Closed
Bug 1135966
Opened 10 years ago
Closed 9 years ago
Banco do Brasil's internet banking platform is RC4-only
Categories
(Web Compatibility :: Site Reports, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: cesarb, Unassigned)
Details
The online banking website for Banco do Brasil (one of the biggest banks in Brazil) is RC4-only. The hostnames I know of are www2.bancobrasil.com.br (main site) and www41.bb.com.br (auxiliary site). There's also cva.bb.com.br (homebroker), but even though Qualys says it's RC4-only, for some reason Firefox can connect to it using TLS_DHE_RSA_WITH_AES_128_CBC_SHA.
Updated • 10 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated • 10 years ago
Blocks: RC4-Dependence
Comment 1 (Reporter) • 10 years ago
Found another RC4-only one: www28.bb.com.br
Comment 2 (Reporter) • 9 years ago
Found yet another RC4-only one: www73.bb.com.br
Comment 3 (Reporter) • 9 years ago
Their homebroker is now at hbk.bb.com.br. I now believe their homebroker to be a heterogeneous set of servers behind a sticky load balancer, for the following reason: yesterday, I couldn't access it without disabling DHE because Firefox gave me a "weak dh" error, while at the same time Qualys told me it was RC4-only (thus no DHE). Disabling both DHE and RC4 worked.
Today, I can access it from Firefox with TLS_RSA_WITH_AES_128_CBC_SHA (RC4 is disabled, but DHE enabled), while Qualys tells me Firefox would use TLS_DHE_RSA_WITH_AES_128_CBC_SHA (and a 768-bit DH key).
Therefore, I believe hbk.bb.com.br should also be added to the RC4 whitelist, since at least one of its servers is RC4-only.
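The inference in comment 3, written out as an added example that is not part of the bug report: given several probes of one hostname (a scanner run and a browser session landing on different backends), decide whether any backend is RC4-only, whether a weak DH group was seen, and whether the probes disagree in a way that points to more than one server configuration. The observation records are constructed to mirror the comments, not real Qualys output, and the 1024-bit DH threshold is the one Firefox applied at the time.

```python
"""Classify TLS probe observations for a host whose backends may differ."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

WEAK_DH_BITS = 1024  # Firefox 39+ rejected DHE groups shorter than this


@dataclass(frozen=True)
class Observation:
    """One probe of a host: which suites the server accepted, DH size if any."""
    source: str
    accepted: FrozenSet[str]
    dh_bits: Optional[int] = None


def is_rc4(suite: str) -> bool:
    """True for IANA-style suite names that use the RC4 stream cipher."""
    return "_RC4_" in suite


def classify(observations: List[Observation]) -> Dict[str, bool]:
    """Summarise probes of a single hostname.

    rc4_only:           some probe hit a backend that accepts only RC4 suites
    weak_dh:            some probe saw a DHE group below WEAK_DH_BITS
    heterogeneous:      probes disagree on the accepted suite set; behind a
                        sticky load balancer that suggests several backends
    needs_rc4_fallback: the whitelist criterion from comment 3, i.e. at
                        least one backend is RC4-only
    """
    rc4_only = any(o.accepted and all(is_rc4(s) for s in o.accepted)
                   for o in observations)
    weak_dh = any(o.dh_bits is not None and o.dh_bits < WEAK_DH_BITS
                  for o in observations)
    distinct = {o.accepted for o in observations}
    return {
        "rc4_only": rc4_only,
        "weak_dh": weak_dh,
        "heterogeneous": len(distinct) > 1,
        "needs_rc4_fallback": rc4_only,
    }


# Constructed observations modelled on comment 3: the scanner lands on an
# RC4-only backend, the browser on one offering AES with a 768-bit DH group.
HBK_OBSERVATIONS = [
    Observation("scanner", frozenset({"TLS_RSA_WITH_RC4_128_SHA",
                                      "TLS_RSA_WITH_RC4_128_MD5"})),
    Observation("browser", frozenset({"TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
                                      "TLS_RSA_WITH_AES_128_CBC_SHA"}), 768),
]

if __name__ == "__main__":
    print(classify(HBK_OBSERVATIONS))
```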
Comment 4 (Reporter) • 9 years ago
So the recently-released Java 8u51 disables RC4 by default (http://www.oracle.com/technetwork/java/javase/8u51-relnotes-2587590.html).
That online banking website requires a Java-based "security module".
A few days ago, I noticed that a couple of these formerly RC4-only domains are now accepting a non-RC4 cipher suite (according to Qualys, TLS_RSA_WITH_AES_128_CBC_SHA).
Coincidence? I think not!
(The fixed servers are www2.bancobrasil.com.br and www41.bb.com.br, the rest still seem to be broken.)
Comment 5 • 9 years ago
All reported servers are fixed.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Updated (Assignee) • 6 years ago
Product: Tech Evangelism → Web Compatibility