Mick wrote:
> On Sunday 20 Apr 2014 10:10:42 Dale wrote:
>> Mick wrote:
>
>>> SSL-Session:
>>>     Protocol  : TLSv1
>>>     Cipher    : RC4-MD5
>>>
>>> ======================================
>>>
>>> RC4 is considered completely broken today, even for Microsoft!  :-)
>>>
>>> http://en.wikipedia.org/wiki/RC4
>>>
>>> The good news is that your bank's servers do not leak any secrets at
>>> this moment and it seems they never did (they use SUN servers).
>>
>> Yet.  I would rather not be the next customer to have his ID stolen like
>> Target, I think the chain Michaels was stolen in the past couple days
>> but not positive on that yet.
>>
>> That bank is not a small bank and I pay fees each month for them to be
>> able to keep their stuff updated.  If they can't be bothered to keep it
>> updated and then turn around and give me a card that sucks, well, oh
>> well.  < picture a thumbs up here >
>
> Just 1/3 of all websites offer TLSv1.2 at the moment and hardly any public
> sites offer it as an exclusive encryption protocol, because they would lock
> out most of their visitors.  This is because most browsers do not yet support
> it.  MSWindows 8.1 MSIE 11 now offers TLSv1.2 by default and has dropped the
> RC4 cipher (since November last year).  I understand they are planning to drop
> SHA-1 next Christmas and have already dropped MD5 because of the Flame
> malware.  This should push many websites to sort out their encryption and SSL
> certificates and move away from using RC4 and SHA1 or MD5.  As I said RC4 has
> been reverted to by many sites as an immediate if interim defence against the
> infamous BEAST and Lucky Thirteen attacks.
>
> According to the Netcraft SSL Survey (May 2013) only a third of all web
> servers out there offer Perfect Forward Secrecy to ensure that even if the
> encryption keys were to be compromised, previous communications cannot be
> retrospectively decrypted.
>
> Elliptic Curve algorithms are not yet included in many browsers and in any
> case the security of these in a post-Snowden world should be questionable
> (well, at least the arbitrarily specified NIST-NSA sponsored curves, which
> OpenSSL is heavily impregnated with).
>
> What I'm saying is that there may be no perfect banking website out there,
> because Internet security is screwed up at the moment, but it is always worth
> looking for a better bet.
>

Well, my bank only got a C for its grade.  For what it costs every month, it should get an A+.  I don't have one of those free checking accounts.  I pay fees each month for mine.  Plus I have already been planning to switch ever since they switched my debit card from Visa to Discover.  I'm tired of finding something online or going into a business to buy something and then find out they don't take Discover.  It's just a matter of speed of switching that has changed.  Basically, just one more nail in the coffin.

Dale

:-)  :-)

-- 
I am only responsible for what I said ... Not for what you understood or how you interpreted my words!
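
An added example, not part of the thread: a small Python check that parses an `SSL-Session` block in the layout `openssl s_client` prints and flags the weaknesses the messages above name (a protocol older than TLSv1.2, RC4, MD5, no forward secrecy). The sample text is constructed from the two fields quoted in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample: the two fields quoted in the thread, laid out the way
# `openssl s_client` prints its SSL-Session block.
SAMPLE = """\
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
"""

OLD_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
FIELD = re.compile(r"^\s+([A-Za-z][\w -]*?)\s*:\s*(.*)$")


def parse_session(text):
    """Return the indented 'Name : value' fields under the SSL-Session header."""
    fields, in_block = {}, False
    for line in text.splitlines():
        if line.strip() == "SSL-Session:":
            in_block = True
            continue
        m = FIELD.match(line)
        if in_block and m:
            fields[m.group(1)] = m.group(2).strip()
        elif in_block and line.strip() and not line[0].isspace():
            in_block = False  # an unindented line ends the block
    return fields


def assess(fields):
    """List the weaknesses discussed in the thread for one parsed session."""
    findings = []
    proto, cipher = fields.get("Protocol", ""), fields.get("Cipher", "")
    parts = cipher.upper().split("-")
    if proto in OLD_PROTOCOLS:
        findings.append(f"protocol {proto} is older than TLSv1.2")
    if "RC4" in parts:
        findings.append("RC4 stream cipher")
    if parts[-1] == "MD5":
        findings.append("MD5 message authentication")
    # OpenSSL suite names put the key exchange first; authenticated suites get
    # forward secrecy only from (EC)DHE. TLSv1.3 suites are always ephemeral.
    if proto != "TLSv1.3" and parts[0] not in ("DHE", "ECDHE", "EDH"):
        findings.append("no forward secrecy (static key exchange)")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_session(SAMPLE)):
        print("WEAK:", finding)
```
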