Aon Website Security Problem

savory

I have a feeling that this does not affect many people but for those that it does, I hope this is helpful. About 4 weeks ago I notified Aon that their website certificate is out of date on Google Chrome.

Google notified websites, sometime last fall, telling them that their website protocols need to change. While they missed the Google announcement (they were not the only one), 4 weeks later Aon still has not made the change!

Aon should not have missed the Google notice about the update. Aon's slowness (so far no correction) is ridiculous and makes me question their security level. If I had a choice, I would not use Aon as I have lost all confidence in their concern about website security. Unfortunately, they have a contract with my former company.

Here is information about certificates: https://www.us-cert.gov/ncas/tips/ST05-010

A bit of a rant but if you have control over your Aon account, I would find another provider.

If you see the red 'x' through the lock on the address website bar, you are risking your information if you log on.
 

If you see the red 'x' through the lock on the address website bar, you are risking your information if you log on.
Well, not exactly. Google has made a power play to get folks off of RC4, which is old and crusty, but not broken. It's not as if your data is in the clear. Check ssllabs.com if you ever wonder, but be prepared to need to do some googling if you're not well-versed in public key encryption standards.
 
@sengsational - As I understand this, (and I am guessing you understand it better) you are technically right. I am upset however with my financial institution since they have known since last fall that this change was coming. That is when Google made the announcement, or at least the one I found. If Aon did not want to comply, they should have told me to disregard the warning.

In the meantime, they promised to make the change. The same thing happened with Yodlee; I wrote to them as well and it took them 5 days to update their certificate. Aon is going on 4 weeks. It seems in this age of high security, a financial site and other sites with sensitive data should leave no room for doubt.
 
Unfortunately AON (Hewitt) is a giant in employee benefits. They provided the interface to my former megacorp's pensions, 401ks, etc. I still interface through them for my 2 small frozen pensions that I hope to start taking soon. I have no say on what provider (AON) my former megacorp uses.
 
Unfortunately AON (Hewitt) is a giant in employee benefits. They provided the interface to my former megacorp's pensions, 401ks, etc. I still interface through them for my 2 small frozen pensions that I hope to start taking soon. I have no say on what provider (AON) my former megacorp uses.

Ditto - we're in the same boat.
 
Ditto - we're in the same boat.
Even though you have no direct control, it might not hurt to make a post or two on social media, reporting their SSL Labs "grade"... I doubt they like to be viewed as behind the curve, and it's not THAT hard to get this stuff aligned.

Tue, 02 Jun 2015 13:26:54 UTC

1 204.152.238.55
leplb0020.portal.hewitt.com
Grade: C

2 204.152.234.55
leplb0020.portal.hewitt.com
Grade: C

1 204.152.238.22
lb31.resources.hewitt.com
Grade: C

2 204.152.234.22
lb31.resources.hewitt.com
Grade: C
 

I thought I previously reported in this thread that the site is now updated. But I do not see it so I might have done something wrong.

I think the social networking reporting is a good idea. It is one of the reasons I reported it here.
 