Closed Bug 1135966 Opened 6 years ago Closed 5 years ago

Banco do Brasil's internet banking platform is RC4-only

Categories: Web Compatibility :: Desktop
Type: defect; Priority: Not set; Severity: normal
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: cesarb; Assignee: Unassigned

The online banking website for Banco do Brasil (one of the biggest banks in Brazil) is RC4-only. The hostnames I know of are www2.bancobrasil.com.br (main site) and www41.bb.com.br (auxiliary site). There's also cva.bb.com.br (homebroker), but even though Qualys says it's RC4-only, for some reason Firefox can connect to it using TLS_DHE_RSA_WITH_AES_128_CBC_SHA.
Blocks: 1124039
Status: UNCONFIRMED → NEW
Ever confirmed: true
No longer blocks: 1124039
Found another RC4-only one: www28.bb.com.br
Found yet another RC4-only one: www73.bb.com.br
Their homebroker is now at hbk.bb.com.br. I now believe their homebroker to be a heterogeneous set of servers behind a sticky load balancer, for the following reason: yesterday, I couldn't access it without disabling DHE because Firefox gave me a "weak dh" error, while at the same time Qualys told me it was RC4-only (thus no DHE). Disabling both DHE and RC4 worked.

Today, I can access it from Firefox with TLS_RSA_WITH_AES_128_CBC_SHA (RC4 is disabled, but DHE enabled), while Qualys tells me Firefox would use TLS_DHE_RSA_WITH_AES_128_CBC_SHA (and a 768-bit DH key).

Therefore, I believe hbk.bb.com.br should also be added to the RC4 whitelist, since at least one of its servers is RC4-only.
So the recently-released Java 8u51 disables RC4 by default (http://www.oracle.com/technetwork/java/javase/8u51-relnotes-2587590.html).

That online banking website requires a Java-based "security module".

A few days ago, I noticed that a couple of these formerly RC4-only domains are now accepting a non-RC4 cipher suite (according to Qualys, TLS_RSA_WITH_AES_128_CBC_SHA).

Coincidence? I think not!

(The fixed servers are www2.bancobrasil.com.br and www41.bb.com.br, the rest still seem to be broken.)
All reported servers are fixed.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Product: Tech Evangelism → Web Compatibility