Why can't I connect to this desjardins.com site?

mikele2015

Why can't I connect to this desjardins.com site?

Unread post by mikele2015 » 2015-03-26, 21:56

The problem seems to be with SHA1 and NOT with SHA2 256.
If I connect with MSIE I see SHA256 but only SHA128 with Palemoon (commander addon installed).
Why?

Moonchild
Pale Moon guru
Posts: 35636
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Why can't I connect to this HTTPS site?

Unread post by Moonchild » 2015-03-26, 22:03

The same site?
SHA128 doesn't exist. Also, SHA is a hash algo, not a cipher. Your post makes absolutely no sense.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

mikele2015

Re: Why can't I connect to this HTTPS site?

Unread post by mikele2015 » 2015-03-26, 22:31

I don't know. Maybe. But connect to accesd.desjardins.com and check yourself: under more information and security you will see RC4 128 bits.

Connect with MSIE and you will see SHA256RSA.

The explanation from the computer bank guy (in French, needs translating):


-------------------------------------


Following receipt of your email, we assume, based on the content of your
message, that this is related to SHA1 (an algorithm used in SSL). Industry
players have agreed to end its use in 2017. Desjardins recently began
migrating its systems to SHA2.

The impact of this migration is that it is imperative to update your
Internet browsers to use their most recent version. Otherwise, browsers
could issue certificate error messages or prevent you from connecting.

Note that Firefox, Chrome, Safari and Internet Explorer now support the
new version of SHA.

Furthermore, it is possible that some browsers, even when up to date, still
refer to RC4_128 encryption with SHA1. However, if you consult the
"Details" tab of the certificate information, you should see SHA256, which
will confirm that the communication is in SHA2.

Moonchild

Re: Why can't I connect to this desjardins.com site?

Unread post by Moonchild » 2015-03-26, 22:50

Split off because it's completely unrelated for a different site.

"SHA256RSA" is a certificate signing algorithm and has nothing to do with the ciphers.

I checked the site in ssllabs and the only thing they support is:

Cipher Suites (sorted by strength; the server has no preference)
TLS_RSA_WITH_RC4_128_SHA (0x5) WEAK 128

This is the cipher it will negotiate with ANY browser.
They do not offer SHA256 ciphers (which one would expect from a TLS1.2 capable server that they use, e.g. supporting the AES128-SHA256 GCM ciphers)

This has nothing to do with the SHA algo of the certificate. So even though they updated their certificate when renewing it to use SHA2, as is recommended but which may not be supported by particularly old browsers or operating systems, their actual encryption is restricted to a single, weak, soon-prohibited RC4 cipher.

Please see: https://www.ssllabs.com/ssltest/analyze ... ardins.com

mikele2015

Re: Why can't I connect to this desjardins.com site?

Unread post by mikele2015 » 2015-03-27, 13:02

You saw the bank guy answer... What can I do ?

Moonchild

Re: Why can't I connect to this desjardins.com site?

Unread post by Moonchild » 2015-03-27, 14:19

You can ask to talk to the manager. The bank guy obviously doesn't seem to have the required technical background to understand the problem is with the cipher and not with the certificate.
Feel free to forward them to this thread as well as the ssllabs report. Feel free to quote my analysis in my previous post to them (translated or not).

bonesz

Re: Why can't I connect to this desjardins.com site?

Unread post by bonesz » 2015-03-27, 21:02

Translated.
In response to receiving your email, we assume, as
content of your message, this is in line with SHA1 (an algorithm used
in SSL). The industry players have agreed to end its
use in 2017. Desjardins recently began migrating its
SHA2 systems.

The impact of this migration is that it is imperative to update your
Internet browsers to use their most recent version. Otherwise,
browsers could issue certificate error messages, or you
help login.

Note that Firefox, Chrome, Safari and Internet Explorer now support
new version of SHA.

Furthermore, it is possible that some browsers, even to date, do
always referring to a RC4_128 encryption with SHA1. However, if you
see the tab "Details" information about the certificate, you
should see SHA256 confirming that communication is SHA2.

Moonchild

Re: Why can't I connect to this desjardins.com site?

Unread post by Moonchild » 2015-03-27, 23:40

Thanks bonesz, but as already stated, the message from the bank is N/A for this problem. Pale Moon has no problem using SHA2 certificates.

Pale Moon using: https://www.ssllabs.com/ssltest/viewMyClient.html
Signature algorithms SHA256/RSA, SHA384/RSA, SHA1/RSA, SHA256/ECDSA, SHA384/ECDSA, SHA1/ECDSA, SHA256/DSA, SHA1/DSA

And yes it even supports SHA384.

mikele2015

Re: Why can't I connect to this desjardins.com site?

Unread post by mikele2015 » 2015-03-31, 14:27

Thanks. I did what you say and I'm waiting for the bank answer...

I saw this morning PAYPAL have same RC4 crap if I leave RC4 SHA selected on Palemoon commander... (but still can't connect to my bank)

Moonchild

Re: Why can't I connect to this desjardins.com site?

Unread post by Moonchild » 2015-03-31, 15:51

Paypal should use much stronger encryption when available. They may still include it for compatibility, but I'm pretty sure they will use AES when offered.

mikele2015

Re: Why can't I connect to this desjardins.com site?

Unread post by mikele2015 » 2015-03-31, 16:59

Yes, Paypal uses AES256, but you see, if I leave Palemoon commander SHA RC4 selected, Paypal uses the RC4 cipher by default... this is not normal...

Moonchild

Re: Why can't I connect to this desjardins.com site?

Unread post by Moonchild » 2015-03-31, 18:25

Let paypal know! They obviously have a totally wrong preferred cipher order on their servers.

mikele2015

Re: Why can't I connect to this desjardins.com site?

Unread post by mikele2015 » 2015-04-10, 14:25

Moonchild wrote: Let paypal know! They obviously have a totally wrong preferred cipher order on their servers.

Paypal has known since last week now, but does N O T H I N G ...
:thumbdown:

And the bank moron guy answer...(translated) :
This follows emails related RC4. A draft
major telecommunication is currently underway, which requires
several changes across multiple servers. Desjardins is currently
test mode to ensure the proper functioning of these changes and to ensure that
different browsers will respond well, allowing access to
our secure pages. These changes should be completed in the coming weeks.
Thank you for your vigilance.
Please accept our best regards

:thumbdown:

= :thumbdown: :thumbdown: :thumbdown:

Nova25

Re: Why can't I connect to this desjardins.com site?

Unread post by Nova25 » 2015-04-17, 20:57

Using : Palemoon 25.3.1 (x86)

For some strange reason, I get this message (below) when I try using their AccèsD services with *Palemoon*, but not with Firefox.
Considering this is a matter regarding a 'financial website'... this is seriously problematic for Palemoon, I must say.

Translation to English :
« Failed Secure Connection

An error has occurred during a accesd.desjardins.com connection. Unable to communicate securely with peer: no common encryption algorithm. (Error code: ssl_error_no_cypher_overlap)

The page you are trying to view can not be shown because the authenticity of the received data could not be verified.
Please contact the web site owners to inform them of this problem. You can also use the command in the help menu to report this broken site. »

trava90
Contributing developer
Posts: 1742
Joined: 2013-05-20, 18:19
Location: Somewhere in Sector 001

Re: Why can't I connect to this desjardins.com site?

Unread post by trava90 » 2015-04-17, 21:25

Please read the FAQ, specifically point 2.

Moonchild

Re: Why can't I connect to this desjardins.com site?

Unread post by Moonchild » 2015-05-04, 08:35

Looks like the site owners got around to fixing their security.

Locked
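
An added example, not part of the original thread, modelling three points discussed above: the certificate signature algorithm plays no part in cipher selection, a client with RC4 disabled has no overlap with an RC4-only server (the `ssl_error_no_cypher_overlap` case), and a server that ranks RC4 first selects it whenever the client still offers it. The suite lists, the `shop` server and all function names are constructed assumptions, not captured from any real site.

```python
import re

# Constructed inputs modelled on the thread, not captured from any real server.
WEAK_CIPHERS = {"RC4_128", "RC4_40", "DES_CBC", "3DES_EDE_CBC", "NULL"}
RC4 = "TLS_RSA_WITH_RC4_128_SHA"          # the only suite ssllabs listed for the bank
AES_CBC = "TLS_RSA_WITH_AES_256_CBC_SHA"
AES_GCM = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

def parse_suite(name):
    """Split a TLS 1.2-style suite name into key exchange, bulk cipher and MAC/PRF hash."""
    m = re.fullmatch(r"TLS_(.+)_WITH_(.+)_(SHA\d*|MD5)", name)
    if not m:
        raise ValueError(f"unrecognised suite name: {name}")
    kx, cipher, digest = m.groups()
    return {"kx": kx, "cipher": cipher, "hash": digest, "weak": cipher in WEAK_CIPHERS}

def negotiate(client_offer, server_suites, server_prefers=False):
    """Pick the suite a handshake would select, or None when nothing overlaps.

    With a server preference the server walks its own list; otherwise it
    honours the client's order.
    """
    first, second = ((server_suites, client_offer) if server_prefers
                     else (client_offer, server_suites))
    return next((s for s in first if s in second), None)

def describe(client_offer, server_suites, cert_sig_alg, server_prefers=False):
    """Report the outcome; cert_sig_alg is carried along but never consulted."""
    chosen = negotiate(client_offer, server_suites, server_prefers)
    if chosen is None:
        return {"connected": False, "error": "no common cipher suite",
                "cert_signature": cert_sig_alg}
    return {"connected": True, "suite": chosen, **parse_suite(chosen),
            "cert_signature": cert_sig_alg}

if __name__ == "__main__":
    bank = [RC4]                       # RC4-only server, SHA-256-signed certificate
    shop = [RC4, AES_CBC, AES_GCM]     # hypothetical server that ranks RC4 first
    rc4_on = [AES_GCM, AES_CBC, RC4]   # client with RC4 left enabled
    rc4_off = [AES_GCM, AES_CBC]       # client with RC4 unticked
    sig = "sha256WithRSAEncryption"    # what IE displays as SHA256RSA
    for label, args in [
        ("bank, RC4 on", (rc4_on, bank, sig)),
        ("bank, RC4 off", (rc4_off, bank, sig)),
        ("shop, RC4 on", (rc4_on, shop, sig, True)),
        ("shop, RC4 off", (rc4_off, shop, sig, True)),
    ]:
        print(label, "->", describe(*args))
```
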