Re: 128-bit security not recognized by a website
From: Steven L Umbach (sumbach@ameritech.net)
Date: 03/07/03
- Previous message: Tom Lowden: "Setting length of Password change reminder in a domain"
- In reply to: Raye Schwartz: "128-bit security not recognized by a website"
From: "Steven L Umbach" <sumbach@ameritech.net> Date: Fri, 07 Mar 2003 17:53:29 GMT
Hi Raye. I agree with you. Something strange is going on there. I use high encryption at dozens of sites with no problem. The usual issue that I am aware of there being a problem with encryption is when using IPsec/L2TP through NAT because of AH, but secure websites use SSL.

My understanding of the SSL handshake is that when using HTTPS over port 443 a client sends a connect message to the HTTPS server with details of SSL/TLS versions and encryption key strength that it can use for the session. If the encryption key strength is not sufficient for the HTTPS server then it sends a message back to the client saying such and refuses the session. If everything is a go then the HTTPS server sends its certificate to the client to initiate the secure session.

You might want to email them and ask them what the heck is going on - maybe they have been hijacked?? The "in the event the computer is behind a router or firewall" statement is ludicrous - all internet computers are behind a router or else they would not be able to access the internet.

--- Steve
"Raye Schwartz" <raye.schwartz@worldnet.att.net> wrote in message news:TXT9a.4045$Oz1.318789@bgtnsc05-news.ops.worldnet.att.net...
Hello,
This is most puzzling. I am running Win2K, SP3, and IE6, SP1, all with the latest security patches. IE6 is 128-bit cipher strength...says so in the help, about window. However, when I try to access a site run by my prescription drug plan, at login, I get the following message:
"Your Web browser does not use 128-bit encryption. While a 128-bit Web browser is not required to enter our site, we recommend its use in keeping your information as secure as possible." ............
..................When members log on to our web site, a scan for encryption is conducted. If the scan results identify that 128-bit encryption is not being used, then a warning message is returned to the user. In the event that the user's computer is behind a router or a firewall, the scan will not be able to identify encryption even if it is present. As a result a warning message is sent to the user. Based on the information that you have provided, it is quite possible that this is the situation that you experienced.
I can't believe that 128-bit encryption doesn't work on networks, or behind firewalls and routers. My computer is on a wireless network, and the only "firewall" is the router which uses NAT...there is no stateful inspection, and no ports have been designated open or closed.
As a matter of fact, it worked with IE 5.x with 128-bit encryption, it works on most other websites I visit now using IE 6, including a secure area of my brokerage account, and I never had a problem before. However, the website I mentioned above is new to me. My inclination is that it's something going on at their end...but I could be wrong. I also believe that 128-bit encryption is independent of routers...unless they are configured incorrectly, or else no corporate intranets would work, so I am suspicious of the above warning message.
So my question is whether there's something else I need to do at my end, is this a problem with IE6 (although I couldn't find anything in the MS knowledge base), or are their website tech support people blowing smoke?
Thanks,
Raye Schwartz
raye.schwartz@worldnet.att.net
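
The negotiation described in the reply above, as an added example that is not part of the original thread: a server reads the offered cipher suites from the client's ClientHello and accepts or refuses on key strength. That message travels in the TCP payload, which NAT does not rewrite. The function names, the constructed sample ClientHello and the "first acceptable suite in client order" policy are assumptions for illustration.

```python
import struct

# Secret-key sizes in bits for a few 2003-era suites (IDs from the IANA TLS registry).
SUITES = {
    0x0003: ("TLS_RSA_EXPORT_WITH_RC4_40_MD5", 40),
    0x0009: ("TLS_RSA_WITH_DES_CBC_SHA", 56),
    0x0004: ("TLS_RSA_WITH_RC4_128_MD5", 128),
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", 128),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", 128),
}

def build_client_hello(suite_ids, version=(3, 1)):
    """Construct a sample ClientHello record (constructed input, not a capture)."""
    suites = b"".join(struct.pack("!H", s) for s in suite_ids)
    body = bytes(version) + bytes(32)          # client_version + random (zeros here)
    body += b"\x00"                            # empty session_id
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                        # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Return (client_version, [cipher suite ids]) from a single-record ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake ClientHello")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[9:5 + rec_len]               # skip record (5) + handshake (4) headers
    if len(body) < 37:
        raise ValueError("truncated ClientHello")
    version = (body[0], body[1])
    pos = 34 + 1 + body[34]                    # skip version, random, session_id
    n = int.from_bytes(body[pos:pos + 2], "big")
    raw = body[pos + 2:pos + 2 + n]
    if len(raw) != n or n % 2:
        raise ValueError("bad cipher_suites length")
    return version, [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, n, 2)]

def server_select(record, min_bits=128):
    """Pick the first offered suite meeting min_bits; None means refuse the session."""
    _, offered = parse_client_hello(record)
    for sid in offered:
        name, bits = SUITES.get(sid, (None, 0))  # unknown suites count as 0 bits
        if bits >= min_bits:
            return name, bits
    return None

if __name__ == "__main__":
    print(server_select(build_client_hello([0x0003, 0x0005, 0x0004])))
    print(server_select(build_client_hello([0x0003, 0x0009])))
```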