Closed Bug 1156441 Opened 10 years ago Closed 9 years ago

allbankonline.in is RC4 only

Categories: Web Compatibility :: Site Reports (defect)
Priority: Not set
Severity: normal
Tracking: Not tracked
Status: RESOLVED FIXED
Reporter: pratiush29 (Unassigned)

User Agent: Mozilla/5.0 (Android; Mobile; rv:37.0) Gecko/37.0 Firefox/37.0
Build ID: 20150413180005
Firefox for Android

Steps to reproduce:
https://www.allbankonline.in/jsp/startnew.jsp

Actual results:
An error occurred during a connection to www.allbankonline.in. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)

Expected results:
The site should have opened like it used to previously.
https://www.ssllabs.com/ssltest/analyze.html?d=www.allbankonline.in&s=14.141.78.119&latest

The site in question has incredibly broken and insecure security. Top issues noticed on a security scan:

- This server supports SSL 2, which is obsolete and insecure. Grade set to F.
- This server supports anonymous (insecure) suites (see below for details). Grade set to F.
- This server supports insecure Diffie-Hellman (DH) key exchange parameters. Grade set to F.
- This server supports 512-bit export suites and might be vulnerable to the FREAK attack. Grade set to F.
- This server uses SSL 3, which is obsolete and insecure. Grade capped to B.
- Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2.
- This site is intolerant to newer protocol versions, which might cause connection failures.
- The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
- This server accepts the RC4 cipher, which is weak. Grade capped to B.
- There is no support for secure renegotiation.
- The server does not support Forward Secrecy with the reference browsers.

As you can see in the full scan results, quite a few browsers fail to connect to this server, for various reasons. This particular connection breakage is because this server not only supports a maximum of TLS 1.0 (from 1999), but the software they're running to do it is broken and does not properly negotiate versions with newer clients (it is TLS 1.1/1.2 version intolerant). Previously, Firefox and other browsers hacked around this; however, doing so was very insecure and is being phased out by everyone. (Firefox is doing so more quickly than some others.)

Bottom line: The security of this site is horrific and they need to fix it. It's no longer tolerable by modern browsers. They need to at least fix their 16-year-old software, or preferably upgrade it to something modern. You'll need to contact their customer support to get them to fix their site. This is not a Firefox bug.
Status: UNCONFIRMED → NEW
Component: Untriaged → Desktop
Ever confirmed: true
OS: Android → All
Product: Firefox → Tech Evangelism
Hardware: Other → All
Summary: Problem accessing secure sites like banking → allbankonline.in is TLS 1.1/1.2 version intolerant
Version: 37 Branch → unspecified
According to https://www.ssllabs.com/ssltest/analyze.html?d=allbankonline.in, a significant number of the issues with the site listed in comment 1 have been addressed. However, it looks like the site has now become RC4 only.
Blocks: RC4-Dependence
No longer blocks: TLS-Intolerance
Summary: allbankonline.in is TLS 1.1/1.2 version intolerant → allbankonline.in is RC4 only
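The two failure modes discussed in comments 1 and 2 (a server that refuses newer protocol versions, and a server that will only negotiate RC4) are distinguishable from the first TLS record the server sends back. The following parser is an added example written for this page; it is not Mozilla code and was not run against the site in the report. It decodes a captured ServerHello or Alert record, reports the negotiated version and cipher suite, and flags RC4 suites using standard IANA cipher-suite values. All sample messages are constructed inline by the helper functions, so it runs offline.

```python
"""Classify the first TLS record a server returns: ServerHello or Alert.

Added example for triaging "no common cipher" versus version-intolerance
reports. Sample bytes are constructed, not captured from any real host.
"""
import struct

# Standard IANA cipher-suite values; the RC4 entries are the ones a modern
# client no longer offers, so an RC4-only server can never agree with it.
CIPHER_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

# Alert descriptions relevant here: a server with no overlapping suite sends
# handshake_failure; a version-intolerant server often sends protocol_version
# or simply drops the connection (which this parser cannot see).
ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version"}


def parse_server_response(data: bytes) -> dict:
    """Decode one TLS record (record header + handshake or alert body)."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    content_type, _rec_version, rec_len = struct.unpack("!BHH", data[:5])
    body = data[5:5 + rec_len]
    if len(body) < rec_len:
        raise ValueError("truncated record body")

    if content_type == 0x15:  # Alert
        if len(body) < 2:
            raise ValueError("truncated alert")
        level, desc = body[0], body[1]
        return {
            "kind": "alert",
            "level": "fatal" if level == 2 else "warning",
            "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"),
        }

    if content_type != 0x16:  # Handshake
        raise ValueError(f"unexpected content type 0x{content_type:02x}")

    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if hs_type != 0x02:
        raise ValueError(f"expected ServerHello, got handshake type {hs_type}")
    if len(hs) < 35:
        raise ValueError("truncated ServerHello")

    # ServerHello: version(2) random(32) session_id_len(1) session_id
    #              cipher_suite(2) compression(1) [extensions...]
    version = struct.unpack("!H", hs[0:2])[0]
    sid_len = hs[34]
    off = 35 + sid_len
    if len(hs) < off + 3:
        raise ValueError("truncated ServerHello body")
    suite = struct.unpack("!H", hs[off:off + 2])[0]
    name = CIPHER_SUITES.get(suite, f"unknown(0x{suite:04x})")
    return {
        "kind": "server_hello",
        "version": VERSIONS.get(version, f"0x{version:04x}"),
        "cipher_suite": name,
        "uses_rc4": "RC4" in name,
    }


def build_server_hello(version: int, suite: int, session_id: bytes = b"") -> bytes:
    """Construct a minimal ServerHello record (test data, no extensions)."""
    hs_body = (struct.pack("!H", version) + bytes(32) + bytes([len(session_id)])
               + session_id + struct.pack("!H", suite) + b"\x00")
    hs = b"\x02" + len(hs_body).to_bytes(3, "big") + hs_body
    return b"\x16" + struct.pack("!HH", version, len(hs)) + hs


def build_alert(level: int, description: int) -> bytes:
    """Construct a two-byte Alert record (test data)."""
    return b"\x15\x03\x01\x00\x02" + bytes([level, description])


if __name__ == "__main__":
    # Constructed scenarios: RC4-only server on TLS 1.0, a healthy server,
    # and a server that refuses the handshake outright.
    for sample in (build_server_hello(0x0301, 0x0005, b"\x01\x02"),
                   build_server_hello(0x0303, 0xC02F),
                   build_alert(2, 40)):
        print(parse_server_response(sample))
```

A ServerHello that reports TLS 1.0 and an RC4 suite matches the "RC4 only" state in comment 2; a fatal handshake_failure alert is what a client that no longer offers RC4 sees from the same server, which surfaces in Firefox as ssl_error_no_cypher_overlap. A version-intolerant server, by contrast, tends to answer a TLS 1.2 ClientHello with a protocol_version alert or a closed connection rather than negotiating down to TLS 1.0 as the protocol allows.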
Fixed.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Product: Tech Evangelism → Web Compatibility