Any Reason why RC4 is at the top of most banks Cipher Suite lists?



So this was discussed on last week's Security Now podcast. First they noticed that Bank of America was offering RC4 at the top of their cipher suite list. Then everyone else started checking (including myself), and sure enough RC4 is right there at the top of the list, which means it's the one that would be chosen.

 

Below is the transcript from that segment of the podcast.

 

Steve: So it was either last week or the week before that we were talking about cipher suites. And Leo put in Bank of America into SSL Labs' site and, in real time, on the air, we were stunned to see the ordering, the preferred ordering that Bank of America chooses, the idea being that, when a browser connects to a server, it presents the server with the list of cipher suites, the encryption algorithms, the encryption hashes, the encryption strengths, whether it's RSA or Diffie-Hellman, the key exchange technology.

Basically all of those are bundled up in a set of standards which each represents a suite of encryption technology. The browser says, here's the list that I know of. Then the server, the way SSL and TLS handshaking works, the server looks at the browser's list, and then from its own ordered list, meaning from most desirable to least, it uses its list to pick the cipher suite that'll be used. And so all logic says that the server puts the strongest ciphers at the top and works its way down to the weakest ones because the logic in the handshake, the logic at the server side is it looks at the first one it knows about and looks for it anywhere in the browser's list. Is it there? No. Okay, now the next one, and looks for that anywhere in the browser's list, is that there, and so on.

Well, it turns out that Bank of America, which was the only banking site we looked at, has the worst of all, like RC4 cipher, which has been roundly criticized and deprecated, with a short key length and bad encryption and a bad hash, I mean, it's just everything about it is wrong as its No. 1. So if a browser offers that, just for the sake of compatibility, the browser doesn't ever want that to be chosen. But it would rather that to be chosen than nothing. So the browser might have that properly at the bottom of its list, not that the browser's list is ordered. But basically it's in the list so that it's a possibility. But it doesn't want it chosen. Yet Bank of America sees that among the choices and chooses it first.

So we were just stunned. I just wanted to acknowledge that many people checked their own banks, and apparently this is universal. I got a whole bunch of tweets after that saying, you know, people were just like, oh, my lord, my bank is worse, is as bad as BofA. So they were just tweeting their despair over discovering that their own banks were in as bad a shape. And in fact, a question that I saw in the mailbag, I didn't choose it, only because we've sort of covered it, and I just have, was somebody saying, how do I explain this to my bank? I mean, you know, I'd like them to fix this. But who? How? You know?

MIKE: Walk up to the teller. Excuse me, I'd like to mention something.

Steve: We have a problem, you have a problem with your cipher suite ordering on your website. So, yeah. I mean, I don't know how. Just maybe - I don't know. Maybe there's a support email on the website, you know. Maybe, if they get enough email from people saying that, somebody - it'll, like, percolate up. I mean, there is no fathomable reason for that list to be as it is, except nobody ever curated it. I mean, in fact, it's hard to understand how the server could have even been shipped that way. But there's no reason not to put that at the bottom because, if no better cipher matches first, then it'll still be chosen. But don't pick it as your first priority. That's just nuts.


This is yet again Steve claiming the sky is falling.. I connect to my bank, Chase, and it's not RC4.. So they offer the cipher - BFD.. Your browser shouldn't be picking that one anyway... But what about their customers that are still using old ###### that doesn't even support the new TLS 1.2 AES stuff?

 

While I agree it should be removed and cleaned up - it's not the freaking end of the world that Steve likes to make it out to be.

 


This is yet again Steve claiming the sky is falling.. I connect to my bank, Chase, and it's not RC4.. So they offer the cipher - BFD.. Your browser shouldn't be picking that one anyway... But what about their customers that are still using old ###### that doesn't even support the new TLS 1.2 AES stuff?

 

While I agree it should be removed and cleaned up - it's not the freaking end of the world that Steve likes to make it out to be.

 


 

Your browser and the server negotiate on which ciphers they can both support, which is why you start with the best ones at the top and work your way down. So the browser connects to the good ones first; if one isn't supported it goes to the next one, until finally, if it has to, it connects to RC4. But having it at the top makes it get chosen first.

 

In the case of your bank, the reason your browser didn't choose RC4 is because it's not on top like most banks have it :p

 

My bank, Bank of America and Capital One, just to name a few, put RC4 on top. Just be happy you have a smart bank.

 

The only cipher my sister's bank in Lincoln, NE has in the list is TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112


RC4 is there because of some old financial regulations, but since browsers put it at the bottom of their lists (And not at all if you're using the latest releases) it won't be used.

Firefox 37+ won't even connect to a site using RC4 unless it's in a hardcoded whitelist.


RC4 is there because of some old financial regulations, but since browsers put it at the bottom of their lists (And not at all if you're using the latest releases) it won't be used.

Firefox 37+ won't even connect to a site using RC4 unless it's in a hardcoded whitelist.

 

Good point. I found it in Firefox and Chrome, but where in IE does it tell you which cipher it used? I looked at the info under the padlock but didn't see the cipher.


It actually does, it just hides it.


Right click on a blank part of the page and select Properties and you get this dialog. Not sure why it drops the E from ECDHE, but I suppose it is pointless since there's no non-ephemeral version of it.

Another important thing, along with the deprecation of RC4, is getting rid of insecure fallback from browsers. Firefox 37+ doesn't do it unless the site is on a whitelist (same one as RC4 actually, lumping 2 kinds of brokenness together).


Your browser and the server negotiate on which ciphers they can both support.

 

Dude I know exactly how the exchange works..

 

And while yes, BOA has it on top

 


 

You notice it still didn't choose it. Know why it didn't choose it? Because using a current browser it's not even supported ;) But yeah, really the bank's the bad guy here because it's at the top..

 


 

Like I said, this is yet another "the sky is falling" from Steve to try and grab attention for himself.. Why do you listen to his stuff? You do understand pretty much everyone in the security community sees him as a joke, right?

 

If he wants to go after banks' lack of security, why doesn't he bring up that they are not using DNSSEC for their domains either..

 

Unless you're using Chrome, it looks like.

 


 

Gawd, if you want to yell at someone, how about the browser maker!! I have to use a command line blacklist flag to have it not use specific ciphers?

--cipher-suite-blacklist=0x0005,0x0004

 


 


Dude I know exactly how the exchange works.

 

Your posts are exactly why I post things here. Always good to hear both sides. I'm probably still going to be listening to Security Now like I have been since episode 1. Great learning tool.

 

You notice it still didn't choose it. Know why it didn't choose it? Because using a current browser it's not even supported ;) But yeah, really the bank's the bad guy here because it's at the top..

 

So the Browsers are protecting us, not the banks :) .. except your bank.


The banks should get their stuff in order, I agree, but it's not the end of the world Steve makes it out to be, is my point.. He always likes to make things seem worse than they really are, mostly to grab attention for himself.. The term attention ###### is one of the first things that comes to mind whenever I hear Steve's name ;)

 

There are a few others - but this is the nicest one ;)

 

BTW, it's not just banks that have these issues - really not many sites get an A from the SSL tests.. Most all of them have issues..

 


 

You would think they would have their ###### in order, being such a major player.. And big surprise, they don't have DNSSEC set up either.

 

edit: Neowin has RC4 enabled btw ;) Kind of bad when your seedbox free domain with HTTPS support has a better grade than major players ;)

 


Probably a mix of XP support and BEAST mitigation. XP only does RC4 or AES-CBC with SSL3/TLS 1.0, and none of those options are secure (AES-CBC only being secure with TLS 1.1+), and for a while it was recommended to use RC4 to mitigate BEAST (which has since been patched, even for XP, so maybe we can disable it).

XP does support DHE key exchange at least, but only with 3DES.


You can use 3DES with XP/IE8; for this reason, on clients' servers where they want XP users to have access I allow 3DES, but it's right at the bottom of the cipher list. RC4 is only needed if you want IE6 support. Also, by default the browser preference order is used, but servers can override it if configured to do so. Another thing not considered here is that if a bank is allowing RC4 to allow IE6 to work, they are also supporting a browser that has not had security maintenance for many years, so even if we ignore the cipher security issue, the browser itself isn't secure.

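To make the two selection rules argued over in this thread concrete (Steve's description of a server walking its own ordered list, and the last post's point that the default is browser order unless the server overrides it), here is a small simulation. It is an added example, not code from the podcast or from any poster; the suite names and the 0x0005/0x0004 IDs are real IANA values, but the browser, XP and bank lists are constructed for illustration and are not any real site's configuration.

```python
# Added example, not from the thread: a toy model of TLS cipher-suite selection.
# Suite names and the 0x0005/0x0004 IDs are real IANA values; all lists are constructed.

# Constructed modern browser offer, strongest first; RC4 sits last, for compatibility only.
BROWSER_OFFER = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",  # 0x0005
]
# Constructed offer from an old XP-era client that knows only RC4 and 3DES.
XP_OFFER = ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_RC4_128_MD5",  # 0x0005, 0x0004
            "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]
# Constructed server list with RC4 wrongly at the top, as the thread describes.
BANK_SERVER_RC4_FIRST = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

def negotiate(client_offer, server_list, server_preference=True):
    """Return the suite the handshake picks, or None if nothing overlaps.
    server_preference=True: walk the server's list top-down and take the first suite
    the client also offered (what Steve describes). False: honour the client's order
    instead (the default the last post mentions, which servers can override)."""
    if server_preference:
        ordered, supported = server_list, set(client_offer)
    else:
        ordered, supported = client_offer, set(server_list)
    for suite in ordered:
        if suite in supported:
            return suite
    return None

def strip_rc4(client_offer):
    """What a browser that refuses RC4 (Firefox 37+, or Chrome started with the
    --cipher-suite-blacklist flag from the thread) actually sends."""
    return [s for s in client_offer if "RC4" not in s]

def demote_weak(server_list):
    """Fix the server list the way the thread suggests: leave the strong suites in
    their existing order and push 3DES, then RC4, to the bottom (stable sort)."""
    rank = lambda s: 2 if "RC4" in s else (1 if "3DES" in s else 0)
    return sorted(server_list, key=rank)
```

With server preference on, the RC4-first bank picks RC4 for a browser that merely offers it at the bottom; demoting the weak suites lets the same server give a modern browser ECDHE/AES-GCM while an XP client still gets 3DES rather than RC4.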
