Tested using SSL Labs on 20/01/2015. Updated version 01/02/2015 here and 15/02/2015 here.
Only the weak points are listed. Once there is one SHA1-signed certificate in the chain, I report the whole chain as weak.
Check SSL Labs for a full report, including what they actually did well (if anything).
Grade A
- Rabobank (A+): no known issues. Support for HTTP Strict Transport Security and prevented downgrade attacks.
- Triodos (A): no downgrade attack prevention.
- Belfius (A-): weak signature (SHA1), no Forward Secrecy.
Grade B
- AXA: weak signature (SHA1), SSL3 (insecure), RC4 (insecure), no Forward Secrecy.
- beobank: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy.
- KBC: weak signature (SHA1), no TLS 1.2, no Forward Secrecy.
- Keytrade Bank: weak signature (SHA1), RC4 (insecure).
- Crelan: no SSL on main page.
  - internet banking: weak signature (SHA1), SSL3 (insecure), no TLS 1.2, RC4 (insecure), no Forward Secrecy.
Grade C
- Hello bank!: vulnerable to POODLE attack, weak signature (SHA1), RC4 (insecure).
- Bank Van Breda: no SSL on main page.
  - internet banking: vulnerable to POODLE attack, weak signature (SHA1), no TLS 1.2, no Forward Secrecy.
Grade D
- n/a
Grade E
- n/a
Grade F
- BNP Paribas Fortis: vulnerable to POODLE attack, SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
- bpost bank: vulnerable to POODLE attack, SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
- ING: vulnerable to POODLE attack, SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
- Argenta: no SSL on main page.
  - internet banking: vulnerable to POODLE attack, SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
Information about SSL Labs grading can be found here. Grade A(+) is the best possible ranking and F the worst.
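To make the criteria above reproducible, here is an added example (not code from the original post or from SSL Labs) that applies the same weak-point rules to a scan summary. The dict layout, the field names and the two sample hosts are constructed assumptions; the POODLE rule (SSLv3 offered together with a CBC suite) is the commonly used criterion, not something taken from the post.

```python
# Added example, not from the original post: apply the post's weak-point rules to a
# constructed scan summary (the dict shape below is an assumption, not SSL Labs' API).
from typing import Dict, List

# Suites that provide Forward Secrecy use an ephemeral key exchange
FS_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_")


def weak_points(scan: Dict) -> List[str]:
    """Return the weak points of one host, phrased as in the post."""
    issues: List[str] = []
    protocols = set(scan["protocols"])
    suites = scan["cipher_suites"]
    # POODLE: SSLv3 offered together with a CBC suite (assumed criterion)
    if "SSLv3" in protocols and any("_CBC_" in s for s in suites):
        issues.append("vulnerable to POODLE attack")
    # One SHA1-signed certificate anywhere in the chain marks the whole chain weak
    if any(alg.upper().startswith("SHA1") for alg in scan["chain_signature_algorithms"]):
        issues.append("weak signature (SHA1)")
    if "SSLv3" in protocols:
        issues.append("SSL3 (insecure)")
    if "TLSv1.2" not in protocols:
        issues.append("no TLS 1.2")
    if any("_RC4_" in s for s in suites):
        issues.append("RC4 (insecure)")
    if not any(s.startswith(FS_PREFIXES) for s in suites):
        issues.append("no Forward Secrecy")
    # Downgrade attack prevention = TLS_FALLBACK_SCSV support
    if not scan["tls_fallback_scsv"]:
        issues.append("no downgrade attack prevention")
    return issues


# Constructed sample hosts (not real scan data from any bank)
GOOD_HOST = {
    "protocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
    "cipher_suites": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
    "chain_signature_algorithms": ["sha256WithRSAEncryption"],
    "tls_fallback_scsv": True,
}
WEAK_HOST = {
    "protocols": ["SSLv3", "TLSv1"],
    "cipher_suites": ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"],
    "chain_signature_algorithms": ["sha1WithRSAEncryption", "sha256WithRSAEncryption"],
    "tls_fallback_scsv": False,
}

if __name__ == "__main__":
    for name, scan in (("good host", GOOD_HOST), ("weak host", WEAK_HOST)):
        print(f"- {name}: {', '.join(weak_points(scan)) or 'no known issues'}")
```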
PS: none of the domains support IPv6 (while expected, it would have been nice — Belgium has the highest IPv6 adoption rate for end users, but almost no IPv6 websites or businesses).