I was trying to login to my bank today, having done some small tweaks to Firefox. It turns out that the logon page is using tls_ecdhe_rsa_with_aes_128_gcm_sha256 (receives an A from ssllabs.com), but the page I am then redirected to uses tls_rsa_with_3des_ede_cbc_sha (receives C from ssllabs.com).
The setting in Firefox that caused the issue was security.ssl3.rsa_des_ede3_sha - setting it to False causes "Secure Connection Failed"
"The connection to banking3.anz.com was interrupted while the page was loading. The page you are trying to view cannot be shown because the authenticity of the received data could not be verified."
Obviously this is a deprecated 112 bit cipher, and in theory shouldn't be used, but I was wondering, what is the real danger. Are there any known attacks for this cipher, and if so, are they really a risk in terms of banking? As the error implies the problem is my authentication of the remote server, after I have logged on using an acceptable page, is it reasonable to trust this process? I would imagine the real risk is in compromise of the initial redirection, which could only happen server-side (in which case, my cipher selection is not the relevant factor in compromise!) based on it being done through TLS.
Edited by The_Rubb, 26 January 2017 - 08:47 PM.