On Sunday 20 Apr 2014 01:18:43 Peter Humphrey wrote:
> On Saturday 19 Apr 2014 18:43:50 Matti Nykyri wrote:
> > Well you can use ssllabs.com. I use it for debugging. Here is what Bank of
> > America uses:
> > 
> > https://www.ssllabs.com/ssltest/analyze.html?d=www.bankofamerica.com&hideResults=on
> 
> Well, that's an eye-opener and no mistake. I see my bank is rated B
> overall. Could be worse I suppose. Maybe I should forward the results to
> them.

Many banks, businesses and public institutions have to cater for the lowest 
common denominator, or their help lines would be inundated with irate 
customers being asked to first reboot their MSWindows PC.  Until the beginning 
of April 2014 this would have been a WinXP user with MSIE 8.0.  In Europe up 
to 25% of all PCs are still on WinXP.  This counts out anything exotic in 
encryption capabilities, like ECDHE and ECDSA, because it is only the latest 
versions of Firefox and Chrome that can use these.

This is the reason that banks also employ some other means of authentication, 
in addition to your user ID;  e.g. they typically ask you to enter a few 
characters out of your password (different each time), or additional secret 
data like the name of your favourite teacher, mother's maiden name and the 
like.

Unless someone was recording each and every login of yours with the bank and 
kept a record of each and every password character you ever typed, they may 
still not be able to log in without locking up the account and triggering an 
offline replacement of your password.

So I suspect they assume that the Internet connection to their servers should 
be treated as <ahem!> less than private and have deployed additional means of 
at least stopping unauthorised transactions online.

-- 
Regards,
Mick

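The partial-password scheme Mick describes (the bank asks for a few password characters at randomly chosen positions, and locks the account after repeated failures) can be simulated to see exactly what a passive observer on a "less than private" connection gains from each recorded login. The script below is an added example written for this thread, not code from any bank or from the list posting; the password, the three-positions-per-login challenge, the three-failure lockout and the observer model are all assumptions chosen for illustration.

```python
"""Simulate a partial-password login and an eavesdropper who records every exchange.

Added example for the thread above, not taken from any bank's system.
Assumptions: 3 positions are requested per login, 3 consecutive failures lock
the account, and the attacker can only observe or guess (no other side channel).
"""
import random

LOCKOUT_AFTER = 3          # consecutive failed answers before the bank locks the account
POSITIONS_PER_LOGIN = 3    # how many password characters a challenge asks for


class PartialPasswordServer:
    """Bank side: issues position challenges, checks answers, enforces lockout."""

    def __init__(self, password, seed=0):
        self._password = password
        self._rng = random.Random(seed)   # seeded so the simulation is repeatable
        self.failures = 0
        self.locked = False

    def challenge(self):
        """Return sorted 1-based positions the customer must supply; differs each login."""
        return sorted(self._rng.sample(range(1, len(self._password) + 1), POSITIONS_PER_LOGIN))

    def verify(self, positions, answer):
        """True on a correct answer; wrong answers count towards lockout."""
        if self.locked:
            return False
        expected = "".join(self._password[p - 1] for p in positions)
        if answer == expected:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= LOCKOUT_AFTER:
            self.locked = True
        return False


class PassiveObserver:
    """Attacker who sees every (positions, characters) pair on the wire."""

    def __init__(self, password_length):
        self.length = password_length
        self.known = {}   # position -> character learnt so far

    def record(self, positions, answer):
        for p, c in zip(positions, answer):
            self.known[p] = c

    def coverage(self):
        """Fraction of password positions the attacker has recovered."""
        return len(self.known) / self.length

    def can_answer(self, positions):
        return all(p in self.known for p in positions)


def simulate_legitimate_logins(password="correct-horse-9", logins=50, seed=1):
    """Run `logins` genuine logins with the observer watching.

    Returns (server, observer, coverage_history) where coverage_history[i]
    is the fraction of the password known after i+1 recorded logins.
    The password is a constructed sample, not a real credential.
    """
    server = PartialPasswordServer(password, seed=seed)
    observer = PassiveObserver(len(password))
    history = []
    for _ in range(logins):
        positions = server.challenge()
        reply = "".join(password[p - 1] for p in positions)   # the real customer answers
        assert server.verify(positions, reply)
        observer.record(positions, reply)                      # the attacker takes notes
        history.append(observer.coverage())
    return server, observer, history


def logins_until_full_recovery(history):
    """Number of recorded logins before the whole password was known (None if never)."""
    for i, cov in enumerate(history):
        if cov == 1.0:
            return i + 1
    return None


def attacker_login(server, observer, filler="?"):
    """Attacker answers a fresh challenge, guessing `filler` for unknown positions.

    Returns (success, account_locked). Guessing is what triggers the lockout
    and the offline password reset that the thread describes.
    """
    positions = server.challenge()
    guess = "".join(observer.known.get(p, filler) for p in positions)
    return server.verify(positions, guess), server.locked


if __name__ == "__main__":
    server, observer, history = simulate_legitimate_logins()
    print("coverage after each login:", [round(c, 2) for c in history[:10]], "...")
    print("logins needed to recover everything:", logins_until_full_recovery(history))
    print("attacker with full transcript logs in:", attacker_login(server, observer))

    # An attacker who has seen nothing must guess, and is locked out quickly.
    fresh = PartialPasswordServer("correct-horse-9", seed=7)
    blind = PassiveObserver(15)
    for _ in range(LOCKOUT_AFTER):
        print("blind guess:", attacker_login(fresh, blind))
```

Run it and the coverage history shows the trade-off the scheme makes: a single captured login leaks only three characters (20% of a 15-character password), but an attacker who can record many logins recovers the whole thing, while one who has to guess the gaps hits the lockout after three wrong answers and forces the offline reset. That is why the scheme only helps against an occasional eavesdropper, not against someone with a standing man-in-the-middle position.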