
Cannot link to server. No common cryptoalgorithm

  • 9 replies
  • 6 have this problem
  • 35 views
  • Last reply by nessie38

Upgraded to Firefox v.33. Then unable to link to secure bank server. Got message "ssl_error_no_cypher_overlap". Can be reached with another browser.



All Replies (9)

Open https://www.ssllabs.com/ssltest/ and enter the URL of your bank site into the 'Domain name' field. Press 'Submit'. What cipher suites does your bank site offer?

128 on both

You must be kidding. You can post the URL of the test result for your bank site, or create screenshots of the result, and post those. https://support.mozilla.org/en-US/kb/how-do-i-create-screenshot-my-problem

Modified by christ1

Cipher Suites (sorted by strength; the server has no preference)

TLS_RSA_WITH_RC4_128_MD5 (0x4) 128
TLS_RSA_WITH_RC4_128_SHA (0x5) 128


SSL Report: storebrand.no (153.110.170.22)
Assessed on: Sat Oct 18 06:23:23 PDT 2014

Summary
Overall Rating: F
Certificate: 100
Protocol Support: 0
Key Exchange: 90
Cipher Strength: 80

  • This server is vulnerable to MITM attacks because it supports insecure renegotiation. Grade set to F.
  • This server uses SSL 3, with POODLE mitigated. Still, it's recommended that this protocol is disabled.
  • Certificate uses SHA1. When renewing, ensure you upgrade to SHA256.
  • The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
  • There is no support for secure renegotiation.
  • The server does not support Forward Secrecy with the reference browsers.


Protocols
TLS 1.2: No
TLS 1.1: No
TLS 1.0: No
SSL 3 (INSECURE): Yes
SSL 2: No

Cipher Suites (sorted by strength; the server has no preference)
TLS_RSA_WITH_RC4_128_MD5 (0x4) 128
TLS_RSA_WITH_RC4_128_SHA (0x5) 128

Handshake Simulation
Client | Protocol | Cipher suite | Forward Secrecy | Cipher
Android 2.3.7, No SNI (2) | SSL 3 | TLS_RSA_WITH_RC4_128_MD5 (0x4) | No FS | RC4 128
Android 4.0.4 | SSL 3 | TLS_RSA_WITH_RC4_128_SHA (0x5) | No FS | RC4 128
Android 4.1.1 | SSL 3 | TLS_RSA_WITH_RC4_128_SHA (0x5) | No FS | RC4 128
Android 4.2.2 | SSL 3 | TLS_RSA_WITH_RC4_128_SHA (0x5) | No FS | RC4 128
Android 4.3 | SSL 3 | TLS_RSA_WITH_RC4_128_SHA (0x5) | No FS | RC4 128
Android 4.4.2 | SSL 3 | TLS_RSA_WITH_RC4_128_SHA (0x5) | No FS | RC4 128
BingBot Dec 2013, No SNI (2) | SSL 3 | TLS_RSA_WITH_RC4_128_SHA (0x5) | No FS | RC4 128
BingPreview Jun 2014 | SSL 3 | TLS_RSA_WITH_RC4_128_SHA (0x5) | No FS | RC4 128
Chrome 37 / OS X (R) | SSL 3 | TLS_RSA_WITH_RC4_128_SHA (0x5) | No FS | RC4 128
Firefox 24.2.0 ESR / Win 7 | SSL 3 | TLS_RSA_WITH_RC4_128_SHA (0x5) | No FS | RC4 128
Firefox 32 / OS X (R) | SSL 3 | TLS_RSA_WITH_RC4_128_SHA (0x5) | No FS | RC4 128
Googlebot Jun 2014 | SSL 3 | TLS_RSA_WITH_RC4_128_SHA (0x5) | No FS | RC4 128
IE 6 / XP, No FS (1), No SNI (2) | SSL 3 | TLS_RSA_WITH_RC4_128_MD5 (0x4) | No FS | RC4 128
IE 7 / Vista | SSL 3 | TLS_RSA_WITH_RC4_128_SHA (0x5) | No FS | RC4 128
IE 8 / XP, No FS (1), No SNI (2) | SSL 3 | TLS_RSA_WITH_RC4_128_MD5 (0x4) | No FS | RC4 128
IE 8-10 / Win 7 (R) | SSL 3 | TLS_RSA_WITH_RC4_128_SHA (0x5) | No FS | RC4 128
IE 11 / Win 7 (R) | SSL 3 | TLS_RSA_WITH_RC4_128_SHA (0x5) | No FS | RC4 128
IE 11 / Win 8.1 (R) | Protocol or cipher suite mismatch | Fail (3)
IE Mobile 10 / Win Phone 8.0 | SSL 3 | TLS_RSA_WITH_RC4_128_SHA (0x5) | No FS | RC4 128
IE Mobile 11 / Win Phone 8.1 | Protocol or cipher suite mismatch | Fail (3)
Java 6u45, No SNI (2) | SSL 3 | TLS_RSA_WITH_RC4_128_MD5 (0x4) | No FS | RC4 128
Java 7u25 | SSL 3 | TLS_RSA_WITH_RC4_128_SHA (0x5) | No FS | RC4 128
Java 8b132 | SSL 3 | TLS_RSA_WITH_RC4_128_SHA (0x5) | No FS | RC4 128
OpenSSL 0.9.8y | SSL 3 | TLS_RSA_WITH_RC4_128_SHA (0x5) | No FS | RC4 128
OpenSSL 1.0.1h | SSL 3 | TLS_RSA_WITH_RC4_128_SHA (0x5) | No FS | RC4 128
Safari 5.1.9 / OS X 10.6.8 | SSL 3 | TLS_RSA_WITH_RC4_128_SHA (0x5) | No FS | RC4 128
Safari 6 / iOS 6.0.1 (R) | SSL 3 | TLS_RSA_WITH_RC4_128_SHA (0x5) | No FS | RC4 128
Safari 7 / iOS 7.1 (R) | SSL 3 | TLS_RSA_WITH_RC4_128_SHA (0x5) | No FS | RC4 128
Safari 8 / iOS 8.0 Beta (R) | SSL 3 | TLS_RSA_WITH_RC4_128_SHA (0x5) | No FS | RC4 128
Safari 6.0.4 / OS X 10.8.4 (R) | SSL 3 | TLS_RSA_WITH_RC4_128_SHA (0x5) | No FS | RC4 128
Safari 7 / OS X 10.9 (R) | SSL 3 | TLS_RSA_WITH_RC4_128_SHA (0x5) | No FS | RC4 128
Yahoo Slurp Jun 2014, No SNI (2) | SSL 3 | TLS_RSA_WITH_RC4_128_SHA (0x5) | No FS | RC4 128
YandexBot Sep 2014 | SSL 3 | TLS_RSA_WITH_RC4_128_SHA (0x5) | No FS | RC4 128

(1) Clients that do not support Forward Secrecy (FS) are excluded when determining support for it.
(2) No support for virtual SSL hosting (SNI). Connects to the default site if the server uses SNI.
(3) Only first connection attempt simulated. Browsers tend to retry with a lower protocol version.
(R) Denotes a reference browser or client, with which we expect better effective security.
(All) We use defaults, but some platforms do not use their best protocols and features (e.g., Java 6 & 7, older IE).

Protocol Details
Secure Renegotiation: Not supported (ACTION NEEDED)
Secure Client-Initiated Renegotiation: No
Insecure Client-Initiated Renegotiation: Supported (INSECURE)
BEAST attack: Mitigated server-side; SSL 3: 0x4
POODLE attack: No, mitigated; SSL 3: 0x4
Downgrade attack prevention: No, TLS_FALLBACK_SCSV not supported
TLS compression: No
RC4: Yes (not with TLS 1.1 and newer)
Heartbeat (extension): No
Heartbleed (vulnerability): No
OpenSSL CCS vuln. (CVE-2014-0224): No
Forward Secrecy: No (WEAK)
Next Protocol Negotiation: No
Session resumption (caching): Yes
Session resumption (tickets): No
OCSP stapling: No
Strict Transport Security (HSTS): No
Long handshake intolerance: No
TLS extension intolerance: No
TLS version intolerance: No
SSL 2 handshake compatibility: Yes

Miscellaneous
Test date: Sat Oct 18 06:22:21 PDT 2014
Test duration: 62.180 seconds
HTTP status code: 200
HTTP server signature: Lotus-Domino
Server hostname: edb-owned-address-153_110_170_22.hidden-host.edb.com
PCI compliant: No
FIPS-ready: No
SSL Report v1.10.36

Modified by cor-el

So for your bank site, grade F is pretty much the worst possible result. It does support SSLv3 only, with only older protocols, but not the current best TLS 1.2.

Nevertheless Firefox should be able to negotiate a secure session, because it would support at least one of the cipher suites the server offers.

You can verify what your Firefox supports here: https://www.ssllabs.com/ssltest/viewMyClient.html

Do you see any of these ciphersuites for your Firefox?
TLS_RSA_WITH_RC4_128_MD5 (0x4) 128
TLS_RSA_WITH_RC4_128_SHA (0x5) 128

Please post your results again.

Cipher Suites (in order of preference)

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) Forward Secrecy 256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) Forward Secrecy 256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) Forward Secrecy 128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) 256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) 128
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) Forward Secrecy 128
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023) Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) Forward Secrecy 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Forward Secrecy 128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) 256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024) Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) Forward Secrecy 256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Forward Secrecy 128
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x6a) Forward Secrecy* 256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x40) Forward Secrecy* 128
TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x38) Forward Secrecy* 256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x32) Forward Secrecy* 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x13) Forward Secrecy* 112

(*) Cannot be used for Forward Secrecy because they require DSS keys, which are effectively limited to 1024 bits.

Chosen Solution

Here we go. There is no overlap between the cipher suites your bank site and your Firefox do support. This is the reason why you get the error.

You have set security.tls.version.min: 1 in your Firefox preferences, which is good. This mitigates the POODLE attack, but it also prevents you from accessing your bank site. https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack

I wouldn't want to do my financial transactions via such a crappy and insecure site. If you're willing to take the risk you may try to temporarily set the pref security.tls.version.min to 0. http://kb.mozillazine.org/Security.tls.version.*

Alternatively try with another browser. Note that if another browser can access your bank site, it is insecure.
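
The two conditions discussed in the answer above (protocol version window and cipher-suite overlap), as a simplified model. This is an added example, not part of the original post and not Firefox's code: the server values come from the SSL Labs report and the client suite IDs from the list posted in this thread, while `negotiate`, `diagnose`, the failure strings, the added 0x5 variant and the assumed `security.tls.version.max` of 3 are illustrative assumptions.

```python
# Simplified model of TLS version and cipher-suite negotiation (illustrative).
SSL3, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)
NAMES = {SSL3: "SSL 3", TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2"}
# security.tls.version.min / .max values: 0 = SSL 3, 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2
PREF_TO_VERSION = {0: SSL3, 1: TLS10, 2: TLS11, 3: TLS12}

# Server side, from the SSL Labs report in this thread: SSL 3 only, two RC4 suites.
SERVER_VERSIONS = {SSL3}
SERVER_SUITES = {0x04: "TLS_RSA_WITH_RC4_128_MD5", 0x05: "TLS_RSA_WITH_RC4_128_SHA"}

# Client side: the suite IDs from the client list posted in this thread.
POSTED_CLIENT_SUITES = [
    0xC028, 0x9F, 0x9E, 0x9D, 0x9C, 0xC02B, 0xC023, 0xC027,
    0xC014, 0xC013, 0x3D, 0x3C, 0x35, 0x2F, 0xC02C, 0xC024,
    0xC00A, 0xC009, 0x6A, 0x40, 0x38, 0x32, 0x0A, 0x13,
]

def negotiate(pref_min, pref_max, client_suites):
    """Return ("ok", version, suite) or ("fail", reason) for one handshake attempt."""
    lowest, highest = PREF_TO_VERSION[pref_min], PREF_TO_VERSION[pref_max]
    # The server answers with the highest version it supports up to the client's
    # maximum; the client rejects anything below its configured minimum.
    usable = [v for v in SERVER_VERSIONS if v <= highest]
    if not usable or max(usable) < lowest:
        return ("fail", "no common protocol version")
    version = max(usable)
    # The report says the server has no preference, so the client's order decides.
    for suite in client_suites:
        if suite in SERVER_SUITES:
            return ("ok", NAMES[version], SERVER_SUITES[suite])
    return ("fail", "no common cipher suite")

def diagnose(max_pref=3):  # max_pref=3 (TLS 1.2) is an assumption, not from the thread
    with_rc4 = POSTED_CLIENT_SUITES + [0x05]  # constructed variant: posted list plus 0x5
    return {
        "min=1, posted list": negotiate(1, max_pref, POSTED_CLIENT_SUITES),
        "min=0, posted list": negotiate(0, max_pref, POSTED_CLIENT_SUITES),
        "min=1, list + 0x5": negotiate(1, max_pref, with_rc4),
        "min=0, list + 0x5": negotiate(0, max_pref, with_rc4),
    }

if __name__ == "__main__":
    for case, result in diagnose().items():
        print(f"{case:20} -> {result}")
```

In this model only the last case completes: the version window and the suite list must each intersect with what the server offers.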

Hi christ1, thank you for the quick and helpful response. I'm writing this again as I'm not sure if my last message went through.

You have been of great help. I'm eager to learn what the bank will do about this.

Best regards