Mick wrote: > On Saturday 19 Apr 2014 19:41:02 Dale wrote: >> Mick wrote: > >>> and look for this info: >>> >>> New, TLSv1/SSLv3, Cipher is RC4-SHA >>> Server public key is 2048 bit >>> Secure Renegotiation IS NOT supported >>> Compression: NONE >>> Expansion: NONE >>> >>> SSL-Session: >>> Protocol : TLSv1 >>> Cipher : RC4-SHA >> >> I have this little padlock looking thing too. I dug around and found >> this info: >> >> CN = VeriSign Class 3 Extended Validation SSL SGC CA >> OU = Terms of use at https://www.verisign.com/rpa (c)06 >> OU = VeriSign Trust Network >> O = "VeriSign, Inc." >> C = US >> >> PKCS #1 RSA Encryption >> >> There is another place with info but it doesn't allow me to highlight it >> so that I can copy and paste. Hmmmmmm. >> >> Anyway, is that reasonable for a bank to use? In case you haven't >> noticed, I'm not a wealth of info on encryption, just rich in >> questions. I just know that it is supposed to make things unreadable >> without a password, pass key or whatever. >> >> This is currently my bank. >> >> http://cadencebank.com/ >> >> Since they changed to a card that a lot of stores don't take, that could >> be changing real soon. > > You need to go to the URL that they provide for secure banking, not the home > page of their main website. They seem to offer a lot of services under > different URLs. Not all of them have the same level of protection. Picking > two URLs at random: > > The Fluent account login page takes me to: > > https://portal.cadencebank.com/consumer/ > > and openssl s_client tells me: > > ====================================== > New, TLSv1/SSLv3, Cipher is AES128-SHA > Server public key is 2048 bit > Secure Renegotiation IS supported > Compression: NONE > Expansion: NONE > SSL-Session: > Protocol : TLSv1 > Cipher : AES128-SHA > ====================================== > > So, they use TLSv1, as opposed to the latest TLSv1.2 and their digital > signature is with the AES symmetric cipher with 128bit keys. This is > considered safe enough for today. They also use the SHA1 hash which is less > secure (if you are paranoid that someone may change the packets payload in > flight). Since 2004 it was found that practical collision attacks could be > launched on MD5, SHA-1, and other hash algorithms and NIST has launched a > competition for the next secure hash SHA3. However, MD5 and SHA1 are used so > widely today it could take a loooong time for them to disappear. > > > However, picking up another banking service of theirs I see that they are > using RC4 with MD5: > > ====================================== > New, TLSv1/SSLv3, Cipher is RC4-MD5 > Server public key is 2048 bit > Secure Renegotiation IS supported > Compression: NONE > Expansion: NONE > SSL-Session: > Protocol : TLSv1 > Cipher : RC4-MD5 > ====================================== > > RC4 is considered completely broken today, even for Microsoft! :-) > > http://en.wikipedia.org/wiki/RC4 > > > The good news are that your bank's servers do not leak any secrets at this > moment and it seems they never did (they use SUN servers). > Yet. I would rather not be the next customer to have his ID stolen like Target, I think the chain Micheal's was stolen in the past couple days but not positive on that yet. That bank is not a small bank and I pay fees each month for them to be able to keep their stuff updated. If they can't be bothered to keep it updated and then turn around and give me a card that sucks, well, oh well. < picture a thumbs up here > Dale :-) :-) -- I am only responsible for what I said ... Not for what you understood or how you interpreted my words!