Re: [gentoo-user] Re: Heartbleed fix - question re: replacing self-signed certs with real ones

[Matti Nykyri <matti.nykyri@iki.fi>]

On Apr 20, 2014, at 11:49, Mick <michaelkintzios@gmail.com> wrote:

> On Sunday 20 Apr 2014 01:18:43 Peter Humphrey wrote:
>> On Saturday 19 Apr 2014 18:43:50 Matti Nykyri wrote:
>>> Well you can use ssllabs.com. I use it for debuging. Here is what Bank of
>>> America uses:
>>> 
>>> https://www.ssllabs.com/ssltest/analyze.html?d=www.bankofamerica.com&hide
>>> Res ults=on
>> 
>> Well, that's an eye-opener and no mistake. I see my bank is rated B
>> overall. Could be worse I suppose. Maybe I should forward the results to
>> them.
> 
> Many banks, businesses and public institutions have to cater for the lowest 
> common denominator, or their help lines would be inundated with irate 
> customers being asked to first reboot their MSWindows PC.  Until the beginning 
> of April 2014 this would have been a WinXP user with MSIE 8.0.  In Europe up 
> to 25% of all PCs are still on WinXP.  This counts out anything exotic in 
> encryption capabilities, like ECDHE and ECDSA, because it is only the latest 
> versions of Firefox and Chrome that can use these.

Yes, this is true. Even gentoo doesn't have a stable firefox that supports TLSv1.2 highest security ciphers C030 and C02C (ECDHE-RSA/ECDSA-AES256-GMC-SHA384). But wht banks should do they should support the most secure ciphers and sort their ciphers lists so that the most secure are at the top. Because what I understood is that browsers will by default use the first cipher in the order the server sent them it supports and not go through the entire list.

A security aware user can ofcourse disable all the bad ciphers he foesn't want to use in his own browser. Now if he tries to connect to a poorly secured site the connection will fail until a common cipher is found. But what is important you will know when you try to make an insecure connection.

> This is the reason that banks also employ some other means of authentication, 
> in addition to your user ID;  e.g. they typically ask you to enter a few 
> characters out of your password (different each time), or additional secret 
> data like the name of your favourite teacher, mother's maiden name and the 
> like.
> 
> Unless someone was recording each and every login of yours with the bank and 
> kept a record of each and every password character you ever typed they may 
> still not be able to login, without locking up the account and triggering an 
> offline replacement of your password.

NSA has this capability. Also i think most of the largest ISPs are capable to do it. All this requires is enough HD space, private key of any CA enabled x509 certificate and access to any router between you and the bank or DNS poisoning of your computer.

> So I suspect they assume that the Internet connection to their servers should 
> be treated as <aheam!> less than private and have deployed additional means of 
> at least stopping unauthorised transactions online.

-- 
-Matti