The Bankwatch

Tracking the consumer evolution of financial services

More on security, encryption and public key certificates

I stand corrected. My post on the Google upgrade to their browser security was incomplete and the title was wrong. I appreciate the clearly written comment from @powdernine, who clearly answered a question I had, and that answer frames the difference between the # bits in the public key certificate and the # bits used in the encryption.

Bottom line: Google now uses 128 bit encryption for Gmail, for example, and that is similar to most online banking, with only a few banks going to 256 bit encryption.

Here is @powdernine's comment.

EDIT: This post is corrected – please review the comments: Your email is now orders of magnitude more secure than your online banking – is that right?

I’m sorry but this post is incorrect. You are confusing the public key length of the certificate with the key length used by the cipher suite. All of the sites you mention have 2048 bit public keys on their certificates and use either 128 or 256 bit encryption. Google is replacing older 1024 bit certificates with 2048 bit ones. They were behind the times in that respect, but they still use 128 or 256 bit encryption like everyone else. Just go to the sites, click the little lock in the address bar and look at what it tells you. The one thing many financials don’t do is use Forward Secrecy, which the Google post mentions. Forward Secrecy has only just started to gain popularity after the NSA information came out, so not all financials have implemented it yet.

I did a bit more research and self-education. RBC uses an RSA public key with 2048 bits and encrypts at 128 bits. So we are clear on that now. Email is not more secure, at least in terms of encryption. They are equal there.


However, @powdernine notes the other point in the Google post regarding ‘forward secrecy’, which banks have not yet enabled. In fact, by coincidence, Twitter also enabled forward secrecy today. Essentially this means, as Twitter explains:

If an adversary is currently recording all Twitter users’ encrypted traffic, and they later crack or steal Twitter’s private keys, they should not be able to use those keys to decrypt the recorded traffic.

Encryption and security are a fascinating area, and I am glad I have learned a bit more today.

Written by Colin Henderson

November 22, 2013 at 21:08

Posted in Uncategorized
