I logged on to http://www.hdfclife.com/ using Google Chrome and got the following error message when I tried to click on a link for making a transaction:
Diffie-Hellman is a cryptographic technique (a cipher security method for authentication). It works like the RSA algorithm and uses public-private keys to exchange information securely between two parties. To describe it rather vaguely: first, the information that needs to be exchanged is encrypted and assigned two secret keys, a public key and a private key. This encrypted information can be decrypted only if you have both keys. Someone might get hold of the public key, as it is available publicly during transactions. However, this information is useless, as the private key is required to decrypt the data. BOTH private keys are needed to exchange information. A simple example is the several banking websites that offer customers a device to generate their own private keys, which the customer then uses to log in to the banking website. The security methods vary, and keys are often used in combination with passwords, tokens, or other authentication means.
Anyhow, the point of this post is not to delve into cryptographic keys. You can get information on cryptography and keys on the world wide web.
I want to talk about this particular error message.
The Diffie-Hellman technique can be implemented in three different ways:
- Anonymous key exchange (keys are exchanged without authentication; this is a weak method)
- Fixed key exchange (known keys are exchanged; this is reasonably secure)
- Ephemeral key exchange (the keys are temporary and created during the transaction; this is a strong method)
Ephemeral = Temporary
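To make the third variant concrete, here is an added example (not code from the original post) of an ephemeral Diffie-Hellman exchange in pure Python, together with the kind of client-side check that produces a "weak ephemeral Diffie-Hellman public key" rejection: each side draws a fresh secret for the session, derives the same shared key, and the client refuses to proceed when the server's group is smaller than its policy minimum. The group is generated at toy size for the demonstration; the `min_bits` threshold, the `WeakDHParameters` exception and the helper names are assumptions of this example, not values taken from Chrome or from the page.

```python
"""Ephemeral (DHE) key exchange with a client-side parameter check.
Added example; not part of the original post.  The toy group size and
the policy threshold are assumptions of this example."""
import hashlib
import secrets


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.4e14."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17)
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_safe_prime_group(bits: int) -> tuple[int, int]:
    """Return (p, g) with p = 2q + 1, q prime, and g generating the order-q
    subgroup.  Toy sizes only: real servers use standard named groups."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1  # odd, exact width
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            break
    g = pow(2, 2, p)  # a quadratic residue != 1 has order exactly q
    return p, g


class WeakDHParameters(Exception):
    """Raised when the client rejects the server's ephemeral DH parameters."""


def check_server_params(p: int, server_pub: int, min_bits: int) -> None:
    """Client policy: refuse undersized groups and degenerate public values
    (0, 1, p-1) that would force a trivial shared secret."""
    if p.bit_length() < min_bits:
        raise WeakDHParameters(
            f"server DH group is {p.bit_length()} bits, policy requires >= {min_bits}")
    if not 2 <= server_pub <= p - 2:
        raise WeakDHParameters("server public value out of range")
    q = (p - 1) // 2
    if pow(server_pub, q, p) != 1:
        raise WeakDHParameters("server public value not in the prime-order subgroup")


class Party:
    """One side of the exchange; the secret is fresh per session (ephemeral)."""

    def __init__(self, p: int, g: int):
        self.p, self.g = p, g
        q = (p - 1) // 2
        self.secret = secrets.randbelow(q - 1) + 1  # in [1, q-1], never 0 mod q
        self.public = pow(g, self.secret, p)

    def shared_key(self, peer_public: int) -> bytes:
        z = pow(peer_public, self.secret, self.p)
        nbytes = (self.p.bit_length() + 7) // 8
        return hashlib.sha256(z.to_bytes(nbytes, "big")).digest()


def dhe_handshake(group: tuple[int, int], min_bits: int) -> tuple[bytes, bytes]:
    """Server offers (p, g, public); client checks policy, then both derive keys.
    Returns (client_key, server_key); they must match on success."""
    p, g = group
    server = Party(p, g)
    check_server_params(p, server.public, min_bits)  # the "weak DH key" gate
    client = Party(p, g)
    return client.shared_key(server.public), server.shared_key(client.public)


if __name__ == "__main__":
    grp = make_safe_prime_group(40)
    ck, sk = dhe_handshake(grp, min_bits=40)
    print("keys match:", ck == sk)
    try:
        dhe_handshake(grp, min_bits=2048)
    except WeakDHParameters as e:
        print("rejected:", e)
```

Running it shows the two outcomes the post is about: with a group that meets the client's minimum the two derived keys agree, and with a stricter minimum the same server parameters are refused before any key is derived. Because the secrets are drawn per session, two successful handshakes against the same group produce different keys, which is what "ephemeral" buys.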
Ephemeral is a word often used in literature but avoided in technical and user documents. Although it is used in the textual description as “ephemeral Diffie-Hellman public key”, this error message should have been rephrased, to something like “Connection on this website is not secure.”
Then the next sentence has the phrase “disastrous misconfiguration”. This is really scary! It could have read as “This is a problem with the server on the website you tried to log into.”
Next comes the marketing slant: “Chrome won’t use…”
Which user likes to see such unfriendly error messages? The same website however worked when I used Internet Explorer!