Tested using SSL Labs on 20/01/2015. Updated version 01/02/2015 here and 15/02/2015 here.
Only providing the weak points. Once there is one SHA1 key in the chain, I will report everything as weak.
Check SSL Labs for a full report, including what they actually did good (if anything).
Grade A
- Rabobank (A+): no known issues. Support for HTTP Strict Transport Security and prevented downgrade attacks.
- Triodos (A): no downgrade attack prevention.
- Belfius (A-): weak signature (SHA1), no Forward Secrecy.
Grade B
- AXA: weak signature (SHA1), SSL3 (insecure), RC4 (insecure), no Forward Secrecy.
- beobank: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy.
- KBC: weak signature (SHA1), no TLS 1.2, no Forward Secrecy.
- Keytrade Bank: weak signature (SHA1), RC4 (insecure).
- Crelan: no SSL on main page.
- internet banking: weak signature (SHA1), SSL3 (insecure), no TLS 1.2, RC4, no Forward Secrecy.
Grade C
- Hello bank!: vulnerable to POODLE attack, weak signature (SHA1), RC4 (insecure).
- Bank Van Breda: no SSL on main page.
- internet banking: vulnerable to POODLE attack, weak signature (SHA1), no TLS 1.2, no Forward Secrecy.
Grade D
- n/a
Grade E
- n/a
Grade F
- BNP Paribas Fortis: vulnerable to POODLE attack, SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
- bpost bank: vulnerable to POODLE attack, SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
- ING: vulnerable to POODLE attack, SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
- Argenta: no SSL on main page.
- internet banking: vulnerable to POODLE attack, SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
Information about SSL Labs grading can be found here. Grade A (+) being the best possible ranking, and F the worst.
PS: none of the domains support IPv6 (while expected, it would have been nice — Belgium has the highest IPv6 adoption rate for end users, but almost no IPv6 websites or businesses).
9 replies on “Belgian banks & SSL”
[…] Leave a comment […]
[…] Leave a comment […]
[…] 15 Comments […]
[…] https://yeri.be/belgian-banks-ssl […]
[…] the current status of SSL certificates used on web properties of Belgian authorities. In January, Yeri Tiete checked the certificates of Belgian banks. About a month later, his blog post was noticed by […]
[…] tests were performed through Qualys SSL Labs on 2015-02-16. This was inspired by the overview of Belgian banks by Yeri […]
[…] navolging van Belgian banks & SSL, het blogbericht van Yeri Tiete waarin hij de status van de SSL certificaten van de Belgische […]
[…] belangrijk is ook om een zogenaamde SLL Server test te doen (die waar onze Belgische banken begin 2015 op faalden). Met dank aan de Stone-IS support is mijn cloudserver voorzien van de nodige updates, zodat ik nu […]
[…] top pages were Part 3, Part 1, Part 4 and Part 2 […]