Closed Bug 1135966 Opened 6 years ago Closed 5 years ago
Banco do Brasil's internet banking platform is RC4-only
The online banking website for Banco do Brasil (one of the biggest banks in Brazil) is RC4-only. The hostnames I know of are www2.bancobrasil.com.br (main site) and www41.bb.com.br (auxiliary site). There's also cva.bb.com.br (homebroker), but even though Qualys says it's RC4-only, for some reason Firefox can connect to it using TLS_DHE_RSA_WITH_AES_128_CBC_SHA.
Found another RC4-only one: www28.bb.com.br
Found yet another RC4-only one: www73.bb.com.br
Their homebroker is now at hbk.bb.com.br. I now believe their homebroker to be an heterogeneous set of servers behind a sticky load balancer, for the following reason: yesterday, I couldn't access it without disabling DHE because Firefox gave me a "weak dh" error, while at the same time Qualys told me it was RC4-only (thus no DHE). Disabling both DHE and RC4 worked. Today, I can access it from Firefox with TLS_RSA_WITH_AES_128_CBC_SHA (RC4 is disabled, but DHE enabled), while Qualys tells me Firefox would use TLS_DHE_RSA_WITH_AES_128_CBC_SHA (and a 768-bit DH key). Therefore, I believe hbk.bb.com.br should also be added to the RC4 whitelist, since at least one of its servers is RC4-only.
So the recently-released Java 8u51 disables RC4 by default (http://www.oracle.com/technetwork/java/javase/8u51-relnotes-2587590.html). That online banking website requires a Java-based "security module". A few days ago, I noticed that a couple of these formerly RC4-only domains are now accepting a non-RC4 cipher suite (according to Qualys, TLS_RSA_WITH_AES_128_CBC_SHA). Coincidence? I think not! (The fixed servers are www2.bancobrasil.com.br and www41.bb.com.br, the rest still seem to be broken.)
All reported servers are fixed.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Product: Tech Evangelism → Web Compatibility
You need to log in before you can comment on or make changes to this bug.