From: Mick <michaelkintzios@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: Heartbleed fix - question re: replacing self-signed certs with real ones
Date: Sun, 20 Apr 2014 09:27:31 +0100 [thread overview]
Message-ID: <201404200927.54238.michaelkintzios@gmail.com> (raw)
In-Reply-To: <5352C33E.7070802@gmail.com>
[-- Attachment #1: Type: Text/Plain, Size: 3125 bytes --]
On Saturday 19 Apr 2014 19:41:02 Dale wrote:
> Mick wrote:
> > and look for this info:
> >
> > New, TLSv1/SSLv3, Cipher is RC4-SHA
> > Server public key is 2048 bit
> > Secure Renegotiation IS NOT supported
> > Compression: NONE
> > Expansion: NONE
> >
> > SSL-Session:
> > Protocol : TLSv1
> > Cipher : RC4-SHA
>
> I have this little padlock looking thing too. I dug around and found
> this info:
>
> CN = VeriSign Class 3 Extended Validation SSL SGC CA
> OU = Terms of use at https://www.verisign.com/rpa (c)06
> OU = VeriSign Trust Network
> O = "VeriSign, Inc."
> C = US
>
> PKCS #1 RSA Encryption
>
> There is another place with info but it doesn't allow me to highlight it
> so that I can copy and paste. Hmmmmmm.
>
> Anyway, is that reasonable for a bank to use? In case you haven't
> noticed, I'm not a wealth of info on encryption, just rich in
> questions. I just know that it is supposed to make things unreadable
> without a password, pass key or whatever.
>
> This is currently my bank.
>
> http://cadencebank.com/
>
> Since they changed to a card that a lot of stores don't take, that could
> be changing real soon.
You need to go to the URL that they provide for secure banking, not the home
page of their main website. They seem to offer a lot of services under
different URLs. Not all of them have the same level of protection. Picking
two URLs at random:
The Fluent account login page takes me to:
https://portal.cadencebank.com/consumer/
and openssl s_client tells me:
======================================
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
======================================
So, they use TLSv1, as opposed to the latest TLSv1.2 and their digital
signature is with the AES symmetric cipher with 128bit keys. This is
considered safe enough for today. They also use the SHA1 hash which is less
secure (if you are paranoid that someone may change the packets payload in
flight). Since 2004 it was found that practical collision attacks could be
launched on MD5, SHA-1, and other hash algorithms and NIST has launched a
competition for the next secure hash SHA3. However, MD5 and SHA1 are used so
widely today it could take a loooong time for them to disappear.
However, picking up another banking service of theirs I see that they are
using RC4 with MD5:
======================================
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
======================================
RC4 is considered completely broken today, even for Microsoft! :-)
http://en.wikipedia.org/wiki/RC4
The good news are that your bank's servers do not leak any secrets at this
moment and it seems they never did (they use SUN servers).
--
Regards,
Mick
[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 490 bytes --]
next prev parent reply other threads:[~2014-04-20 8:28 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-16 10:52 [gentoo-user] Heartbleed fix - question re: replacing self-signed certs with real ones Tanstaafl
2014-04-16 11:14 ` Matti Nykyri
2014-04-16 17:56 ` Tanstaafl
2014-04-17 5:59 ` Matti Nykyri
2014-04-17 6:10 ` Mick
2014-04-17 14:40 ` Matti Nykyri
2014-04-17 15:49 ` Mick
2014-04-17 16:54 ` Joe User
2014-04-17 18:43 ` Matti Nykyri
2014-04-17 20:17 ` [gentoo-user] " walt
2014-04-18 5:50 ` Matti Nykyri
2014-04-18 14:27 ` Dale
2014-04-18 16:45 ` Mick
2014-04-18 18:08 ` Dale
2014-04-18 19:01 ` Mick
2014-04-18 20:27 ` Dale
2014-04-18 23:33 ` Mick
2014-04-19 15:29 ` Dale
2014-04-19 15:43 ` Matti Nykyri
2014-04-19 19:33 ` Dale
2014-04-19 19:43 ` Joe User
2014-04-19 21:23 ` Dale
2014-04-20 0:18 ` Peter Humphrey
2014-04-20 8:49 ` Mick
2014-04-20 9:21 ` Matti Nykyri
2014-04-20 10:26 ` Mick
2014-04-19 16:11 ` Mick
2014-04-19 18:41 ` Dale
2014-04-20 8:27 ` Mick [this message]
2014-04-20 9:10 ` Dale
2014-04-20 12:38 ` Mick
2014-04-20 16:40 ` Matti Nykyri
2014-04-20 17:20 ` Joe User
2014-04-21 6:57 ` Matti Nykyri
2014-04-20 18:36 ` Dale
2014-04-19 11:51 ` [gentoo-user] " Mick
2014-04-19 13:17 ` Joe User
2014-04-19 15:38 ` Matti Nykyri
2014-04-19 16:40 ` Joe User
2014-04-19 17:14 ` Mick
2014-04-20 23:20 ` Mick
2014-04-21 7:11 ` Matti Nykyri
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201404200927.54238.michaelkintzios@gmail.com \
--to=michaelkintzios@gmail.com \
--cc=gentoo-user@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox