Outdated encryption method - energyhelpline cashback - DANGER WILL ROBINSON !!

upallnight
Posts: 100 Forumite
in Energy
I am currently in the process of changing supplier and went for the above comparison service as Martin says it's the winner. However, when I went to sign up, my browser - Opera - came up with the following message:
This site is using an outdated encryption method currently classified as insecure. It cannot sufficiently protect sensitive data. Do you wish to continue?
Certificate name
https://www.energyhelpline.com
Fundraising Innovations Ltd
e-commerce, Terms of use at https://www.verisign.com/rpa (c)00
London
London, GB
Issuer
RSA Data Security, Inc.
Secure Server Certification Authority
US
Details
https://www.energyhelpline.com/energy/rg_signup_address.aspx?sid=3954324&tid1=107911&tid2=107894&ges=434.8529&ees=406.4368&pc=CF47%200ET&CID=45&regid=12&goto=appl&aid=107&uif=1342353
Connection : TLS v1.0 128 bit ARC4 (RSA/MD5)
Certificate version: 3
Serial number: 0x381F66A8BA5ABA8ABAD7CD97EF482492
Not valid before: Mar 8 00:00:00 2006 GMT
Not valid after: Mar 8 23:59:59 2007 GMT
Fingerprint : (MD5) BA E7 3D 89 0B 69 0C 35 95 52 8E 41 6B 58 3C 4C
Fingerprint : (SHA-1) 7D A0 89 6B 78 0E 47 71 69 5D 6A 80 84 FA C3 71 BE 50 7F B5
Public key algorithm : rsaEncryption
Public-Key (512 bit):
Modulus:
00: 77 1A 5E 7B DE 00 7F 78 3E 79 68 F6 37 EF AA CF
10: 46 D0 B5 08 6B 18 FF C0 B3 AF A2 D9 81 8C 53 6F
20: 8A 3B 6B 67 B4 BF E6 BC A5 22 E9 28 54 4B FA 2A
30: 8E EF C0 8D D3 00 F1 55 FB B5 4D ED 5B 97 EE CC
Exponent:
01 00 01
Signature algorithm : sha1WithRSAEncryption
Extensions:
X509v3 Basic Constraints: CA:FALSE
X509v3 Key Usage: Digital Signature, Key Encipherment
X509v3 CRL Distribution Points:
URI:http://crl.verisign.com/RSASecureServer.crl
X509v3 Certificate Policies:
Policy: 2.16.840.1.113733.1.7.23.3
CPS: https://www.verisign.com/rpa
X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication
Authority Information Access:
OCSP - URI:http://ocsp.verisign.com
Unknown extension object ID 1 3 6 1 5 5 7 1 12: 0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,!!..0%.#http://logo.verisign.com/vslogo.gif
So I didn't continue and went for the £12 with UK Power cashback instead - they both suggested the same supplier anyway. The above weak certificate is valid until next March ! Don't forget your personal details are going in there. I would be interested to know if any Internet Exploder users get a similar message ?
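Added example (not part of the original post): a small Python check that reads the security-relevant fields from a pasted certificate dump in the format shown above and lists the parameters that fall below a baseline. The thresholds, the weak-algorithm sets and the function name `audit` are assumptions chosen for illustration.

```python
import re

# Constructed sample: the security-relevant lines of the dump in the post above.
SAMPLE = """\
Connection : TLS v1.0 128 bit ARC4 (RSA/MD5)
Not valid before: Mar 8 00:00:00 2006 GMT
Not valid after: Mar 8 23:59:59 2007 GMT
Public key algorithm : rsaEncryption
Public-Key (512 bit):
Signature algorithm : sha1WithRSAEncryption
"""

# Assumed policy baseline (not from the thread); adjust to your own standard.
MIN_RSA_BITS = 2048
WEAK_CIPHERS = {"ARC4", "RC4", "RC2", "DES"}
WEAK_HASHES = {"MD2", "MD5", "SHA1"}
OLD_PROTOCOLS = {"SSL v2", "SSL v3", "TLS v1.0", "TLS v1.1"}

def audit(dump, min_rsa_bits=MIN_RSA_BITS):
    """Return (field, value, reason) findings for a pasted certificate dump."""
    findings = []
    # e.g. "Connection : TLS v1.0 128 bit ARC4 (RSA/MD5)"
    conn = re.search(
        r"Connection\s*:\s*((?:TLS|SSL) v[\d.]+)\s+(\d+) bit (\S+) \((\w+)/(\w+)\)",
        dump)
    if conn:
        proto, _bits, cipher, _kx, mac = conn.groups()
        if proto in OLD_PROTOCOLS:
            findings.append(("protocol", proto, "deprecated protocol version"))
        if cipher.upper() in WEAK_CIPHERS:
            findings.append(("cipher", cipher, "weak bulk cipher"))
        if mac.upper() in WEAK_HASHES:
            findings.append(("mac", mac, "legacy hash used for the record MAC"))
    key = re.search(r"Public-Key \((\d+) bit\)", dump)
    if key and int(key.group(1)) < min_rsa_bits:
        findings.append(("public_key", key.group(1) + " bit",
                         "RSA modulus below %d bits" % min_rsa_bits))
    # e.g. "sha1WithRSAEncryption" -> hash name before "With"
    sig = re.search(r"Signature algorithm\s*:\s*(\w+?)With", dump, re.I)
    if sig and sig.group(1).upper() in WEAK_HASHES:
        findings.append(("signature", sig.group(1), "weak certificate signature hash"))
    return findings

if __name__ == "__main__":
    for field, value, reason in audit(SAMPLE):
        print("%-10s %-10s %s" % (field, value, reason))
```

Note that the "128 bit" in the connection line is the symmetric cipher key size, while the "512 bit" figure is the size of the RSA public key in the certificate; the two are checked separately.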
Comments
As there has been no interest from MSE members on this topic I have emailed energyhelpline themselves to ask for their observations. Also Martin has it in his inbox as I write.
I'll ask again - has anyone else had warning messages on their browser? You don't have to sign up - the warning message should appear when you hit "APPLY".
upallnight wrote: Not valid before: Mar 8 00:00:00 2006 GMT
Not valid after: Mar 8 23:59:59 2007 GMT
Have you checked to see if your own PC's clock is correct? I used EnergyHelpline to switch yesterday and had no problems.
joshm wrote: Have you checked to see if your own PC's clock is correct? I used EnergyHelpline to switch yesterday and had no problems.
I fail to see what that would have to do with it. The times and dates shown are for the site certificate and are the limits for its validity. What browser are you using? My clock is correct however.
upallnight wrote: As there has been no interest from MSE members on this topic I have emailed energyhelpline themselves to ask for their observations. Also Martin has it in his inbox as I write.
I'll ask again - has anyone else had warning messages on their browser? You don't have to sign up - the warning message should appear when you hit "APPLY".
I venture to suggest that rather than no interest the majority of MSE members simply do not understand your post. For the 'technically challenged' including all of the data with strings of numbers hardly helped.
For what it is worth I have had no problems using Internet Explorer - although MSE readers might not even understand "Internet Exploder"
Switched via energyhelpline (via quidco) using Firefox. No security messages or problems. Try copying the error message into google!!
The Opera website says the following...
http://www.opera.com/support/search/supsearch.dml?index=7980 -
I accept the bit about the technically challenged but put the whole certificate in for the site experts to see. The first bit is important - "Currently classified as insecure". The post on the Opera site is worth reading as it explains it quite well. Interesting to see that two other browsers do not pick up on this important issue, I prefer to know and take my business elsewhere. There is no excuse for poor security for personal data.
-
upallnight wrote: I fail to see what that would have to do with it.
If that was meant as a question and not some high-handed dismissal, I can add the following: Having spent some of my time on this earth as a Java web application developer I have had experiences where certificate validity has been ok but when the certificate date is checked against the local machine's clock it shows as invalid. Strange but true, unless I was mistaken.
Your clock is ok though so I guess it's something different. Have a nice weekend!
Not a high handed dismissal but a genuine question. If you read the warning notice it does not say the certificate is invalid but it says that the site has very weak encryption. So as you can see I did not know what you were getting at. Meanwhile Martin has emailed energyline about the issue.
Happy weekend everyone.
Energyline have replied to me :
"Our IT team have investigated the issue and have found the following:
Our website uses an industry standard 512k bit encryption certificate
(from verisign), which ensures all customer data is encrypted to the
appropriate strength.
With the Opera browser, the message you have seen shows up whenever it
comes across a website using less than 1025k bit encryption.
Although most websites use 512k encryption, we will be moving to a 1024k
encryption soon.
Having said this, I can assure you that the encryption we currently use
does protect customer data and the website is safe to use. We have
conducted 100's of thousands of sales through our website and have not
experienced a security breach on customer data."
As may be, but the 512k standard is no longer good enough - most websites I visit have security at 1024k for such personal data. When they do upgrade I might be tempted to use their service.
BEGIN PGP SIGNED MESSAGE
Hash: RIPEMD160
As an opera user myself I can verify that the security measures that opera
tests are superior to IE and any of the other browsers. The OP was right to
query, and post the complete data. As I have only just found this thread,
there maybe others who have missed it too. Believe it or not there are
people who do understand what the poster is talking about.
Better safe than sorry.
BEGIN PGP SIGNATURE
Version: 6.5.8ckt http://www.ipgpp.com/
Comment: Leave those you have touched with a positive memory
Comment: KeyID: 0x55A0DE82
iQA/AwUBRGCk84pYuDdVoN6CEQOp5wCggoKiTy6JU9+7M+Yepr5rei5eW0gAoM7S
aIWdCeAz/XnKKDGd82u4Yawd
=jkau
END PGP SIGNATURE
P.S. Couldn't resist, but trying to make a point. There is no substitute for good security.