Solved: Low Encryption Level.



needafix's Avatar
needafix needafix is offline
Senior Member with 983 posts.
THREAD STARTER
 
Join Date: Mar 2005
Experience: Advanced
08-Mar-2008, 09:47 PM #1
Solved: Low Encryption Level.
This site is using an outdated encryption method which is no longer classified as secure. It cannot sufficiently protect sensitive data. Do you wish to continue?

-the server is using a short public encryption key, which is not considered to be secure.

***************************************************************

I got the above notice (this section of the site is a Java application) when I tried to log onto my account elsewhere on the net in order to make my monthly payment by bank/credit/debit card. I have never seen this warning before and I always have been on the correct site instead of a spoof.

The scary part, the info that is to be encrypted is the 16 digit card number, the name listed on the card, the expiration date and the last 3 digits of the **** *** digits on the back of the card.

I should not continue? I didn't.
Byteman's Avatar
Byteman   (Bill) Byteman is online now Byteman is authorized to help remove malware. Byteman has a Profile Picture
Moderator & Malware Removal Specialist with 17,457 posts.
 
Join Date: Jan 2002
Location: NY
09-Mar-2008, 12:56 AM #2
Hi,

I think I would pay by mail and include a note about what you saw come up....

Perhaps a legitimate security warning, they do happen but I have not seen one like that....certificates expiring, yes, and mixed content, yes...

Make an exact word for word copy if you can and send it, call customer service and give them the info, perhaps it has been reported and they can reassure you.... or, you will be helping them resolve some issues on the server.
__________________
Mung (computer term), the act of making several incremental changes to an item that combine to destroy it
ferrija1's Avatar
Computer Specs
Member with 7,983 posts.
 
Join Date: Apr 2006
Location: Pittsburgh, PA
Experience: Mac Addict
09-Mar-2008, 12:14 PM #3
Go to the page where you enter that information, does your address bar turn yellow with a lock? If it does, click on it and see what grade of encryption it has. For example if you go to Tech Guy's donate page and click on the lock, you will see that it has 256-bit "High Grade" encryption.
https://billing.radiotower.net/payment/techguy/

In any case, I would contact the site owner or website programmer.
needafix's Avatar
needafix needafix is offline
Senior Member with 983 posts.
THREAD STARTER
 
Join Date: Mar 2005
Experience: Advanced
09-Mar-2008, 02:38 PM #4
More info.

For this site and its game application I stopped using Firefox because FF and Java together have issues.

I switched to Opera for the website in question. It is after I switched that these notices started coming up and am just now paying for the first time with Opera as the browser when all the other times I paid was with FF browser.

When I go to log in to the site I get this notice (attachment):

I know the site (plus double checked possible spoof/BHO/redir's) and as I loathe trusting anything under the sun, I "trust" the site. So I go ahead and click allow.

I select the service I wish to pay for. Then select the method I wish to pay with, then I click "submit" (sensitive info is entered on the next page) then does the second notice come up which is the one I mentioned in my first post.

I select not to continue and only then does the Opera browser give the default error page and in the title bar is the https and the yellow bar with the lock.

So in my mind, the warning of lack of security overrides the peace of mind I am supposed to get from the https and the yellow bar with the lock, since I'm being told that the next page coming up is not secure.

As of yet I haven't heard from the site in question about it.

Attached Thumbnails
Solved: Low Encryption Level.-javsecurity.png  

Last edited by needafix; 09-Mar-2008 at 02:49 PM..
needafix's Avatar
needafix needafix is offline
Senior Member with 983 posts.
THREAD STARTER
 
Join Date: Mar 2005
Experience: Advanced
09-Mar-2008, 03:14 PM #5
Quote:
Originally Posted by ferrija1 View Post
Go to the page where you enter that information, does your address bar turn yellow with a lock? If it does, click on it and see what grade of encryption it has. For example if you go to Tech Guy's donate page and click on the lock, you will see that it has 256-bit "High Grade" encryption.
https://billing.radiotower.net/payment/techguy/

In any case, I would contact the site owner or website programmer.
I have never clicked on the lock. I have a screenshot of it from yesterday but the https or the lock and yellow bar are no longer showing up in order for me to click on it to get any information.

Last time I saw it was to click no on the last warning. It was in the Opera default error page (with the presumably secure address in the address bar) but now when I click no Opera does not go to the default error page, it just stays where it is.
Attached Thumbnails
Solved: Low Encryption Level.-error.png  
TOGG's Avatar
Member with 5,664 posts.
 
Join Date: Apr 2002
Location: Birmingham, England
09-Mar-2008, 05:41 PM #6
Have you used Opera's fraud protection check on the site you are referring to? If you click on the '?' at the top right of the address bar, you should see a box with two tabs, 'Security' and 'Fraud Protection'. Security will tell you if the connection to the site is secure (obviously) while Fraud Protection checks a blacklist to see if anything bad is known about the site.

Assuming that is OK, you can double-check the settings currently in use by Opera (I assume you are using the latest version, 9.26). Click on Tools/Preferences/Advanced and then on 'Security' in the list on the left. That will open a box with 'Security Protocols' at the bottom, click on that and ensure that only SSL 3, TLS 1 and TLS 1.1 are checked. SSL 2 definitely should NOT be checked. Then click on 'Details' and ensure that no cipher lower than 128 bit is checked in the list that appears.

These are all default settings and so should be OK, but you might as well check them out.
needafix's Avatar
needafix needafix is offline
Senior Member with 983 posts.
THREAD STARTER
 
Join Date: Mar 2005
Experience: Advanced
09-Mar-2008, 06:09 PM #7
Quote:
Originally Posted by TOGG View Post
Have you used Opera's fraud protection check on the site you are referring to? If you click on the '?' at the top right of the address bar, you should see a box with two tabs, 'Security' and 'Fraud Protection'. Security will tell you if the connection to the site is secure (obviously) while Fraud Protection checks a blacklist to see if anything bad is known about the site.

Assuming that is OK, you can double-check the settings currently in use by Opera (I assume you are using the latest version, 9.26). Click on Tools/Preferences/Advanced and then on 'Security' in the list on the left. That will open a box with 'Security Protocols' at the bottom, click on that and ensure that only SSL 3, TLS 1 and TLS 1.1 are checked. SSL 2 definitely should NOT be checked. Then click on 'Details' and ensure that no cipher lower than 128 bit is checked in the list that appears.

These are all default settings and so should be OK, but you might as well check them out.
Yes, Opera 9.26. I did not have Fraud Protection turned on. I had not noticed it before. I just turned it on and will try again.

The protocols enabled are TLS 1.1, TLS 1 and SSL 3. SSL 2 is not selected.

But, under "Details" SSL 2 items # 4, 5 and 6 from the top are checkmarked.
TOGG's Avatar
Member with 5,664 posts.
 
Join Date: Apr 2002
Location: Birmingham, England
09-Mar-2008, 06:19 PM #8
Just found this in Opera Help files;

"Warning that a site is using an outdated encryption method

If the encryption method used by a site is outdated, the warning "The site is using an outdated encryption method" will appear. A site matching one or more of the following criteria will trigger the dialog:

- The protocol SSL v2 is used
- Encryption methods with 40 or 56 bit keys are used
- Key exchanges are performed using RSA or Diffie-Hellman (DH) keys less than 900 bits long

What should I do when I get this dialog?

- Inform the Web site operator of the problem, and recommend that the servers be upgraded. Stress the point that users are getting security warnings when visiting their site.
- Although the actual threat level is probably very low, consider waiting for a server upgrade before submitting any sensitive data. If possible, use a corresponding service with a more updated server.

Why is SSL v2 not secure enough?

SSL v2 is a ten year old protocol with at least one major flaw in the protocol itself. It was replaced by SSL v3 in 1996, which makes any server that only supports SSL v2 at least nine years old. That age alone should raise questions about the security of the server in general.

SSL v3 was then replaced by TLS 1.0 in late 1998, and TLS 1.0 is about to be replaced by TLS 1.1, which is supported by Opera 8.0, but disabled in the default setup due to interoperability issues.

The only reason Opera supports SSL v2 is that there are still some important sites that use it. However, all major servers support at least TLS 1.0 today. Any site that uses SSL v2 should have its servers upgraded immediately."

This information is itself a little out of date because TLS 1.1 is now, apparently, enabled in Opera. It seems that you got the warning because that site's security is not completely up to date and it is your choice whether you want to continue dealing with it. As it says "Although the actual threat level is probably very low, consider waiting for a server upgrade before submitting any sensitive data"
TOGG's Avatar
Member with 5,664 posts.
 
Join Date: Apr 2002
Location: Birmingham, England
09-Mar-2008, 06:32 PM #9
Ooops! I pressed the submit button before I registered that you had responded.

I noticed those SSL 2 ciphers still enabled and have now unchecked them. If you go to 'Help' and search 'outdated encryption' you will see the full text that I just posted the extract from. That explains that they have reluctantly left some SSL 2 things in use because so many sites are still using it.

The really odd thing about this is that Firefox should only accept SSL 3 or TLS 1 encryption but it was, apparently, working with the site Opera says isn't safe. It may be that it is the key length that is the problem, at least as far as Opera is concerned. Lots of interesting stuff about keys in the knowledgebase article I quoted from but I won't bother you with it now.

PS. re-reading your first post, the error message you quoted clearly states that it is the 'short public encryption key' that is the problem, not the SSL/TLS version. So much for my masterly research!

Last edited by TOGG; 09-Mar-2008 at 07:16 PM..
needafix's Avatar
needafix needafix is offline
Senior Member with 983 posts.
THREAD STARTER
 
Join Date: Mar 2005
Experience: Advanced
09-Mar-2008, 07:19 PM #10
Quote:
Originally Posted by TOGG View Post
Ooops! I pressed the submit button before I registered that you had responded.

I noticed those SSL 2 ciphers still enabled and have now unchecked them. If you go to 'Help' and search 'outdated encryption' you will see the full text that I just posted the extract from. That explains that they have reluctantly left some SSL 2 things in use because so many sites are still using it.

The really odd thing about this is that Firefox should only accept SSL 3 or TLS 1 encryption but it was, apparently, working with the site Opera says isn't safe. It may be that it is the key length that is the problem, at least as far as Opera is concerned. Lots of interesting stuff about keys in the knowledgebase article I quoted from but I won't bother you with it now.
Nope, none of this security stuff ever came up using FF. I quit it because of game play crashes.

With Fraud Protection turned on, the first pic in the following attachment is what I got at the basic log in level (Java app) with name and password. Tab 1 says it's not secure but Tab 2 says it isn't a fraudulent site.

Tab 2 really doesn't apply because this site is far too well known like Yahoo or Google compared to a maliciousdotcom that would be on any blacklist.

Further on in the process I get the third notice when I click on the link to move on to the page where I enter all the sensitive information. That is when I get the third image in the following attachment.

This point is for the sensitive info process, then the warnings revert back to my first attachment of low-encryption-level-javsecurity.png.

So at least we determined the site isn't a fraud and is transmitting my username and password in readable text and that these notices are flip-flopping back and forth between secure and insecure.
Attached Thumbnails
Solved: Low Encryption Level.-login.png  
TOGG's Avatar
Member with 5,664 posts.
 
Join Date: Apr 2002
Location: Birmingham, England
09-Mar-2008, 07:33 PM #11
Well I'm not sure where that leaves us, except that any risk is still probably minimal. Curious about the reference to the short public encryption key though?;

"Why are RSA/Diffie-Hellman keys shorter than 900 bits not secure enough?

RSA/DH keys are used to protect the encryption keys for all transactions with the server. If these keys are broken,
- all communication that has been exchanged with the server from the time the key was created will be fully available
- an attacker will be able to modify the information exchanged between you and the server, and there is no way to detect such changes in the protocol

These keys are parts of the very foundation of the SSL and TLS protocols. Using a weak key weakens the entire system."

"What is a strong key?

RSA Security recommends a minimum of 1024 bits, but only if your information is worthless by the year 2010, and 2048 bits if you want to keep it safe until year 2030, based on their extrapolation of current trends in computing power and methods.

Any site using weak RSA/DH keys (<1024 bits) should replace their key as soon as possible with at least one 2048 bit key, and get new certificates from their Certificate Authority for that key."
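
The criteria quoted from Opera Help in posts #8 and #11, applied to a server's RSA public key, as an added example that is not part of the original thread and not Opera's code. The function names are hypothetical and the sample key is constructed for the demonstration (it has the right size but is not a usable key).

```python
# Added example: standard-library check of the three "outdated encryption" criteria.
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for one DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):
    """Bit length of the RSA modulus inside a DER SubjectPublicKeyInfo."""
    tag, body, _ = read_tlv(spki)          # outer SEQUENCE
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, alg, pos = read_tlv(body)           # AlgorithmIdentifier
    _, oid, _ = read_tlv(alg)
    if oid != RSA_OID:
        raise ValueError("not an RSA key")
    tag, bitstr, _ = read_tlv(body, pos)   # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("unexpected BIT STRING")
    _, rsa_key, _ = read_tlv(bitstr, 1)    # SEQUENCE { modulus, publicExponent }
    _, modulus, _ = read_tlv(rsa_key)
    return int.from_bytes(modulus, "big").bit_length()

def outdated_reasons(protocol, cipher_bits, kx_bits):
    """Reasons the quoted help text gives for showing the warning (empty list = none)."""
    reasons = []
    if protocol == "SSLv2":
        reasons.append("SSL v2 in use")
    if cipher_bits in (40, 56):
        reasons.append(f"{cipher_bits}-bit cipher")
    if kx_bits < 900:
        reasons.append(f"{kx_bits}-bit RSA/DH key (< 900)")
    return reasons

def der(tag, content):
    """Encode one DER element (used only to build the constructed sample)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + content

def sample_spki(bits):
    """Constructed input: SPKI whose modulus has `bits` bits (bits must be a multiple of 8)."""
    mod = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00 = positive
    rsa_key = der(0x30, der(0x02, mod) + der(0x02, b"\x01\x00\x01"))
    alg = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
    return der(0x30, alg + der(0x03, b"\x00" + rsa_key))

if __name__ == "__main__":
    bits = rsa_modulus_bits(sample_spki(768))
    print(outdated_reasons("TLSv1", 128, bits))
```

With a modern protocol and a 128-bit cipher, a 768-bit key alone is enough to produce the warning, which matches the "short public encryption key" wording in the first post.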
needafix's Avatar
needafix needafix is offline
Senior Member with 983 posts.
THREAD STARTER
 
Join Date: Mar 2005
Experience: Advanced
09-Mar-2008, 10:04 PM #12
As far as I can tell from reading about it all that sensitive info in question is encrypted with a public key. Anyone accessing or intercepting the flow of data can decrypt it with that public key.

The better version of short public encryption key is the version that has two keys but I don't have to my knowledge a private key for this application unless that site hid it in my Java app or on my computer somewhere.

So I guess it is up to the individual whether or not they wish to do such transactions with an SSL 2 server.

Though I would have appreciated the gesture had FF notified the user of this like Opera does.

Geesh, with all the government spying going on with the mass recording of traffic instead of honing in on a specific target and more than 50% the internet flowing through the phone company computer just imagine what they have been able to know by using nothing more than a short public encryption key. Blows the mind. It also makes me suspicious of the other matter of identity theft skyrocketing since that program started a few years ago. One has to wonder.

Since people keep bank accounts and the same credit cards for decades I also wonder about those old hard drives containing that so easily decrypted data encrypted by now deprecated methods. Those comps would be a prime target for acquisition at auctions and recycling places, storage theft.

Over the past 6 or 7 months I have been using FF for this connection/transaction so I might go ahead and use another method of payment. Less paranoia, LOL.

Thanks for your time and the info, marked as solved.
TOGG's Avatar
Member with 5,664 posts.
 
Join Date: Apr 2002
Location: Birmingham, England
10-Mar-2008, 11:13 AM #13
I don't often buy online and, when I do, it's usually from Amazon or someone similar. Now that you have raised this fascinating topic, I shall certainly use the protection mechanism before I enter any more credit card details!

As for encryption keys stored on your computer, further delving in the Opera Help files suggests that they are randomly generated each time they are required and, presumably, 'expire' once used.

Now, when it comes to Hard disk encryption keys, particularly for laptops, it seems they can linger in DRAM memory (and be recovered) even after power has been turned off. But that's enough paranoia for now!
needafix's Avatar
needafix needafix is offline
Senior Member with 983 posts.
THREAD STARTER
 
Join Date: Mar 2005
Experience: Advanced
10-Mar-2008, 12:43 PM #14
Quote:
Originally Posted by TOGG View Post
I don't often buy online and, when I do, it's usually from Amazon or someone similar. Now that you have raised this fascinating topic, I shall certainly use the protection mechanism before I enter any more credit card details!

As for encryption keys stored on your computer, further delving in the Opera Help files suggests that they are randomly generated each time they are required and, presumably, 'expire' once used.

Now, when it comes to Hard disk encryption keys, particularly for laptops, it seems they can linger in DRAM memory (and be recovered) even after power has been turned off. But that's enough paranoia for now!
I detest buying online but I have because I could not find what I wanted locally. Through the whole process there was an angel on one shoulder and a demon on the other going at it like cats and dogs, LOL! I don't even check any of my bank stuff online. Plus if you take careful notice shipping and handling can easily be 2, 3 or 4 times or more the actual retail price of what you want plus tax.

As far as the Opera Fraud Protection mechanism goes, I had never adjusted that function or was aware of it so apparently it is not enabled by default so I think it should be.

About those Hard disk encryption keys, I use a program called RAM Idle LE 1.5.0. It frees up a LOT of RAM with no ill effects so far. If that key is not immediately tied to any active process it might blow it out of there. Or, the key might be used to encrypt the disk right before the computer is shut down and is still in memory.

So are you referring to opening the stolen laptop and hot wiring the RAM to get the information or the thief getting the info after the computer was rebooted?
TOGG's Avatar
Member with 5,664 posts.
 
Join Date: Apr 2002
Location: Birmingham, England
10-Mar-2008, 12:52 PM #15
It's just something I came across at Wilders Security Forum, I didn't read the full details but it looks like one of those things that is possible, but not too likely; http://www.freedom-to-tinker.com/?p=1257