On Sunday 20 Apr 2014 10:21:08 Matti Nykyri wrote:
> On Apr 20, 2014, at 11:49, Mick wrote:
> > On Sunday 20 Apr 2014 01:18:43 Peter Humphrey wrote:
> >> On Saturday 19 Apr 2014 18:43:50 Matti Nykyri wrote:
> >>> Well you can use ssllabs.com. I use it for debugging. Here is what Bank
> >>> of America uses:
> >>>
> >>> https://www.ssllabs.com/ssltest/analyze.html?d=www.bankofamerica.com&hideResults=on
> >>
> >> Well, that's an eye-opener and no mistake. I see my bank is rated B
> >> overall. Could be worse I suppose. Maybe I should forward the results to
> >> them.
> >
> > Many banks, businesses and public institutions have to cater for the
> > lowest common denominator, or their help lines would be inundated with
> > irate customers being asked to first reboot their MSWindows PC. Until
> > the beginning of April 2014 this would have been a WinXP user with MSIE
> > 8.0. In Europe up to 25% of all PCs are still on WinXP. This counts
> > out anything exotic in encryption capabilities, like ECDHE and ECDSA,
> > because it is only the latest versions of Firefox and Chrome that can
> > use these.
>
> Yes, this is true. Even Gentoo doesn't have a stable Firefox that supports
> TLSv1.2 highest security ciphers C030 and C02C
> (ECDHE-RSA/ECDSA-AES256-GCM-SHA384). But what banks should do is
> support the most secure ciphers and sort their cipher lists so that the
> most secure are at the top. Because what I understood is that browsers
> will by default use the first cipher in the order the server sent them it
> supports and not go through the entire list.

I think the browsers go through the list, but agree to support the first server preferred cipher that is also supported by the client, even if it is lower in the list of preferred ciphers on the client:

http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html

> A security aware user can of course disable all the bad ciphers he doesn't
> want to use in his own browser. Now if he tries to connect to a poorly
> secured site the connection will fail until a common cipher is found. But
> what is important you will know when you try to make an insecure
> connection.
>
> > This is the reason that banks also employ some other means of
> > authentication, in addition to your user ID; e.g. they typically ask
> > you to enter a few characters out of your password (different each
> > time), or additional secret data like the name of your favourite
> > teacher, mother's maiden name and the like.
> >
> > Unless someone was recording each and every login of yours with the bank
> > and kept a record of each and every password character you ever typed
> > they may still not be able to log in, without locking up the account and
> > triggering an offline replacement of your password.
>
> NSA has this capability. Also I think most of the largest ISPs are capable
> of doing it. All this requires is enough HD space, private key of any CA
> enabled x509 certificate and access to any router between you and the bank
> or DNS poisoning of your computer.

In Europe I think that the situation for ISPs capturing data is not settled yet. I seem to recall that Germany and Belgium disputed in court a European Directive (Data Retention Directive 2006) to capture and store users' data. I think that they eventually were forced to implement part of the directive - who needs GDR's STASI these days! :p

In the UK data is kept for 1-2 years, but that is only what they let us know. A few days ago the EU Court of Justice declared the directive invalid/unlawful, but that has been kept quiet in the media.

--
Regards,
Mick
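
The cipher selection discussed in this message, as an added example that is not part of the original e-mail or written by any of its participants: a small model of how the result changes with the server's list order, and how a client with weak ciphers disabled fails the handshake rather than downgrading. The function names and the suite lists are assumptions constructed for illustration.

```python
# Added illustration (not from the original e-mail): TLS cipher-suite
# selection modelled on plain lists. All suite lists are constructed samples.
class NoSharedCipher(Exception):
    """No suite in common: the handshake fails instead of downgrading."""

def negotiate(client_offer, server_list, server_preference=True):
    """Return the suite the server selects from two preference-ordered lists.
    server_preference=True: the server walks its own list (the behaviour
    OpenSSL's SSL_OP_CIPHER_SERVER_PREFERENCE enables); False: it walks
    the client's list instead.
    """
    if server_preference:
        ordered, other = server_list, client_offer
    else:
        ordered, other = client_offer, server_list
    allowed = set(other)
    for suite in ordered:
        if suite in allowed:
            return suite
    raise NoSharedCipher("no common cipher suite")

STRONG = "ECDHE-RSA-AES256-GCM-SHA384"  # 0xC030, named in the thread

# Constructed sample configurations (OpenSSL suite names).
SERVERS = {
    "strong_first": [STRONG, "AES128-SHA", "RC4-SHA"],
    "weak_first": ["RC4-SHA", "AES128-SHA", STRONG],
    "legacy_only": ["RC4-SHA", "DES-CBC3-SHA"],
}
CLIENTS = {
    "modern": [STRONG, "AES128-SHA", "RC4-SHA"],
    "legacy": ["RC4-SHA", "DES-CBC3-SHA"],  # stands in for an old browser
    "hardened": [STRONG],                   # user disabled everything else
}

def outcomes():
    """Negotiate every client against every server; None means failure."""
    results = {}
    for cname, client in CLIENTS.items():
        for sname, server in SERVERS.items():
            try:
                results[(cname, sname)] = negotiate(client, server)
            except NoSharedCipher:
                results[(cname, sname)] = None
    return results

if __name__ == "__main__":
    for pair, suite in outcomes().items():
        print(pair, "->", suite or "handshake failure")
```

With the server's own order honoured, the modern client ends up on RC4-SHA against the weak-first server even though it listed the ECDHE suite first; only the strong-first ordering gives it the strong suite while still serving the legacy client.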