The Bankwatch

Tracking the consumer evolution of financial services

EDIT: This post is corrected – please review comments:- Your email is now orders of magnitude more secure than your online banking–is that right?

This is not new because Google was already using 1024 bit security, but with this upgrade to 2048 bit, it is time for banks to at least re-visit their security level and offer expert commentary. Most banks are using 128 bit (RBC for example), with some banks having already gone to 256 bit (Peoples Trust, Standard Chartered, Members Advantage Credit Union).

Google is doing this out of concern that the American Government, through the NSA, is able to decrypt what we have assumed is secure data transmission.

When the internet started, email and browsing activity were unencrypted and online banking was secure. Now the situation is reversed. Surely we should be looking at financial services access with at least as much rigour as email?

Out with the old: Stronger certificates with Google Internet Authority G2 | Google Security blog

We take the security and privacy of our users very seriously and, as we noted in May, Google has been working to upgrade all its SSL certificates to 2048-bit RSA or better by the end of 2013. Coming in ahead of schedule, we have completed this process, which will allow the industry to start removing trust from weaker, 1024-bit keys next year.

Written by Colin Henderson

November 19, 2013 at 12:23


4 Responses


  1. I’m sorry but this post is incorrect. You are confusing the public key length of the certificate with the key length used by the cipher suite. All of the sites you mention have 2048 bit public keys on their certificates and use either 128 or 256 bit encryption. Google is replacing older 1024 bit certificates with 2048 ones. They were behind the times in that respect, but they still use 128 or 256 bit encryption like everyone else. Just go to the sites, click the little lock in the address bar and look at what it tells you. The one thing many financials don’t do is use Forward Secrecy, which the Google post mentions. Forward Secrecy has only just started to gain popularity after the NSA information came out so not all financials have implemented yet.

    powdernine@gmail.com

    November 19, 2013 at 14:50

    • Thanks for the insight powdernine! Always considered myself relatively technical but when it comes to encryption I’m weak. Additional thanks for sharing a method to determine the level of encryption for a given SSL session. I just clicked on my Royal Bank online session and got the details (128 bit).

      Patrick Lannigan

      November 19, 2013 at 15:18

    • Thank you for clarifying something I suspected but didn’t understand and couldn’t locate a proper answer. Your explanation is very clear and thank you for that.

      Colin Henderson

      November 22, 2013 at 01:14

  2. […] stand corrected.  My post on the Google upgrade to their browser security was incomplete and the title was wrong.  I […]
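The distinction drawn in the first comment, as an added example that is not part of the original post or its comments: the certificate's public key size and the cipher suite's symmetric key size are separate numbers, and forward secrecy depends on the key exchange named in the suite. The function names, the sample sessions and the RSA strength table (approximate comparable strengths from NIST SP 800-57 Part 1) are assumptions of this example.

```python
import socket
import ssl

# Approximate comparable strengths for RSA moduli (NIST SP 800-57 Part 1).
RSA_STRENGTH = {1024: 80, 2048: 112, 3072: 128}

def classify_suite(name, secret_bits):
    """Describe a negotiated suite from its OpenSSL name and symmetric bits."""
    # TLS 1.3 suites (TLS_*) always use ephemeral (EC)DHE key exchange;
    # in TLS 1.2 the key exchange is the ECDHE-/DHE- prefix of the name.
    forward_secret = name.startswith(("TLS_", "ECDHE-", "DHE-"))
    return {"suite": name, "symmetric_bits": secret_bits,
            "forward_secret": forward_secret}

def summarize(cert_rsa_bits, suite_name, secret_bits):
    """Combine the two independent numbers the comment distinguishes."""
    report = classify_suite(suite_name, secret_bits)
    report["cert_rsa_bits"] = cert_rsa_bits
    # None means the size is not in the small table above.
    report["cert_strength_bits"] = RSA_STRENGTH.get(cert_rsa_bits)
    return report

def negotiated_suite(host, port=443):
    """Live check: classify the suite this client negotiates with host."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _protocol, bits = tls.cipher()
            return classify_suite(name, bits)

# Constructed sample sessions (not measurements of any real site):
# (certificate RSA bits, negotiated suite name, symmetric key bits)
SAMPLES = [
    (1024, "AES128-SHA", 128),
    (2048, "AES128-SHA", 128),
    (2048, "ECDHE-RSA-AES256-GCM-SHA384", 256),
]

if __name__ == "__main__":
    for cert_bits, suite, bits in SAMPLES:
        print(summarize(cert_bits, suite, bits))
```

The second and third samples share the same 2048-bit certificate but differ in both symmetric key size and forward secrecy, which is why a certificate upgrade alone says nothing about the session cipher.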

