
Question

I've been checking out various TLS certificates lately and noticed that most of the banks seem to have the following two issues:

1) They do not offer perfect forward secrecy

2) They are still using RC4

So far, all the ones I've checked (TD, JPMorgan, CIBC, Wells Fargo, Bank of America, ING/Tangerine, RBC) use

TLS_RSA_WITH_RC4_128_SHA

Though actually CitiGroup and Goldman Sachs are using AES in CBC mode with 256 bit keys, instead of RC4, but still, no forward secrecy, and I would think GCM+SHA256 is better than CBC+SHA, even with 128 bit keys vs 256.

On the other hand, Google, Facebook, LinkedIn, and bitcoin exchanges/sites do offer perfect forward secrecy (typically with ECDHE), and unanimously use AES in GCM mode with SHA256 and 128 bit keys.

So my question: why have our banks not upgraded their security, especially given recent attacks on RC4 (though they are mostly theoretical, they do point to possible issues, and RC4 is generally considered less secure than AES)? Also, why would they not offer perfect forward secrecy? Is that an oversight on their part, or possibly for regulatory reasons?

I nearly emailed my bank about this today, but figured I'd throw the question up here first. Of course, cyber attacks on banks are all the rage these days - they ought to use the best encryption they can.
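The comparison in the question is between cipher suite names. As an added example (not part of the original post), the following script parses IANA-style TLS 1.2 suite names and flags the three properties discussed: static RSA key exchange (no forward secrecy), RC4, and CBC with HMAC instead of an AEAD mode. The sample suite names are the ones quoted above plus a constructed 3DES one.

```python
import re

# IANA-style TLS 1.2 suite names, e.g. TLS_RSA_WITH_RC4_128_SHA.
# TLS 1.3 names (TLS_AES_128_GCM_SHA256) have no key-exchange part and are
# not handled here; every TLS 1.3 handshake is ephemeral (EC)DH anyway.
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>[A-Za-z0-9_]+?)_WITH_(?P<cipher>[A-Za-z0-9_]+)"
    r"_(?P<mac>SHA384|SHA256|SHA|MD5)$"
)


def assess_suite(name):
    """Break one suite name into the properties the question compares."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"not an IANA TLS 1.2 suite name: {name}")
    kx, cipher, mac = m.group("kx", "cipher", "mac")
    bits = re.search(r"_(\d{2,3})(?:_|$)", cipher)  # AES_128_GCM -> 128
    return {
        "key_exchange": kx,
        # Only ephemeral (EC)DH gives forward secrecy; static RSA does not.
        "forward_secrecy": kx.startswith(("ECDHE_", "DHE_")),
        "cipher": cipher,
        "key_bits": int(bits.group(1)) if bits else None,  # None for 3DES
        "rc4": cipher.startswith("RC4"),
        "aead": cipher.endswith(("_GCM", "_CCM", "_CCM_8")) or "CHACHA20" in cipher,
        "cbc": "_CBC" in cipher,
        "mac": mac,
    }


def issues(name):
    """List the weaknesses raised in the question for one suite (empty = none)."""
    a = assess_suite(name)
    found = []
    if not a["forward_secrecy"]:
        found.append(f"no forward secrecy ({a['key_exchange']} key exchange)")
    if a["rc4"]:
        found.append("RC4 stream cipher")
    if a["cbc"] and not a["aead"]:
        found.append(f"CBC mode with HMAC-{a['mac']} instead of AEAD")
    return found


if __name__ == "__main__":
    # Constructed sample: the suites named in the question plus a 3DES one.
    for s in ("TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
              "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"):
        print(s, "->", "; ".join(issues(s)) or "none of the listed issues")
```

Note that Python's `ssl` module reports the negotiated suite in OpenSSL naming (e.g. `ECDHE-RSA-AES128-GCM-SHA256`), so a live check needs a mapping to IANA names before using `issues()`.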

Explanation / Answer

Banks are usually not known to work in an agile way and quickly follow the latest developments. Like with lots of other large companies, there is lots of paperwork involved if somebody tries to change something, which costs effort, manpower, time and thus money. I don't think that a system administrator can just decide to change the ciphers. Instead they must justify the change to upper management, it must be approved, then tested, and then they need to find a maintenance window to apply the change.

Also, the technical side might not be as simple as just changing a cipher in the server's config. There might be load balancers involved which have only (hardware accelerated) support for a limited set of ciphers (mostly RC4 and DES3). Also they might deploy deep inspection IDS up front which can deal with RSA based key exchange provided they have the private key of the server's certificate. But this will not work any longer if the server uses (EC)DH key exchanges to provide forward security.

Together you have lots of management and technical challenges. And unless there are some requirements by law to use better ciphers, only few (if any) resources will be allocated for such a project, which means a change will take a long long time.
