We often have to pay with a credit or debit card on e-commerce portals, and we should verify that the site is PCI compliant before we do. But how would a normal user know? There are cases where we fall into the trap easily. We need to be more careful, understand the complexity, and protect our hard-earned money.
I was trying to pay on a portal where I got this screen, and I wanted to be sure.
So I checked its SSL configuration at https://www.ssllabs.com/ssltest/ and got the output below.
This seems fine to me, but a few areas need a little attention.
What worried me here is that they are using SHA-1, which is no longer recommended. Here are a few points about SHA-1:
- SHA-1 has been known to be breakable for almost 10 years: a collision attack was published in 2005, see https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html
- Bruce Schneier discussed SHA-1's insecurity on his blog and suggested moving to SHA-2/SHA-3: https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html. I wanted to share his recommendation.
- Notably, Microsoft is also retiring SHA-1; see Microsoft Security Advisory 2880823, published back in 2013.
- Google, too, is moving away from SHA-1; see their blog post at http://googleonlinesecurity.blogspot.co.uk/2014/09/gradually-sunsetting-sha-1.html
SHA-1 is not a major concern today, but it eventually will be. Where it appears matters: the collision attacks threaten SHA-1 used as a certificate signature hash, whereas SHA-1 used as an HMAC inside a cipher suite (for example AES128-SHA) is not affected by collision attacks.
According to the test site's rating guide, https://www.ssllabs.com/projects/rating-guide/index.html, this seems manageable.
Now I wanted to check their certificate too.
The good news is that the certificate is signed with SHA-256.
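As an added example (my own code, not part of the original post and not the SSL Labs tool), here is a Python 3 script that automates the two checks above: it reads the signatureAlgorithm OID out of a DER-encoded certificate to tell SHA-1 signatures from SHA-256 ones, and, when given a hostname, also reports the cipher suite actually negotiated so you can spot a SHA-1 HMAC. It uses only the standard library. The `fake_certificate` helper builds a constructed, unsigned stand-in for a certificate so the parser can be exercised offline; `check_site` is the live version and assumes network access.

```python
"""Report the hash used in a certificate's signature and the negotiated
cipher suite. Added example; only the Python standard library is used."""
import socket
import ssl
import sys

# OID -> algorithm name for the signature algorithms commonly seen in the wild.
SIG_OIDS = {
    "1.2.840.113549.1.1.5":  "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1":     "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2":   "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3":   "ecdsa-with-SHA384",
}


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: next n bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode the contents of a DER OBJECT IDENTIFIER into dotted form."""
    first = raw[0]
    parts = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in raw[1:]:                       # base-128, high bit = continue
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(str(p) for p in parts)


def signature_algorithm(der):
    """Return the dotted OID of the certificate's outer signatureAlgorithm.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }"""
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, start)   # skip over tbsCertificate
    tag, alg_start, _ = _read_tlv(der, tbs_end)
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(der[oid_start:oid_end])


def describe(der):
    """Return (oid, name, uses_sha1) for a DER certificate."""
    oid = signature_algorithm(der)
    name = SIG_OIDS.get(oid, "unknown (" + oid + ")")
    return oid, name, "SHA1" in name.upper()


def check_site(host, port=443):
    """Live check: negotiated cipher suite and leaf certificate signature hash.
    Assumes network access; the default context also validates the chain."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return tls.cipher(), describe(der)


# --- constructed test data so the parser can be exercised offline ---------
def _der(tag, content):
    """Minimal DER TLV encoder (short- and long-form lengths)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [parts[0] * 40 + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def fake_certificate(sig_oid):
    """Constructed, unsigned stand-in for a certificate: the tbsCertificate is a
    placeholder large enough to exercise long-form lengths; only the outer
    signatureAlgorithm field is meaningful."""
    tbs = _der(0x30, _der(0x04, b"\x00" * 200))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # NULL params
    sig = _der(0x03, b"\x00" + b"\xAA" * 64)
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_site(sys.argv[1]))
    else:
        for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
            print(describe(fake_certificate(oid)))
```

Run it with a hostname (`python3 certcheck.py example.com`) to see the negotiated suite, e.g. a name ending in `-SHA` means HMAC-SHA1 for that connection, alongside the leaf certificate's signature algorithm. Note that the client only reports the one suite it negotiated, so it does not replace a full SSL Labs scan of every suite the server offers.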
As an end user you need to keep your money safe. A TLS scan only tells you how the connection is protected in transit, not how the merchant handles your card data afterwards, and there is a long list of sites that have been compromised. You should check https://haveibeenpwned.com/PwnedWebsites
Be safe and play safe.