
El Reg assesses crypto of UK banks: Who gets to wear the dunce cap?

Steve 53

Not the best of articles.

Firstly, HSTS is not "a cryptographic technology"; it's HTTP header signalling used to tell the browser to only connect via HTTPS next time.

Barclays domain doesn't support Forward Secrecy, which they "absolutely should". "There is no reason not to"

Well, given CPU decrypt I would agree, but most banks will offload these to crypto cards (generally on an ADC, perhaps with a FIPS card / NetHSM, which makes PFS much less of a requirement in that the key is very well protected), and a good number of those don't support PFS ciphers. Not to mention, depending on architecture, lack of PFS may be very helpful for IDS-type devices.

"The most crucial thing the bank has missing is a HSTS policy which, for a secure website using HTTPS, is an absolute requirement."

Well, it's clearly not an absolute requirement, as the site works without it. Good practice, sure.

Not saying that the banks shouldn't up their game, but there may be perfectly good reasons not to support PFS.
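An added example, not code from the commenter or from The Register, that checks the two things the post and the article disagree about: whether a Strict-Transport-Security header will actually make a browser enforce HTTPS (parsed per RFC 6797, so a missing or malformed header, a duplicated directive, or max-age=0 all count as "no policy"), and whether a TLS cipher suite gives forward secrecy, which depends only on the key exchange (ephemeral ECDHE/DHE yes; static RSA or static ECDH no). The header values and cipher suite names at the bottom are constructed samples, not observations from any bank's server.

```python
"""HSTS policy parsing and cipher-suite forward-secrecy classification.

Added example with constructed sample data; runs offline.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 6797 s6.1: directives separated by ';', name optionally followed by
# "=" and a token or quoted-string. Directive-name characters are narrowed
# to alphanumerics and '-' here for simplicity (covers max-age,
# includeSubDomains and preload).
_DIRECTIVE_RE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(?:=\s*(?:"([^"]*)"|([^;\s"]*)))?\s*')


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: Optional[str]) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value.

    Returns None when the header is absent or a browser would ignore it:
    no max-age, a non-numeric max-age, or a directive that appears twice
    (RFC 6797 s6.1: the whole header is ignored in that case). Directive
    names are case-insensitive and unknown directives are ignored.
    """
    if header_value is None:
        return None
    seen = {}
    for part in header_value.split(';'):
        if not part.strip():
            continue  # an empty slot (e.g. a trailing ';') is allowed
        m = _DIRECTIVE_RE.fullmatch(part)
        if m is None:
            return None
        name = m.group(1).lower()
        value = m.group(2) if m.group(2) is not None else m.group(3)
        if name in seen:
            return None
        seen[name] = value
    max_age = seen.get('max-age')
    if max_age is None or not max_age.isdigit():
        return None
    return HstsPolicy(int(max_age), 'includesubdomains' in seen, 'preload' in seen)


def hsts_enforces_https(header_value: Optional[str]) -> bool:
    """True only if the header makes a browser upgrade future requests:
    a parseable policy with max-age > 0 (max-age=0 tells the browser to
    forget the host, so it is no better than sending nothing)."""
    policy = parse_hsts(header_value)
    return policy is not None and policy.max_age > 0


# OpenSSL-style name prefixes whose key exchange is ephemeral (EC)DH.
# Anonymous suites (ADH/AECDH) are deliberately not counted: ephemeral but
# unauthenticated, and never something a bank should offer.
_PFS_KX_PREFIXES = ('ECDHE-', 'DHE-', 'EDH-')
# TLS 1.3 suites name no key exchange because it is always ephemeral (EC)DHE.
_TLS13_SUITES = {'TLS_AES_128_GCM_SHA256', 'TLS_AES_256_GCM_SHA384',
                 'TLS_CHACHA20_POLY1305_SHA256', 'TLS_AES_128_CCM_SHA256',
                 'TLS_AES_128_CCM_8_SHA256'}


def has_forward_secrecy(suite: str) -> bool:
    """Classify an OpenSSL (ECDHE-RSA-AES128-GCM-SHA256) or IANA
    (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) cipher suite name."""
    s = suite.upper()
    if s in _TLS13_SUITES:
        return True
    if s.startswith('TLS_'):  # IANA form: TLS_<kx>_<auth>_WITH_<cipher>_<mac>
        kx = s[4:].split('_WITH_')[0]
        return kx.startswith(('ECDHE_', 'DHE_'))
    return s.startswith(_PFS_KX_PREFIXES)


def pfs_report(suites: List[str]) -> Tuple[List[str], List[str]]:
    """Split offered suites into (pfs, non_pfs). A passive decrypting tap
    holding the server's RSA private key (the IDS case the post raises)
    can only recover sessions negotiated with a suite from the second list."""
    pfs = [s for s in suites if has_forward_secrecy(s)]
    non_pfs = [s for s in suites if not has_forward_secrecy(s)]
    return pfs, non_pfs


# Constructed samples for demonstration; not taken from any real server.
SAMPLE_HEADERS = {
    'good': 'max-age=31536000; includeSubDomains; preload',
    'expired': 'max-age=0',
    'missing': None,
    'duplicate': 'max-age=300; max-age=600',
}
SAMPLE_SUITES = ['ECDHE-RSA-AES128-GCM-SHA256', 'AES256-SHA',
                 'DHE-RSA-AES256-SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA',
                 'TLS_AES_256_GCM_SHA384']

if __name__ == '__main__':
    for label, value in SAMPLE_HEADERS.items():
        print(f'{label:10} enforces HTTPS: {hsts_enforces_https(value)}')
    pfs, non_pfs = pfs_report(SAMPLE_SUITES)
    print('PFS suites:', pfs)
    print('Decryptable with the server RSA key alone:', non_pfs)
```

Against a live site the header value would come from the response to an HTTPS request (it is ignored over plain HTTP, per RFC 6797) and the suite list from the server's negotiated or advertised ciphers; the classification logic is the same.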
