, as opposed to the latest TLSv1.2 and their digital signature is with the AES symmetric cipher with 128bit keys. This is considered safe enough for today. They also use the SHA1 hash which is less secure (if you are paranoid that someone may change the packets payload in flight). Since 2004 it was found that practical collision attacks could be launched on MD5, SHA-1, and other hash algorithms and NIST has launched a competition for the next secure hash SHA3. However, MD5 and SHA1 are used so widely today it could take a loooong time for them to disappear. However, picking up another banking service of theirs I see that they are using RC4 with MD5: ====================================== New, TLSv1/SSLv3, Cipher is RC4-MD5 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : RC4-MD5 ====================================== RC4 is considered completely broken today, even for Microsoft! :-) http://en.wikipedia.org/wiki/RC4 The good news are that your bank's servers do not leak any secrets at this moment and it seems they never did (they use SUN servers). -- Regards, Mick
signature.asc
Description: This is a digitally signed message part.
