1

I visited my bank's web banking site and clicked on the Green Lock in the address bar of my Google Chrome browser out of curiosity.

Under the "Connections" tab Chrome spits out this disturbing warning.

"Your connection to netbanking.mybankname.com is encrypted with obsolete cryptography. The connection used TLS 1.2. The connection is encrypted using 3DES_EDE_CBC with SHA1 for message authentication and RSA as the key exchange mechanism"

How worrying is this? Is there anything I can do at the client end to mitigate my risks?

Is emailing my bank about this a reasonable course of action? Or is Google being over-sensitive?

peterh
  • 2,938
  • 6
  • 25
  • 31
curious_cat
  • 1,013
  • 1
  • 11
  • 18

2 Answers2

4

The website is using SHA1 certificates to provide security. The new Chrome browser is showing it as a weak algorithm, because most of the organizations are already migrated to SHA2 certificates. It is just a warning, it does not mean that it would be a non-secured connection.

S.L. Barth
  • 5,486
  • 8
  • 38
  • 47
Tatarao Vana
  • 139
  • 2
  • 1
    It's not the certificate, as the linked #85532 (and #83831) clearly explain. "...CBC with SHA1 for message authentication" is the HMAC, not the cert. Chrome calls any data cipher other than AES-GCM or CHACHA-POLY "obsolete cryptography". A SHA1-signed cert (past end of the year) gives a **different** warning, "outdated security settings". – dave_thompson_085 Jun 20 '15 at 10:38
0

You can try to update your web browser and maybe plugins. If your browser supports it, you can disable weak ciphers and apply custom order to ciphersuite. This can help you in this: https://www.ssllabs.com/ Everything else must be done at the server side.

Vilican
  • 2,703
  • 8
  • 21
  • 35
  • 1
    Chrome already enforces (very) strict settings, and can't usefully be changed. The server might be improved (AES and probably GCM and maybe CHACHA instead of 3DES, ECDHE and/or DHE instead of RSA), but not by the OP. – dave_thompson_085 Jun 20 '15 at 10:42
  • 1
    Yes, this is maily problem of the server. Chrome cannot be easily changed, but can be changed. Here is the solution for disabling RC4: http://fehlis.blogspot.cz/2013/12/how-to-disable-ssl-ciphers-in-google.html (you can disable other ciphers through this too) – Vilican Jun 20 '15 at 13:56