On Sunday 20 Apr 2014 10:10:42 Dale wrote:
> Mick wrote:

> > SSL-Session:
> >     Protocol  : TLSv1
> >     Cipher    : RC4-MD5
> > 
> > ======================================
> > 
> > RC4 is considered completely broken today, even for Microsoft!  :-)
> > 
> >   http://en.wikipedia.org/wiki/RC4
> > 
> > The good news is that your bank's servers do not leak any secrets at
> > this moment and it seems they never did (they use SUN servers).
> 
> Yet.  I would rather not be the next customer to have his ID stolen like
> Target, I think the chain Michaels was stolen in the past couple days
> but not positive on that yet.
> 
> That bank is not a small bank and I pay fees each month for them to be
> able to keep their stuff updated.  If they can't be bothered to keep it
> updated and then turn around and give me a card that sucks, well, oh
> well.  < picture a thumbs up here >

Just 1/3 of all websites offer TLSv1.2 at the moment and hardly any public 
sites offer it as an exclusive encryption protocol, because they would lock 
out most of their visitors.  This is because most browsers do not yet support 
it.  MSWindows 8.1 MSIE 11 now offers TLSv1.2 by default and has dropped the 
RC4 cipher (since November last year).  I understand they are planning to drop 
SHA-1 next Christmas and have already dropped MD5 because of the Flame 
malware.  This should push many websites to sort out their encryption and SSL 
certificates and move away from using RC4 and SHA-1 or MD5.  As I said, RC4 has 
been reverted to by many sites as an immediate if interim defence against the 
infamous BEAST and Lucky Thirteen attacks.

According to the Netcraft SSL Survey (May 2013) only a third of all web 
servers out there offer Perfect Forward Secrecy to ensure that even if the 
encryption keys were to be compromised, previous communications cannot be 
retrospectively decrypted.

Elliptic Curve algorithms are not yet included in many browsers and in any 
case the security of these in a post-Snowden world should be questionable 
(well, at least the arbitrarily specified NIST-NSA sponsored curves, which 
OpenSSL is heavily impregnated with).

What I'm saying is that there may be no perfect banking website out there, 
because Internet security is screwed up at the moment, but it is always worth 
looking for a better bet.

-- 
Regards,
Mick
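
An added example, not part of the original message: a Python check that parses an SSL-Session block in the layout `openssl s_client` prints and flags the weaknesses discussed above (pre-TLSv1.2 protocol, RC4, MD5, no forward secrecy). The function names are hypothetical and the sample text is constructed from the session quoted in the thread.

```python
import re

# Constructed sample: the SSL-Session fields quoted in the thread,
# in the layout `openssl s_client` prints them.
SAMPLE = """\
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
"""

# Protocol names as s_client prints them, oldest first.
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def parse_session(text):
    """Return the 'Key : value' fields of an SSL-Session block as a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][\w -]*?)\s*:\s*(\S.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def audit(fields):
    """List the weaknesses named in the thread for one negotiated session."""
    findings = []
    proto = fields.get("Protocol", "")
    cipher = fields.get("Cipher", "")
    parts = cipher.upper().replace("_", "-").split("-")
    old = proto in PROTOCOL_ORDER[:PROTOCOL_ORDER.index("TLSv1.2")]
    if old:
        findings.append("protocol older than TLSv1.2: " + proto)
    if "RC4" in parts:
        findings.append("RC4 stream cipher")
    if "MD5" in parts:
        findings.append("MD5-based MAC")
    # Assumption: OpenSSL-style suite names, where the key exchange is the
    # first component and only DHE/ECDHE (older spelling EDH) is ephemeral.
    # TLSv1.3 suites name no key exchange and are always ephemeral.
    if cipher and proto != "TLSv1.3" and parts[0] not in ("ECDHE", "DHE", "EDH"):
        findings.append("no forward secrecy (key exchange is not DHE/ECDHE)")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_session(SAMPLE)):
        print("WEAK:", finding)
```
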
