Major credit reporting bureaus are seemingly inept at securing against avoidable vulnerabilities, as shown in Equifax’s infamous 2017 breach and later PIN debacle (Internet, Tor), TransUnion’s malvertising mishap, and I suppose now with Experian’s website.
Freezing credit report data is one of the simplest ways to prevent identity theft. However, when I went to freeze my data with Experian, I was greeted with the above warning thanks to Firefox.¹
An SSL server test² explains the cause for concern. Their web server uses a mode of encryption – Cipher Block Chaining (CBC) – which has been implemented in an insecure way, making users vulnerable to man-in-the-middle attacks. This vulnerability was first announced in 2014, which means Experian’s main website is six years out of date with secure encryption standards.
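The check below is an added example, not part of the original post: it offers only CBC cipher suites over TLS 1.2 to a server you run and reports which one, if any, the server accepts. The function names are hypothetical, and a successful negotiation shows only that CBC suites are enabled, not that the server's padding handling is flawed.

```python
import socket
import ssl

# Tokens marking AEAD, stream or null suites; every other suite is CBC-mode.
NON_CBC_TOKENS = ("GCM", "CCM", "CHACHA20", "RC4", "NULL")


def is_cbc_suite(name: str) -> bool:
    """True for CBC-mode suites. OpenSSL names such as AES128-SHA never
    contain 'CBC', so classify by the absence of a non-CBC token."""
    upper = name.upper()
    return not any(token in upper for token in NON_CBC_TOKENS)


def cbc_client_context() -> tuple[ssl.SSLContext, list[str]]:
    """Verifying client context, capped at TLS 1.2, offering only CBC suites."""
    ctx = ssl.create_default_context()
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 has no CBC suites
    ctx.set_ciphers("ALL:!aNULL:!eNULL")
    cbc = [c["name"] for c in ctx.get_ciphers() if is_cbc_suite(c["name"])]
    if cbc:
        ctx.set_ciphers(":".join(cbc))
    return ctx, cbc


def negotiated_cbc_suite(host: str, port: int = 443, timeout: float = 5.0):
    """Return the CBC suite the server accepts, or None if it refuses them all."""
    ctx, cbc = cbc_client_context()
    if not cbc:
        raise RuntimeError("local OpenSSL build offers no CBC suites")
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]
    except ssl.SSLCertVerificationError:
        raise  # certificate problem, unrelated to the cipher choice
    except ssl.SSLError:
        return None  # handshake refused: no shared TLS <= 1.2 CBC suite


if __name__ == "__main__":
    # Constructed sample of suite names, as a scanner report might list them.
    sample = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA384", "AES128-SHA"]
    print([s for s in sample if is_cbc_suite(s)])
```

A `None` result from `negotiated_cbc_suite` means the server would not complete a handshake restricted to CBC suites, which is the outcome a hardened configuration should produce.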
I guess I’ll call Experian in the morning to request my credit report freeze. This is plain embarrassing.
¹ I made a prior attempt with a different Firefox instance, where I saw a “Secure Connection Failed” error message. This was thanks to using the arkenfox user.js browser configuration.