[AusNOG] AU Major Banks and SHA-1

Nick Adams nick.adams at reachtel.com.au
Fri Jun 26 08:37:04 EST 2015


Add to the mix a recent change to PCI DSS, which means that TLS 1.0 is also
deprecated from this time next year:

http://blog.varonis.com/ssl-and-tls-1-0-no-longer-acceptable-for-pci-compliance/

*Any* version of SSL should be gone by now and the minimum should be TLS
1.1. Removing TLS 1.0 will of course mean cutting off users on IE6, IE7
on Vista, IE8 on XP, most early Android handsets and a few other clients.

It's a very difficult balancing act for the banks.


Nick.

On 26/06/2015 8:14 AM, Matthew Moyle-Croft wrote:
> We've all been distracted by the large scale crazy of site blocking,
> meta data retention and whatever else the Australian Government is doing.
> 
> But need to focus on some basics:
> 
> SHA-1 is on its way out (see
> http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html).
> 
> Friend got a warning for his bank (not Australian) from Chrome about bad
> SSL configs, so I went and had a quick look at the big 4 banks in
> Australia to see what's up.
> 
> Commbank - got it right - no SHA-1 for home page or Internet Banking, no
> TLS 1.0
> ANZ - no SSL on home page, TLS 1.0 and SHA-1 for internet banking (oh boy!)
> NAB -  no SSL on home page, TLS 1.2 and SHA-1 for internet banking
> Westpac - no SSL on home page, TLS 1.2 and SHA-1 for internet banking
> 
> Anyone here who can influence good internet crypto for the 3 that aren't
> quite there?  
> 
> MMC
> 
> 

