Mick wrote:
> On Sunday 20 Apr 2014 10:10:42 Dale wrote:
>> Mick wrote:
>
>>> SSL-Session:
>>> Protocol : TLSv1
>>> Cipher : RC4-MD5
>>>
>>> ======================================
>>>
>>> RC4 is considered completely broken today, even for Microsoft! :-)
>>>
>>> http://en.wikipedia.org/wiki/RC4
>>>
>>> The good news is that your bank's servers do not leak any secrets at
>>> this moment and it seems they never did (they use SUN servers).
>>
>> Yet. I would rather not be the next customer to have his ID stolen like
>> Target, I think the chain Micheal's was stolen in the past couple days
>> but not positive on that yet.
>>
>> That bank is not a small bank and I pay fees each month for them to be
>> able to keep their stuff updated. If they can't be bothered to keep it
>> updated and then turn around and give me a card that sucks, well, oh
>> well. < picture a thumbs up here >
>
> Just a third of all websites offer TLSv1.2 at the moment and hardly any
> public sites offer it as an exclusive encryption protocol, because they
> would lock out most of their visitors. This is because most browsers do
> not yet support it. MSWindows 8.1 MSIE 11 now offers TLSv1.2 by default
> and has dropped the RC4 cipher (since November last year). I understand
> they are planning to drop SHA-1 next Christmas and have already dropped
> MD5 because of the Flame malware. This should push many websites to sort
> out their encryption and SSL certificates and move away from using RC4
> and SHA1 or MD5. As I said, RC4 has been reverted to by many sites as an
> immediate if interim defence against the infamous BEAST and Lucky
> Thirteen attacks.
>
> According to the Netcraft SSL Survey (May 2013) only a third of all web
> servers out there offer Perfect Forward Secrecy to ensure that even if
> the encryption keys were to be compromised, previous communications
> cannot be retrospectively decrypted.
>
> Elliptic Curve algorithms are not yet included in many browsers and in
> any case the security of these in a post-Snowden world should be
> questionable (well, at least the arbitrarily specified NIST-NSA sponsored
> curves, which OpenSSL is heavily impregnated with).
>
> What I'm saying is that there may be no perfect banking website out
> there, because Internet security is screwed up at the moment, but it is
> always worth looking for a better bet.
>
Well, my bank only got a C for its grade. For what it costs every
month, it should get an A+. I don't have one of those free checking
accounts. I pay fees each month for mine. Plus I have already been
planning to switch ever since they switched my debit card from Visa
to Discover. I'm tired of finding something online or going into a
business to buy something and then finding out they don't take
Discover. It's just the speed of switching that has changed.
Basically, just one more nail in the coffin.

Dale

:-) :-)
--
I am only responsible for what I said ... Not for what you
understood or how you interpreted my words!
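The "SSL-Session:" block Mick quoted above is what `openssl s_client -connect host:443 < /dev/null` prints after the handshake, and the thread's complaints (RC4, MD5, no TLSv1.2, no forward secrecy) can all be read off its Protocol and Cipher lines. The script below is an added example, not code from the thread or from either poster: it parses such a block and reports those findings. The two session blocks are constructed to match the thread, not captured from any real bank, and the "broken/weak/good" rubric is this example's own, not the grading scheme of the survey site Dale refers to.

```python
"""Report the weaknesses visible in an `openssl s_client` SSL-Session block.

Added example for the thread above; not the posters' code. Input is the
"SSL-Session:" block printed by `openssl s_client -connect host:443`.
Both sample blocks below are constructed, not captured from a real server.
"""
import re

# Constructed: the negotiation the thread shows for the bank.
BANK_SESSION = """\
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 1A2B3C
"""

# Constructed: a modern negotiation for comparison.
GOOD_SESSION = """\
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
"""

# Older is worse; TLSv1.2 is the first version with AEAD suites.
PROTOCOL_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2,
                 "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}

# OpenSSL suite names that start with these use ephemeral (EC)DH,
# i.e. the session key is not derivable from the server's RSA key.
PFS_KEX = {"DHE", "ECDHE", "EDH", "EECDH"}


def parse_session(text):
    """Return (protocol, cipher) from an SSL-Session block."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", text, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", text, re.M)
    if not proto or not cipher:
        raise ValueError("no Protocol/Cipher lines found in SSL-Session block")
    return proto.group(1), cipher.group(1)


def assess(text):
    """Grade one negotiated session.

    OpenSSL suite names are dash-separated: the leading DHE/ECDHE part is
    the key exchange, the middle is the bulk cipher, the trailing
    MD5/SHA/SHA256 is the record MAC (or PRF for AEAD suites).
    """
    proto, cipher = parse_session(text)
    parts = cipher.split("-")
    findings = []
    broken = False

    if PROTOCOL_RANK.get(proto, 0) < PROTOCOL_RANK["TLSv1.2"]:
        findings.append(f"protocol {proto} predates TLSv1.2 (no AEAD suites; "
                        "CBC suites exposed to BEAST/Lucky Thirteen style attacks)")
    if "RC4" in parts:
        findings.append("RC4 stream cipher: keystream biases, considered broken")
        broken = True
    if parts[-1] == "MD5":
        findings.append("MD5 as record MAC")
        broken = True
    if "NULL" in parts or cipher.startswith("EXP"):
        findings.append("NULL or export-grade cipher: no real confidentiality")
        broken = True
    if parts[0] in ("ADH", "AECDH"):
        findings.append("anonymous key exchange: server is not authenticated")
        broken = True
    if "DES" in parts:
        findings.append("DES/3DES bulk cipher: 64-bit block size")

    pfs = parts[0] in PFS_KEX
    if not pfs:
        findings.append("no forward secrecy: recorded traffic is decryptable "
                        "if the server's long-term key is ever obtained")

    grade = "broken" if broken else ("weak" if findings else "good")
    return {"protocol": proto, "cipher": cipher, "pfs": pfs,
            "findings": findings, "grade": grade}


if __name__ == "__main__":
    for label, sample in (("bank", BANK_SESSION), ("modern", GOOD_SESSION)):
        result = assess(sample)
        print(f"{label}: {result['protocol']} {result['cipher']} -> {result['grade']}")
        for finding in result["findings"]:
            print("  -", finding)
```

To check a live server, paste the "SSL-Session:" block from `openssl s_client -connect host:443 < /dev/null` into `assess()`; to see whether the server offers forward secrecy at all rather than just what it picked for you, re-run `s_client` with `-cipher 'ECDHE:DHE'` and see whether the handshake still succeeds.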