Mauritius Revenue Authority eservices using weak cryptography

A friend and I were talking about the Mauritius Revenue Authority (MRA). During the chat I visited the MRA website and checked its electronic services. I was intrigued when my browser flagged a warning on the address bar. I was not expecting an SSL certificate issue on the MRA eservices website.

I am using Google Chrome version 43.0.2357.130 (64-bit) and the MRA eservices website is flagged as follows:

mra-eservices-ssl-warning

I verified the certificate details and Chrome says the connection is encrypted with obsolete cryptography.

mra-eservices-obsolete-crypto

The connection is made using TLS 1.0, a protocol considered as weak & flagged for known vulnerabilities. SHA-1 cryto algorithm is used for message authentication through the AES128-SHA cipher. It is the weakness of SHA-1 that triggered the warning on Chrome. There is a nice article about the warnings as shown on different iterations of the Chrome browser on the Google Online Security blog.

Other ciphers over TLS 1.0 accepted by the MRA eservices website are RC4-SHA, RC4-MD5 and DES-CBC3-SHA.

On 28 June 2015, Loganaden Velvindron, our local BSD developer and a security-conscious engineer mentioned about weak security on govmu.org.

On 27 April 2015, S. Moonesamy, consultant at Eland Systems, wrote about the SSL certificate of the state-owned National Commercial Bank Ltd.


Share this post