Cahoot

Jon Ribbens jon+ukcrypto at unequivocal.co.uk
Wed May 6 19:42:37 BST 2015


On Wed, May 06, 2015 at 05:41:20PM +0100, Francis Davey wrote:
> My apologies if this is a stupid question, but someone might be able to
> give me some perspective.
> If I navigate to https://www.cahoot.com, Chrome seems less than happy.
> It complains about the cryptographic technology being obsolete and also
> that the site does not possess a public key certificate (if I am
> interpreting correctly).

It does have a public key certificate (otherwise there would be no
padlock icon at all); they are saying it doesn't use the extended
validation that some sites use to provide a verified organisation
name as well as just a verified site address.

> The icon it displays suggests a fairly qualified acceptance of the site.
> If I then click on the log in button I am sent to securebank.cahoot.com
> for which Chrome has other (but slightly different) complaints. Also: in
> the process a window very briefly appears and then vanishes again (which
> is always unsettling).
> Is it safe for me to go forward and enter my security details to access my
> account, or should I contact the bank and ask them to fix it (or rather to
> wait in their customer service queue to be told "no" after much
> incomprehension I suspect).
> Thoughts? I am keen not to have my bank account hacked.

The Chrome alert is because the certificate is using an SHA1 hash,
and as of fairly recently, Chrome has started to complain mildly about
this because it is considered weak, but it is not completely broken.

However, there appear to be various other things about the SSL
configuration for securebank.cahoot.com that give cause for concern.
It may be completely insecure if your connection can be intercepted:

  https://www.ssllabs.com/ssltest/analyze.html?d=securebank.cahoot.com

I would recommend not accessing the bank except via a trusted
network connection, i.e. your home broadband or suchlike, not
public wifi hotspots. You may wish to also contact them and see
what they say (they won't say anything of course except "we use
the latest encryption technologies to keep you safe").
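As an added example, not part of this thread or of any Cahoot code, here is a stdlib-only Python check for the SHA1 issue Jon describes: it pulls the signatureAlgorithm OID out of a DER-encoded certificate and flags SHA-1-based signatures. The `skeleton_cert` helper builds a constructed, non-real certificate purely so the check can be exercised offline.

```python
# Signature-algorithm OIDs (RFC 3279 / RFC 5758). The hash named here, not the
# key type, is what Chrome's "obsolete cryptography" warning is about.
WEAK = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
        "1.2.840.10045.4.1": "ecdsa-with-SHA1"}
STRONG = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
          "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}

def read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos] -> (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """DER OID content -> dotted string (first byte = 40*a+b, then base-128 arcs)."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_oid(der_cert):
    """OID in Certificate.signatureAlgorithm, 2nd element of the outer SEQUENCE (RFC 5280 4.1)."""
    tag, cert, _ = read_tlv(der_cert, 0)
    if tag != 0x30: raise ValueError("not a SEQUENCE")
    _, _, pos = read_tlv(cert, 0)          # skip tbsCertificate
    _, alg, _ = read_tlv(cert, pos)        # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x06: raise ValueError("expected OID")
    return decode_oid(oid)

def classify(der_cert):
    """('weak' | 'ok', algorithm name or raw OID) for a DER-encoded certificate."""
    oid = signature_oid(der_cert)
    return ("weak", WEAK[oid]) if oid in WEAK else ("ok", STRONG.get(oid, oid))

# Constructed input for the demo: a skeletal Certificate with the right outer
# shape but dummy contents. It is NOT a real or valid certificate.
def tlv(tag, content):
    """Short-form DER length only; fine for the skeleton (content < 128 bytes)."""
    return bytes([tag, len(content)]) + content

def skeleton_cert(sig_oid_bytes):
    tbs = tlv(0x30, tlv(0x02, b"\x02"))                      # stand-in tbsCertificate
    alg = tlv(0x30, tlv(0x06, sig_oid_bytes) + b"\x05\x00")  # OID + NULL params
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00\xab"))     # stand-in signature BIT STRING
```

To run it against a real certificate saved from the browser, pass `ssl.PEM_cert_to_DER_cert(open("cert.pem").read())` to `classify`; a "weak" result on the leaf or any intermediate is what triggers the Chrome warning Jon mentions.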
