From: Matti Nykyri
To: "gentoo-user@lists.gentoo.org"
Subject: Re: [gentoo-user] Re: Heartbleed fix - question re: replacing self-signed certs with real ones
Date: Sun, 20 Apr 2014 12:21:08 +0300
Message-Id: <2B56788B-6DD0-4874-8DA4-9EDB9EF68D6E@iki.fi>
In-Reply-To: <201404200949.46359.michaelkintzios@gmail.com>
References: <201404171649.57228.michaelkintzios@gmail.com> <0E54F746-D111-4689-8156-786BFC3FA136@iki.fi> <1630607.30WOdBlsZ7@wstn> <201404200949.46359.michaelkintzios@gmail.com>

On Apr 20, 2014, at 11:49, Mick wrote:

> On Sunday 20 Apr 2014 01:18:43 Peter Humphrey wrote:
>> On Saturday 19 Apr 2014 18:43:50 Matti Nykyri wrote:
>>> Well you can use ssllabs.com. I use it for debugging. Here is what Bank of
>>> America uses:
>>>
>>> https://www.ssllabs.com/ssltest/analyze.html?d=www.bankofamerica.com&hideResults=on
>>
>> Well, that's an eye-opener and no mistake. I see my bank is rated B
>> overall. Could be worse I suppose. Maybe I should forward the results to
>> them.
>
> Many banks, businesses and public institutions have to cater for the lowest
> common denominator, or their help lines would be inundated with irate
> customers being asked to first reboot their MSWindows PC. Until the beginning
> of April 2014 this would have been a WinXP user with MSIE 8.0. In Europe up
> to 25% of all PCs are still on WinXP. This counts out anything exotic in
> encryption capabilities, like ECDHE and ECDSA, because it is only the latest
> versions of Firefox and Chrome that can use these.

Yes, this is true. Even Gentoo doesn't have a stable Firefox that supports the
TLSv1.2 highest security ciphers C030 and C02C (ECDHE-RSA/ECDSA-AES256-GCM-SHA384).
But what banks should do is support the most secure ciphers and sort their
cipher lists so that the most secure are at the top. Because what I understood
is that browsers will by default use the first cipher in the order the server
sent them that it supports and not go through the entire list. A security-aware
user can of course disable all the bad ciphers he doesn't want to use in his own
browser. Now if he tries to connect to a poorly secured site the connection will
fail until a common cipher is found. But what is important is that you will know
when you try to make an insecure connection.

> This is the reason that banks also employ some other means of authentication,
> in addition to your user ID; e.g. they typically ask you to enter a few
> characters out of your password (different each time), or additional secret
> data like the name of your favourite teacher, mother's maiden name and the
> like.
>
> Unless someone was recording each and every login of yours with the bank and
> kept a record of each and every password character you ever typed they may
> still not be able to login, without locking up the account and triggering an
> offline replacement of your password.

NSA has this capability. Also I think most of the largest ISPs are capable of
doing it. All this requires is enough HD space, the private key of any CA-enabled
x509 certificate and access to any router between you and the bank, or DNS
poisoning of your computer.

> So I suspect they assume that the Internet connection to their servers should
> be treated as less than private and have deployed additional means of
> at least stopping unauthorised transactions online.

--
-Matti
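The cipher-ordering point discussed in the thread, as an added example that is not part of the original mailing-list post: in TLS the client lists the suites it supports in its ClientHello and the server picks one, either walking its own ordered list (server preference, the setting the thread argues for) or the client's. The script below models that choice for a few constructed server lists and clients, using the real suite ids the thread names (0xC030, 0xC02C) alongside other real legacy ids; the client and server lists themselves are assumptions made up for the illustration. It shows why a "legacy-first" server order lands even a modern browser on RC4, why "strongest-first" fixes that without dropping old clients, and how a client that has disabled weak suites ends up with a handshake failure instead of a silent downgrade.

```python
"""Model of TLS cipher-suite selection (added example, not code from the thread)."""

# Real IANA cipher-suite ids mapped to their OpenSSL-style names. The first two are
# the suites the thread calls C030 and C02C; the rest are real legacy suites chosen
# here to model a "cater for the lowest common denominator" server configuration.
SUITES = {
    0xC02C: "ECDHE-ECDSA-AES256-GCM-SHA384",
    0xC030: "ECDHE-RSA-AES256-GCM-SHA384",
    0xC014: "ECDHE-RSA-AES256-SHA",
    0x0035: "AES256-SHA",
    0x000A: "DES-CBC3-SHA",
    0x0005: "RC4-SHA",
}

# Suites a security-aware operator would not want selected at all (assumption).
WEAK = {0x000A, 0x0005}


def negotiate(server_order, client_offer, server_preference=True):
    """Return the selected suite id, or None when there is no common suite
    (the server would send a handshake_failure alert).

    With server_preference the server walks its own list and takes the first
    suite the client also offered; otherwise it honours the client's order.
    """
    preferred, other = (
        (server_order, client_offer) if server_preference else (client_offer, server_order)
    )
    other_set = set(other)
    for suite in preferred:
        if suite in other_set:
            return suite
    return None


def describe(suite):
    """Human-readable outcome of a negotiation."""
    if suite is None:
        return "handshake_failure"
    return f"{suite:#06x} {SUITES.get(suite, 'unknown')}"


def audit(server_order, clients, server_preference=True):
    """For each named client, report the chosen suite and whether it is weak.

    Returns {client_name: (suite_id_or_None, is_weak)} so the result can be
    checked programmatically as well as printed.
    """
    result = {}
    for name, offer in clients.items():
        chosen = negotiate(server_order, offer, server_preference)
        result[name] = (chosen, chosen in WEAK)
    return result


# Constructed server lists. LEGACY_FIRST is the B-rated pattern: weak suites on top.
LEGACY_FIRST = [0x0005, 0x000A, 0x0035, 0xC014, 0xC030, 0xC02C]
# Same suites, strongest first, as the thread recommends.
STRONG_FIRST = list(reversed(LEGACY_FIRST))
# A server that offers only the two AES-GCM suites (no legacy fallback at all).
STRICT_ONLY = [0xC02C, 0xC030]

# Constructed clients.
CLIENTS = {
    # modern browser, offers everything
    "modern": [0xC02C, 0xC030, 0xC014, 0x0035, 0x000A, 0x0005],
    # user who disabled RC4 and 3DES in the browser
    "hardened": [0xC02C, 0xC030, 0xC014, 0x0035],
    # XP/IE8-era client with no ECDHE support at all
    "legacy": [0x0035, 0x000A, 0x0005],
}

if __name__ == "__main__":
    for label, order in (("legacy-first", LEGACY_FIRST), ("strong-first", STRONG_FIRST), ("strict-only", STRICT_ONLY)):
        print(f"server order: {label}")
        for name, (chosen, weak) in audit(order, CLIENTS).items():
            flag = "  <-- weak suite selected" if weak else ""
            print(f"  {name:9s} -> {describe(chosen)}{flag}")
```

Run as a script it prints, for each server ordering, what every client ends up with; the takeaway is that re-ordering the list (not removing suites) already moves the modern and hardened clients onto AES-GCM while the legacy client still connects, and that the strict server turns the legacy client's weak connection into an explicit failure, which is the visible signal the thread values.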