Re: Draft Guideline on the Provision of Internet Financial Services
On Tue, Jun 2, 2015 at 2:00 PM, S Moonesamy <sm+mu_at_elandsys.com> wrote:
> Dear Sir/Madam,
>
> I read the "DRAFT Guideline on the Provision of Internet Financial Services
> by Financial Institutions". Page 8 of the document has the following text:
>
> "(i) Usage of SSL (Secured Socket Layer), which ensures server
> authentication and use of client side certificates issued
> by the institution itself using a Certificate Server."
>
> "(ii) The use of at least 128-bit SSL for securing browser to web
> server communications and, in addition, encryption of sensitive
> data like passwords in transit within the enterprise itself."
>
> Usage of SSL is not recommended due to security issues affecting the
> technology. The "use of at least 128-bit SSL ..." as described above does
> not, by itself, secure browser to web server communications when sending
> sensitive data.
>
Indeed. SSL is no longer regarded as a secure Transport Layer. I think
that there is a huge problem here.
It's not only about the key size; there are other security concerns
that need to be better addressed, in my opinion.
> Regards,
> S. Moonesamy
>
>
Received on Tue Jun 02 2015 - 11:15:55 PST
This archive was generated by hypermail 2.3.0: Tue Jun 02 2015 - 11:18:01 PST