(edited by Tiavor.4016)
SSL security on the website
SHA-1 is actually planned on being phased out by Microsoft, Google Chrome, and Mozilla before the end of 2017. Certainly a strange choice to continue using it in a new login/auth system with its end of life coming up relatively soon.
SHA-1 is definitely a lot weaker than its newer counterparts, but a huge portion of the internet is still using it despite having known weaknesses for a decade. There is little reason to continue using it, because better alternatives are widely supported.
The deprecation policies from MS, Google, and Mozilla should help to push that along. Especially with Chrome beginning to put warnings on sites that continue using weak, obsolete encryption methods.
Seer Of The Divine | Sarina Starlight | Tireasa | Caedyra
(edited by mrstealth.6701)
I noticed this the other day and I considered making a thread about it, but I’m glad to see that you already have. I, too, am concerned about this.
| [Free Ports For All “Not So Secret” JP Needs (and 1st Try Dive Tips)] |
| [Classic Thread: “all is vain”] |
Yeah, I also noticed that the ciphersuite I’m seeing is AES128-CBC, even with new versions of Firefox and Chrome; AES128-GCM would be preferable. Also, yes, as the OP mentioned, ECDHE key-exchange.
Ideally I’d like to see ECDHE-RSA-AES256-GCM-SHA384 or ECDHE-ECDSA-AES256-GCM-SHA384.
Baghaar Ironfang – Charr guardian | Maja Sigurdsdottir – Norn ranger
Tarnished Coast
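An added example (not part of any post in this thread): a Python sketch that expands an OpenSSL cipher string with the standard `ssl` module and flags the properties discussed above, namely missing ECDHE/DHE key exchange, CBC instead of an AEAD mode such as GCM, and a SHA-1 record MAC. It assumes the local OpenSSL build offers the two suites named in the last post; the `AES128-SHA` entry is a constructed sample, and the certificate's signature hash (the SHA-1 concern in the first post) is a separate check that this does not cover.

```python
import ssl

# The two suites the last post asks for, as an OpenSSL cipher string.
PREFERRED = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"

# Constructed sample in the shape SSLContext.get_ciphers() returns,
# standing in for the AES128-CBC suite reported in the thread.
SAMPLE_CBC = {
    "name": "AES128-SHA", "protocol": "TLSv1.2", "kea": "kx-rsa",
    "auth": "auth-rsa", "symmetric": "aes-128-cbc", "aead": False,
    "digest": "sha1",
}


def findings(suite):
    """Return the thread's concerns that apply to one cipher-suite dict."""
    out = []
    # TLS 1.3 suites always use ephemeral key exchange; OpenSSL reports
    # their key exchange as "kx-any", so they are exempt from this check.
    tls13 = suite.get("protocol") == "TLSv1.3"
    if not tls13 and suite.get("kea") not in ("kx-ecdhe", "kx-dhe"):
        out.append("no ephemeral key exchange (no forward secrecy)")
    if not suite.get("aead"):
        out.append("non-AEAD mode (%s)" % suite.get("symmetric"))
    if suite.get("digest") == "sha1":
        out.append("SHA-1 used for the record MAC")
    return out


def audit(cipher_string):
    """Expand a cipher string locally and map suite name -> findings."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return {s["name"]: findings(s) for s in ctx.get_ciphers()}


if __name__ == "__main__":
    for name, issues in audit(PREFERRED).items():
        print(name, "->", issues or "ok")
    print(SAMPLE_CBC["name"], "->", findings(SAMPLE_CBC))
```

To audit a server's actual configuration, pass the cipher string from its TLS settings to `audit()`; the result only reflects what the local OpenSSL build would enable for that string.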