New Chrome update shames sites with outdated security
In one of my previous posts, about how SSL implementation is poor across South African financial institutions, I raised the issue that most local banks do not implement security properly. As of yesterday, Google Chrome has launched enhancements highlighting the insecurity of such sites, and ABSA Internet Banking is one of the South African banks affected.
FWIW – In 2011 (yes, 2011) leading browser makers and CAs agreed that SHA1’s time had passed. In most cases, generating a new certificate signed by the perfectly acceptable replacement SHA2 is a minor matter, and costs nothing but time – perhaps something ABSA and other companies do not have at this point in time.
Update (1/6/2015 10:26): Absa’s response on Twitter demonstrates the ignorance about online security, especially considering that it is fairly easy to recycle weak security certificates.
If you want to read up on SHA1, Qualys has a detailed write-up about why Google announced in September 2014 that SHA1 is not secure any more.