How secure is that little green padlock in your web browser? You may be surprised.

I have my own domain which I use as a mail server, openvpn server and owncloud server. Using SSL Labs I increased my encrypted connection score from C to A+ with around 3-4 hours reading an adjusting. Using a Firefox add-on I was able to recheck my domain encryption connection and scored 9 out of 10. Remember this only took me 3-4 hours (I am not an IT expert) . We will be looking at banking institutions, cellphone companies, social media, search engines and a few others to see how they compare (bear in mind these companies employ IT experts).

Brief Overview
With any encrypted connection these is the risk of "a man in the middle attack" as you cannot guarantee who is on the other end. You will see a warning page in your browser warning you the encrypted page is not secure due to this. To overcome this Certificate Authorities validate that you are on the right domain eg Geotrust, Digicert, Thawte. The website owner has to purchase this in the form of a digital certificate which they upload onto their website/server in order for domain validation to work.

There is far more to encrypted connections than just a certificate. Firstly the platform used. SSL (Secure Socket Layer) which has been cracked and is now obsolete (there are still websites using SSLv2 and SSLv3). TLS (Transport Layer Security) is now used and ideally it should be TLSv1.2 (TLSv1.0 has been cracked and is now obsolete). Bear this in mind while viewing the images below.

There is also the cipher suite to consider for both signing and encryption. SHA1 has been cracked and is now obsolete. Hashed SHA1 (HMAC-SHA1) is reportedly weak. Bear this in mind while viewing the images below. Google is now giving a warning flag for SHA1 and from next year Chrome will not be able to access these sites.

Lastly there is 'perfect forward secrecy' (PFS) to consider. This relate to keys that are used. If the public and private keys used in specific communications are compromised it can reveal the data exchanged in that session as well as the data exchanged in previous sessions. PFS is the property that ensures that a session key derived from a set of long-term public and private keys will not be compromised if one of the (long-term) private keys is compromised in the future.

First is my own domain.



Now some search engines.







Yahoo is also 9 out of 10 with perfect forward secrecy.

Social Media is next

Now a few mobile (cellphone) companies.

Next is Banking Companies.

Lastly some random sites.







Amazon.com scored 9 so if you have no idea what Amazon AWS is you can disregard this.

I think EBay and Nationwide are the main to flag and Amazon AWS and Three should have a red flashing siren as they are still using TLSv1.0. Both these sites you enter your debit/credit card for services.

If you would like me to check a site please post. Alternatively you can download the SSLeuth add-on for Firefox.

It would be interesting and appreciated if anyone with experience of encryption could offer feedback.

Doesn't bother me that much as I have very little to steal.Look at backtrack Linux, you could pretty much intercept anything people are doing over wifi.

a reply to: CallYourBluff

I am using Fedora 23. I thought WPA2 and MAC address exclusion was pretty secure.

Hey would any of these work?





ETA: Just a small part of my collection.

They would be useful when immoral hackers are caught. Bind them in chains and attach one.

originally posted by: deliberator
a reply to: CallYourBluff

I am using Fedora 23. I thought WPA2 and MAC address exclusion was pretty secure.

Not at all.

Thanks for the video. Just a brute force software programme. I have over 50 characters in my password with upper/lower case, number and symbols. I doubt a laptop or IPad could crack it. You also have to factor that the WLAN has to be in range. Imagine sitting outside someone's house for weeks! I also have client isolation and DDOS protection enabled on my router. My neighbours are elderly, most of them do not know what WiFi is.

So you think an Ethernet connection is more secure. What about a local network travelling across the earth wiring in ac mains?

a reply to: CallYourBluff

that video is kinda deceiving... you're gonna need a bigger password list than that.... at least 50+ gbs

and even with that it can take weeks to months to crack a good wpa2 password

you're better off using reaver to brute force the wps pin.. that is ofc if it is enabled on the router

originally posted by: deliberator
Thanks for the video. Just a brute force software programme. I have over 50 characters in my password with upper/lower case, number and symbols. I doubt a laptop or IPad could crack it. You also have to factor that the WLAN has to be in range. Imagine sitting outside someone's house for weeks! I also have client isolation and DDOS protection enabled on my router. My neighbours are elderly, most of them do not know what WiFi is.

So you think an Ethernet connection is more secure. What about a local network travelling across the earth wiring in ac mains?

It is a brute force program, but given the distance (with the right device)wifi can be picked up and how cheap laptops are, you could set one away and have access to everyone's wifi in your street within days.Ethernet plus a VPN and TOR is the most secure way to access the internet. Depends on how paranoid you are.

originally posted by: phildunphy01
a reply to: CallYourBluff

that video is kinda deceiving... you're gonna need a bigger password list than that.... at least 50+ gbs

and even with that it can take weeks to months to crack a good wpa2 password

you're better off using reaver to brute force the wps pin.. that is ofc if it is enabled on the router

Yes, but how many people do you think actually change the router password or know how?

I think my OP shows that some companies have a "set and forget" attitude regarding server/website security which is completely wrong. The recent TalkTalk hack was due to a mysql injection attack. This could have been avoided with updated software and robust security systems.