Mick wrote:
> On Saturday 19 Apr 2014 19:41:02 Dale wrote:
>> Mick wrote:
>
>>> and look for this info:
>>>
>>> New, TLSv1/SSLv3, Cipher is RC4-SHA
>>> Server public key is 2048 bit
>>> Secure Renegotiation IS NOT supported
>>> Compression: NONE
>>> Expansion: NONE
>>>
>>> SSL-Session:
>>> Protocol : TLSv1
>>> Cipher : RC4-SHA
>>
>> I have this little padlock looking thing too. I dug around and found
>> this info:
>>
>> CN = VeriSign Class 3 Extended Validation SSL SGC CA
>> OU = Terms of use at https://www.verisign.com/rpa (c)06
>> OU = VeriSign Trust Network
>> O = "VeriSign, Inc."
>> C = US
>>
>> PKCS #1 RSA Encryption
>>
>> There is another place with info but it doesn't allow me to highlight it
>> so that I can copy and paste. Hmmmmmm.
>>
>> Anyway, is that reasonable for a bank to use? In case you haven't
>> noticed, I'm not a wealth of info on encryption, just rich in
>> questions. I just know that it is supposed to make things unreadable
>> without a password, pass key or whatever.
>>
>> This is currently my bank.
>>
>> http://cadencebank.com/
>>
>> Since they changed to a card that a lot of stores don't take, that could
>> be changing real soon.
>
> You need to go to the URL that they provide for secure banking, not the home
> page of their main website. They seem to offer a lot of services under
> different URLs. Not all of them have the same level of protection. Picking
> two URLs at random:
>
> The Fluent account login page takes me to:
>
> https://portal.cadencebank.com/consumer/
>
> and openssl s_client tells me:
>
> ======================================
> New, TLSv1/SSLv3, Cipher is AES128-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1
> Cipher : AES128-SHA
> ======================================
>
> So, they use TLSv1, as opposed to the latest TLSv1.2, and their digital
> signature is with the AES symmetric cipher with 128bit keys. This is
> considered safe enough for today. They also use the SHA1 hash which is less
> secure (if you are paranoid that someone may change the packets' payload in
> flight). Since 2004 it was found that practical collision attacks could be
> launched on MD5, SHA-1, and other hash algorithms and NIST has launched a
> competition for the next secure hash SHA3. However, MD5 and SHA1 are used so
> widely today it could take a loooong time for them to disappear.
>
>
> However, picking up another banking service of theirs I see that they are
> using RC4 with MD5:
>
> ======================================
> New, TLSv1/SSLv3, Cipher is RC4-MD5
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1
> Cipher : RC4-MD5
> ======================================
>
> RC4 is considered completely broken today, even for Microsoft! :-)
>
> http://en.wikipedia.org/wiki/RC4
>
>
> The good news is that your bank's servers do not leak any secrets at this
> moment and it seems they never did (they use SUN servers).
>
Yet. I would rather not be the next customer to have his ID stolen
like Target; I think the chain Michaels was stolen in the past
couple of days but not positive on that yet.
That bank is not a small bank and I pay fees each month for them to
be able to keep their stuff updated. If they can't be bothered to
keep it updated and then turn around and give me a card that sucks,
well, oh well. < picture a thumbs up here >
Dale
:-) :-)
--
I am only responsible for what I said ... Not for what you
understood or how you interpreted my words!
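
As an added example (not part of the thread above, and not anything the bank or either poster wrote), the following script grades the summary that `openssl s_client` prints for the points the thread discusses: protocol version, RC4, MD5/SHA-1 record MACs, secure renegotiation, compression and server key size. The three sample sessions are constructed: two reuse the values pasted in the thread, the third is a made-up "modern" session to show what passes. Two caveats a practitioner would want: `s_client` reports only the single suite negotiated against the client's own offer, so one run says nothing about what else the server accepts (use `-cipher RC4` or `-tls1_2` to probe a specific suite or version); and HMAC-SHA1 as a record MAC is not broken by the collision attacks mentioned above, which matter for certificate signatures, so the script reports it as a note rather than a weakness.

```shell
#!/bin/sh
# Added example (not from the thread): grade the summary printed by
# `openssl s_client` for the weaknesses discussed above.
# Live use:
#   openssl s_client -connect host:443 -servername host </dev/null 2>/dev/null | grade_session
# The sample sessions below are constructed, not captured from the bank.

# field NAME: print the value of "NAME : value" from the SSL-Session block.
field() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*:[[:space:]]*\(.*\)/\1/p" | head -n 1
}

# grade_session: read s_client output on stdin, print one finding per line.
# Returns 0 if nothing weak was found, 1 otherwise. "note:" lines are not weak.
grade_session() {
    out=$(cat)
    rc=0
    proto=$(printf '%s\n' "$out" | field Protocol)
    cipher=$(printf '%s\n' "$out" | field Cipher)
    keybits=$(printf '%s\n' "$out" | sed -n 's/^Server public key is \([0-9][0-9]*\) bit.*/\1/p' | head -n 1)

    case "$proto" in
        TLSv1.2|TLSv1.3) ;;
        "") echo "no Protocol line found (handshake failed?)"; rc=1 ;;
        *)  echo "protocol $proto is obsolete; want TLSv1.2 or newer"; rc=1 ;;
    esac

    case "$cipher" in
        *RC4*) echo "cipher $cipher uses RC4, a broken stream cipher"; rc=1 ;;
    esac
    case "$cipher" in
        *-MD5) echo "cipher $cipher uses HMAC-MD5 for record integrity"; rc=1 ;;
        *-SHA) echo "note: $cipher uses HMAC-SHA1 for record integrity (legacy; collisions do not break HMAC)" ;;
    esac

    if printf '%s\n' "$out" | grep -q 'Secure Renegotiation IS NOT supported'; then
        echo "secure renegotiation (RFC 5746) not supported"; rc=1
    fi
    if printf '%s\n' "$out" | grep -q '^Compression:' && ! printf '%s\n' "$out" | grep -q '^Compression: NONE'; then
        echo "TLS compression enabled"; rc=1
    fi
    if [ -n "$keybits" ] && [ "$keybits" -lt 2048 ]; then
        echo "server key is only $keybits bit"; rc=1
    fi
    return $rc
}

# Constructed sample: values pasted in the thread for the portal login page.
sample_portal() {
cat <<'EOF'
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
EOF
}

# Constructed sample: values pasted in the thread for the RC4-MD5 service.
sample_rc4() {
cat <<'EOF'
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
EOF
}

# Constructed sample of a session that passes; not from the thread.
sample_modern() {
cat <<'EOF'
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
EOF
}

for s in sample_portal sample_rc4 sample_modern; do
    echo "== $s =="
    if $s | grade_session; then echo "VERDICT: ok"; else echo "VERDICT: weak"; fi
done
```

Run it as is to see the two thread samples graded weak (TLSv1 on both, RC4 and MD5 on the second) and the constructed modern one pass; pipe real `s_client` output into `grade_session` to grade a live host.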