Belgian banks & SSL — part 5

Minor end of year update. No big SSL exploits have been released since (bar DH, see below).

Once again, this is testing the public websites I can access. There might be other gateways, APIs, etc that are not (as) secure.

It’s worthy to note that some banks are serious about security and fixing their SSL. Most improved their rating and solved all issues (especially getting rid of SHA1 in the chain). However, a couple lowered from B to C (see below). But… No more F’s. 🙂

The noteworthy changers:

• Hello Bank! went from A to B though due to weak DH,
• Triodos lost their Forward Secrecy,
• Optima from F to A(-) (and a bunch others from B to A, and higher),
• A bunch from B to C due to SSLLabs being more severe (see below). Most did solve some of their issues,
• BKCP is doing a lot wrong.

Edit: Tested wrong AXA domain; updated to A+.

Update 11 Jan 2016: ABK & BvB updated to A.

Note that not supporting TLS 1.2 or supporting RC4 capped sites to grade B about a year ago; it now caps to grade C (aka SSLLabs is more severe).

Grade A

• Rabobank (A+): no known issues.
• Evi (A+): no known issues.
• Crelan (A+): no known issues.
• Binck (A+): no known issues.
• ING (A+): no known issues.
• Keytrade Bank (A+): no known issues.
• CPH (A+): no known issues.
• NIBC Direct (A+): no known issues.
• AXA (A+): no known issues.
• Delta Lloyd Bank (A): no known issues.
• Deutsche Bank (A): weak signature (SHA1).
• MeDirect Bank (A): no known issues.
• Monte Paschi (A): no known issues.
• Belfius (A): no known issues.
• BNP Paribas Fortis (A): no known issues.
• bpost bank (A): no known issues.
• Argenta (A): no known issues.
• Fortuneo (A): invalid HSTS policy.
• Fintro (A): no known issues.
• DHB Bank (A): no known issues.
• VDK (A): no known issues.
• ABK: (A): no known issues.
• Bank Van Breda (A): no known issues.
• Ogone (payment facilitator — A): no known issues.
• Moneyou (A-): no Forward Secrecy.
• Record Bank (A-): no Forward Secrecy.
• Triodos (A-): no Forward Secrecy.
• Optima Bank (A-): no Forward Secrecy.
• KBC (A-): no Forward Secrecy.
• Isabel (banking tool for corps — A-): no Forward Secrecy.

Grade B

• Hello bank!: Weak Diffie-Hell (aka DH) (info).

Grade C

• PSA Bank: weak signature (SHA1), no TLS 1.2, no Forward Secrecy.
• beobank: weak DH, no TLS 1.2, RC4 (insecure), no Forward Secrecy, no secure renegotiation.
• BKCP: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy, weak DH.

Grade D

• n/a

Grade E

• n/a

Grade F

• n/a