Opera

If the encryption method used by a site is outdated, the warning "The site is using an outdated encryption method" will appear. A site matching one or more of the following criteria will trigger the dialog:

1. The protocol SSL v2 is used
2. Encryption methods with 40 or 56 bit keys are used
3. Key exchanges are performed using RSA or Diffie-Hellman (DH) keys less than 900 bits long

What should I do when I get this dialog?

• Inform the Web site operator of the problem, and recommend that the servers be upgraded. Stress the point that users are getting security warnings when visiting their site.
• Although the actual threat level is probably very low, consider waiting for a server upgrade before submitting any sensitive data. If possible, use a corresponding service with a more updated server.

Why is SSL v2 not secure enough?

SSL v2 is a ten year old protocol with at least one major flaw in the protocol itself. It was replaced by SSL v3 in 1996, which makes any server that only supports SSL v2 at least nine years old. That age alone should raise questions about the security of the server in general.

SSL v3 was then replaced by TLS 1.0 in late 1998, and TLS 1.0 is about to be replaced by TLS 1.1, which is supported by Opera 8.0, but disabled in the default setup due to interoperability issues.

The only reason Opera supports SSL v2 is that there are still some important sites that use it. However, all major servers support at least TLS 1.0 today. Any site that uses SSL v2 should have its servers upgraded immediately.

Why are 40 and 56 bit encryption lengths not secure enough?

These encryption lengths are today completely obsolete. 40 bit (and later 56 bit) methods were encryption lengths sanctioned by the United States government in 1995 for use in non-financial communications between clients and servers where either or both were located outside the USA , using server or client software made in the USA. Encryption software was a tightly-controlled munitions export article under United States law. The fact that these keys were approved is an indication of their weak encryption level.

A 56 bit encryption key was broken in 24 hours in 1999. Today the time required is about 1 hour. Servers supporting only 40 and 56 bit encryption most likely predate 2000, since the United States ended the cryptography export restrictions at about that time. The age of such servers alone should be cause for alarm when used for services intended to be secure.

Again, Opera still supports these methods only because some important sites are, unfortunately, still using them. However, all major servers today support at least 128 bit symmetric encryption, some even support 256 bit keys

Why are RSA/Diffie-Hellman keys shorter than 900 bits not secure enough?

RSA/DH keys are used to protect the encryption keys for all transactions with the server. If these keys are broken,

• all communication that has been exchanged with the server from the time the key was created will be fully available
• an attacker will be able to modify the information exchanged between you and the server, and there is no way to detect such changes in the protocol

These keys are parts of the very foundation of the SSL and TLS protocols. Using a weak key weakens the entire system.

What constitutes a weak key?

Several years ago, a 512 bit RSA key was broken in 10-12 weeks (7-8 months computing by night on a few hundred workstations). Today the same job could probably be done in less than 4 weeks. This means that keys of this length are not adequate protection for any information that needs to be kept secure for more than a few weeks.

What is a strong key?

RSA Security recommends a minimum of 1024 bits, but only if your information is worthless by the year 2010, and 2048 bits if you want to keep it safe until year 2030, based on their extrapolation of current trends in computing power and methods.

Any site using weak RSA/DH keys (<1024 bits) should replace their key as soon as possible with at least one 2048 bit key, and get new certificates from their Certificate Authority for that key. There may be a valid reason for limiting the size to 1024 bit if you are targeting browsers on embedded platforms (like mobile phones), but phones are catching up fast on processing speed.

When sites use keys less than 1020 bits long, Opera will reduce its visible security level with one point.

"But the webmaster says they are using 128 bit encryption, which they say is very good, so 512 bits must be extremely good"?

While 128 bit symmetric encryption (like AES, 3DES, and RC4) is very good, 128 bit RSA keys are considered to be extremely weak.

RSA and Diffie-Hellman are time-consuming methods not well suited for encrypting large amounts of data. Diffie-Hellman as used in TLS cannot be used to encrypt data, only to agree on the encryption keys.

Methods known as "128 bit encryption" -- AES, 3DES, and RC4 -- are by comparison very fast and light methods, well-suited for encrypting large amounts of data.

Therefore, the RSA and Diffie-Hellman keys are used to transport the actual encryption keys used for the transaction. The 128 bit encryption methods are used for the actual data. The RSA and Diffie-Hellman keys will then tell the other side of the transaction how to decrypt the data.