From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 1219F138A1F for ; Sun, 20 Apr 2014 09:10:56 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 1E795E0AB2; Sun, 20 Apr 2014 09:10:47 +0000 (UTC) Received: from mail-yh0-f48.google.com (mail-yh0-f48.google.com [209.85.213.48]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id EFB03E0A89 for ; Sun, 20 Apr 2014 09:10:45 +0000 (UTC) Received: by mail-yh0-f48.google.com with SMTP id z6so2684788yhz.7 for ; Sun, 20 Apr 2014 02:10:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type; bh=tuk7QlAuI5AgzbnLxc3Q1SOXTc1x6rexNtFdkdvYPYI=; b=oW1MnUIAtBR8b8EpNfCySGmiuUT4RMokW9yk6z9zTerTKnuNCQERD4YjaxOqq5Cx2+ splgZzAWho+qDLwnOwGYvNYIG4UiyAH9SKgEoRqNX7htM0EgYXbv0eiBGyOk8Do5WQWh 16DBzp+fD98zP0EFeQ3TBE34dp/jzI7x8JCi5G/mp6Bbn199tKixVGWdMZPEsJwn7LpW gxsMw1VjvXQjz0m5wwtk/FM3PX2k+L+tg3nKPXG+3bzE9eu+IDsOO/oBiYvBxiCsmB1t N0xasvnX77zb2rJKV/urRx/rTUtzjkMXyWGaKVikSXhQR6KFsr2o3Ldj8PFZqykNKtY8 MZ0A== X-Received: by 10.236.194.169 with SMTP id m29mr38306yhn.121.1397985045226; Sun, 20 Apr 2014 02:10:45 -0700 (PDT) Received: from [192.168.2.5] (adsl-98-95-150-165.jan.bellsouth.net. [98.95.150.165]) by mx.google.com with ESMTPSA id m23sm63307685yho.15.2014.04.20.02.10.43 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 20 Apr 2014 02:10:44 -0700 (PDT) Message-ID: <53538F12.7080600@gmail.com> Date: Sun, 20 Apr 2014 04:10:42 -0500 From: Dale User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0 SeaMonkey/2.25 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-user@lists.gentoo.org Reply-to: gentoo-user@lists.gentoo.org MIME-Version: 1.0 To: gentoo-user@lists.gentoo.org Subject: Re: [gentoo-user] Re: Heartbleed fix - question re: replacing self-signed certs with real ones References: <201404171649.57228.michaelkintzios@gmail.com> <201404191711.33377.michaelkintzios@gmail.com> <5352C33E.7070802@gmail.com> <201404200927.54238.michaelkintzios@gmail.com> In-Reply-To: <201404200927.54238.michaelkintzios@gmail.com> X-Enigmail-Version: 1.6 Content-Type: multipart/alternative; boundary="------------070408070708010409040501" X-Archives-Salt: 9575f9e5-027b-4a9c-adf3-05608cc98bb4 X-Archives-Hash: 3164c7db1bb84a30e97bd5df7d0da4f6 This is a multi-part message in MIME format. --------------070408070708010409040501 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Mick wrote: > On Saturday 19 Apr 2014 19:41:02 Dale wrote: >> Mick wrote: > >>> and look for this info: >>> >>> New, TLSv1/SSLv3, Cipher is RC4-SHA >>> Server public key is 2048 bit >>> Secure Renegotiation IS NOT supported >>> Compression: NONE >>> Expansion: NONE >>> >>> SSL-Session: >>> Protocol : TLSv1 >>> Cipher : RC4-SHA >> >> I have this little padlock looking thing too. I dug around and found >> this info: >> >> CN = VeriSign Class 3 Extended Validation SSL SGC CA >> OU = Terms of use at https://www.verisign.com/rpa (c)06 >> OU = VeriSign Trust Network >> O = "VeriSign, Inc." >> C = US >> >> PKCS #1 RSA Encryption >> >> There is another place with info but it doesn't allow me to highlight it >> so that I can copy and paste. Hmmmmmm. >> >> Anyway, is that reasonable for a bank to use? In case you haven't >> noticed, I'm not a wealth of info on encryption, just rich in >> questions. I just know that it is supposed to make things unreadable >> without a password, pass key or whatever. >> >> This is currently my bank. >> >> http://cadencebank.com/ >> >> Since they changed to a card that a lot of stores don't take, that could >> be changing real soon. > > You need to go to the URL that they provide for secure banking, not the home > page of their main website. They seem to offer a lot of services under > different URLs. Not all of them have the same level of protection. Picking > two URLs at random: > > The Fluent account login page takes me to: > > https://portal.cadencebank.com/consumer/ > > and openssl s_client tells me: > > ====================================== > New, TLSv1/SSLv3, Cipher is AES128-SHA > Server public key is 2048 bit > Secure Renegotiation IS supported > Compression: NONE > Expansion: NONE > SSL-Session: > Protocol : TLSv1 > Cipher : AES128-SHA > ====================================== > > So, they use TLSv1, as opposed to the latest TLSv1.2 and their digital > signature is with the AES symmetric cipher with 128bit keys. This is > considered safe enough for today. They also use the SHA1 hash which is less > secure (if you are paranoid that someone may change the packets payload in > flight). Since 2004 it was found that practical collision attacks could be > launched on MD5, SHA-1, and other hash algorithms and NIST has launched a > competition for the next secure hash SHA3. However, MD5 and SHA1 are used so > widely today it could take a loooong time for them to