Client side Security, How’s My SSL? (.com)


Years ago, Moxie Marlinspike taught us that browser hints such as the “lock icon” in the address bar don’t guarantee an encrypted connection. The website you are visiting will still happily fall back to plain http, unless you, the user, made an effort to check that you were actually redirected from the clear session to the encrypted one… Not really. Man-in-the-middle attacks are very unforgiving to their victims.

Even though the giants, such as Facebook, Google and Micro$oft products like Outlook.com, have somehow mitigated this fallback bug, smaller websites, such as intranets and self-hosted WordPress blogs, are still vulnerable. Two-factor authentication solves the credentials issue; this is about privacy and information sanity. TLS or not, what cipher am I using anyway?

There is a website, Howsmyssl.com, which tells you which cipher suites your browser currently offers, in the order the browser sends them. It also lists common and newly discovered vulnerabilities in the SSL/TLS protocol. What I find particularly interesting is the list of cipher suites at the bottom of the page. Still seeing RC4 there is getting very tedious…
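As an added example (not code from the original post or from Howsmyssl.com), here is a small Python script that applies the same kind of verdict offline to a browser’s offered cipher list. The field names are assumed to follow the site’s /a/check JSON response, and the sample response is constructed, not captured.

```python
import re

# Constructed sample (not a real capture): a browser still offering RC4, TLS 1.1 at best.
# Field names follow howsmyssl.com's /a/check JSON; assumed here, not copied from the site.
SAMPLE_CHECK = {
    "tls_version": "TLS 1.1",
    "given_cipher_suites": [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
        "TLS_RSA_WITH_RC4_128_MD5",
    ],
    "ephemeral_keys_supported": True,
    "tls_compression_supported": False,
}

# Substrings that mark a suite as weak, and the reason a report should give.
WEAK_MARKERS = {
    "_RC4_": "RC4 keystream biases",
    "_3DES_": "64-bit block cipher",
    "_NULL_": "no encryption",
    "_EXPORT": "export-grade key",
    "_MD5": "MD5 MAC",
}

def weak_suites(suites):
    """Map every offered suite that matches a weak marker to its list of reasons."""
    found = {}
    for suite in suites:
        reasons = [why for marker, why in WEAK_MARKERS.items() if marker in suite]
        if reasons:
            found[suite] = reasons
    return found

def tls_version_tuple(text):
    """'TLS 1.1' -> (1, 1); an unparsable string rates as (0, 0)."""
    m = re.search(r"(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else (0, 0)

def rate(check):
    """Simplified version of the site's Bad / Improvable / Probably Okay verdict."""
    version = tls_version_tuple(check.get("tls_version", ""))
    if weak_suites(check["given_cipher_suites"]) or version < (1, 1) or check.get("tls_compression_supported"):
        return "Bad"
    if version < (1, 2) or not check.get("ephemeral_keys_supported"):
        return "Improvable"
    return "Probably Okay"
```

Feed it the JSON from the real check endpoint and the weak suites it flags are the ones to switch off in the browser first.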

Lab Time!

Just for fun, I disabled all the insecure ciphers I could find and made TLS 1.1 the minimum required TLS version in Mozilla Firefox. For the first two weeks, every https site I visited worked fine. Until I had some banking piled up at the end of the month…

Apparently my bank still uses TLS 1.0! Mozilla won’t let me continue! And what’s even more surprising is that the error message speaks of SSL3. For two protocols only three years apart, maybe there isn’t much difference?

Nevertheless, I called my bank’s end-user technical support and explained the issue. And what did they tell me? To use another browser…

Conclusion

With the big scary Internet growing and more tightly supervised than ever, and datacenters spinning with almost unlimited capacity, these 90’s encryption protocols are surely broken. The old reheated excuses large companies gave for not implementing https (not enough capacity, bandwidth, offloading, etc.) don’t apply anymore.

Out with the old, in with the new