disappear. > > > However, picking up another banking service of theirs I see that they are > using RC4 with MD5: > > ====================================== > New, TLSv1/SSLv3, Cipher is RC4-MD5 > Server public key is 2048 bit > Secure Renegotiation IS supported > Compression: NONE > Expansion: NONE > SSL-Session: > Protocol : TLSv1 > Cipher : RC4-MD5 > ====================================== > > RC4 is considered completely broken today, even for Microsoft! :-) > > http://en.wikipedia.org/wiki/RC4 > > > The good news are that your bank's servers do not leak any secrets at this > moment and it seems they never did (they use SUN servers). > Yet. I would rather not be the next customer to have his ID stolen like Target, I think the chain Micheal's was stolen in the past couple days but not positive on that yet. That bank is not a small bank and I pay fees each month for them to be able to keep their stuff updated. If they can't be bothered to keep it updated and then turn around and give me a card that sucks, well, oh well. < picture a thumbs up here > Dale :-) :-) -- I am only responsible for what I said ... Not for what you understood or how you interpreted my words! --------------070408070708010409040501 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: 8bit Mick wrote:
> On Saturday 19 Apr 2014 19:41:02 Dale wrote:
>> Mick wrote:
>
>>> and look for this info:
>>>
>>> New, TLSv1/SSLv3, Cipher is RC4-SHA
>>> Server public key is 2048 bit
>>> Secure Renegotiation IS NOT supported
>>> Compression: NONE
>>> Expansion: NONE
>>>
>>> SSL-Session:
>>>     Protocol  : TLSv1
>>>     Cipher    : RC4-SHA
>>
>> I have this little padlock looking thing too.  I dug around and found
>> this info:
>>
>> CN = VeriSign Class 3 Extended Validation SSL SGC CA
>> OU = Terms of use at https://www.verisign.com/rpa (c)06
>> OU = VeriSign Trust Network
>> O = "VeriSign, Inc."
>> C = US
>>
>> PKCS #1 RSA Encryption
>>
>> There is another place with info but it doesn't allow me to highlight it
>> so that I can copy and paste.  Hmmmmmm.
>>
>> Anyway, is that reasonable for a bank to use?  In case you haven't
>> noticed, I'm not a wealth of info on encryption, just rich in
>> questions.  I just know that it is supposed to make things unreadable
>> without a password, pass key or whatever.
>>
>> This is currently my bank.
>>
>> http://cadencebank.com/
>>
>> Since they changed to a card that a lot of stores don't take, that could
>> be changing real soon.
>
> You need to go to the URL that they provide for secure banking, not the home
> page of their main website.  They seem to offer a lot of services under
> different URLs.  Not all of them have the same level of protection.  Picking
> two URLs at random:
>
> The Fluent account login page takes me to:
>
>   https://portal.cadencebank.com/consumer/
>
> and openssl s_client tells me:
>
> ======================================
> New, TLSv1/SSLv3, Cipher is AES128-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : AES128-SHA
> ======================================
>
> So, they use TLSv1, as opposed to the latest TLSv1.2 and their digital
> signature is with the AES symmetric cipher with 128bit keys. This is
> considered safe enough for today. They also use the SHA1 hash which is less
> secure (if you are paranoid that someone may change the packets payload in
> flight).  Since 2004 it was found that practical collision attacks could be
> launched on MD5, SHA-1, and other hash algorithms and NIST has launched a
> competition for the next secure hash SHA3.  However, MD5 and SHA1 are used so
> widely today it could take a loooong time for them to disappear.
>
>
> However, picking up another banking service of theirs I see that they are
> using RC4 with MD5:
>
> ======================================
> New, TLSv1/SSLv3, Cipher is RC4-MD5
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : RC4-MD5
> ======================================
>
> RC4 is considered completely broken today, even for Microsoft!  :-)
>
>   http://en.wikipedia.org/wiki/RC4
>
>
> The good news are that your bank's servers do not leak any secrets at this
> moment and it seems they never did (they use SUN servers).
>

Yet.  I would rather not be the next customer to have his ID stolen like Target, I think the chain Micheal's was stolen in the past couple days but not positive on that yet.

That bank is not a small bank and I pay fees each month for them to be able to keep their stuff updated.  If they can't be bothered to keep it updated and then turn around and give me a card that sucks, well, oh well.  < picture a thumbs up here >

Dale

:-)  :-)

--
I am only responsible for what I said ... Not for what you understood or how you interpreted my words!

--------------070408070708010409040501--