Because of the media storm it’s time for an update. The previous (1, 2, 3) blog posts are outdated!
I’ll do my usual slashdot-effect post in a couple of days (it’s already at 10k views today).
Banks that changed rank since the last post (all for the better):
- 16/02/2015:
  - Keytrade: B to A
  - Hello Bank!: C to A
  - ING: F to A-
  - Record Bank: F to A-
- 17/02/2015:
  - ABK: F to B
  - Bank Van Breda: C to B
- 18/02/2015:
  - MeDirect: F to A
  - Added 6 new (small) banks
- 27/02/2015:
  - Ogone: C to A-
- 02/03/2015:
  - Fortuneo: C to B
- 03/03/2015:
  - Crelan: B to A
I cannot test Europabank using SSL Labs. I can only speculate that they asked SSL Labs not to scan them. I have also added a couple of new banks (Delta Lloyd, Deutsche Bank, Moneyou, Fortuneo, BKCP, Binck, and Isabel as a banking tool).
I would like to apologise to every IT’er who had a crappy Monday morning, and to thank you for fixing SSL so fast. 🙂
The entire list, updated (last partial update 18/02/2015 around 20:00):
I’ve updated the sites so that the login page is tested rather than the main homepage. If that’s not the case somewhere, please tell me.
Grade A
- Rabobank (A+): no known issues. Support for HTTP Strict Transport Security and prevented downgrade attacks.
- Triodos (A+): no known issues. Support for HTTP Strict Transport Security and prevented downgrade attacks.
- Evi (A+): no known issues.
- Crelan (A): weak signature (SHA1).
- Delta Lloyd Bank (A): no known issues. [news post]
- Deutsche Bank (A): weak signature (SHA1).
- Hello bank! (A): no known issues.
- Keytrade Bank (A): weak signature (SHA1, intermediate, very very minor issue).
- MeDirect Bank (A): no known issues. [newsletter: 1, 2]
- Monte Paschi (A): no known issues.
- Belfius (A-): weak signature (SHA1), no Forward Secrecy.
- BNP Paribas Fortis (A-): weak signature (SHA1), no Forward Secrecy.
- bpost bank (A-): weak signature (SHA1), no Forward Secrecy.
- Binck (A-): weak signature (SHA1), no Forward Secrecy.
- Fintro (A-): weak signature (SHA1), no Forward Secrecy.
- ING (A-): no Forward Secrecy. [press release via Standaard]
- Moneyou (A-): weak signature (SHA1), no Forward Secrecy.
- Record Bank (A-): no Forward Secrecy. [news post]
- Isabel (banking tool for big corps – A-): weak signature (SHA1), no Forward Secrecy.
- Ogone (payment facilitator): no Forward Secrecy. [newsletter via twitter]
Grade B
- Argenta: SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
- ABK: weak signature (SHA1), no TLS 1.2, no Forward Secrecy, no support for secure renegotiation. [update]
- AXA: weak signature (SHA1), SSL3 (insecure), RC4 (insecure), no Forward Secrecy.
- Bank Van Breda: weak signature (SHA1), no TLS 1.2, no Forward Secrecy, no support for secure renegotiation. [update]
- beobank: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy.
- BKCP: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy. [newsletter]
- CPH: no TLS 1.2, RC4 (insecure), no Forward Secrecy.
- DHB Bank: weak signature (SHA1), RC4 (insecure).
- Fortuneo: weak signature (SHA1), no TLS 1.2, no Forward Secrecy.
- KBC: weak signature (SHA1), no TLS 1.2, no Forward Secrecy.
- NIBC Direct: weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
- VDK: SSL3 (insecure), no TLS 1.2, weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
Grade C
- PSA Bank: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy.
Grade D
- n/a
Grade E
- n/a
Grade F
- Optima Bank: vulnerable to the POODLE attack (both the SSL3 and the TLS variant), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
Information about SSL Labs grading can be found here. Grade A (or A+) is the best possible ranking, and F the worst.
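To make the findings above concrete, here is an added nginx TLS server block (not from the original post or from any of the listed banks) with the scanned weak settings shown commented out beside the hardened ones; the hostname, certificate paths and document root are placeholders.

```nginx
# Added example, not from the original post or any listed bank.
# Hostname, certificate paths and document root are placeholders.
server {
    listen 443 ssl;
    server_name login.example-bank.invalid;   # placeholder hostname

    # "weak signature (SHA1)" is a certificate property, not a directive:
    # re-issue the leaf (and any intermediate) signed with SHA-256,
    # e.g. a CSR generated with `openssl req -new -sha256 ...`.
    ssl_certificate     /etc/nginx/tls/login.fullchain.pem;   # placeholder
    ssl_certificate_key /etc/nginx/tls/login.key;             # placeholder

    # Weak (as scanned): "SSL3 (insecure)" still enabled, "no TLS 1.2".
    #   ssl_protocols SSLv3 TLSv1 TLSv1.1;
    # Hardened: SSLv3 off (closes POODLE in SSL3), TLS 1.2 on.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # Weak (as scanned): "RC4 (insecure)" accepted, "no Forward Secrecy"
    # because static RSA key exchange is allowed.
    #   ssl_ciphers HIGH:RC4:!aNULL;
    # Hardened: ECDHE-only suites (ephemeral keys = Forward Secrecy),
    # RC4, 3DES, MD5 and NULL suites excluded explicitly.
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!MD5:!RC4:!3DES';
    ssl_prefer_server_ciphers on;

    # "prevented downgrade attacks" (TLS_FALLBACK_SCSV) and "secure
    # renegotiation" (RFC 5746) are provided by the linked OpenSSL build,
    # not by nginx directives: keep OpenSSL current.

    # HTTP Strict Transport Security, as on the A+ sites: browsers refuse
    # plain HTTP to this host for max-age seconds (here ~6 months).
    add_header Strict-Transport-Security "max-age=15768000" always;

    location / {
        root /var/www/login;   # placeholder
    }
}
```

After changing the config, re-run the SSL Labs scan against the login hostname (not the homepage) to confirm each finding has cleared.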
Respect to those who sent a mailing to their customers with more detailed information. Communication++
Respect to Rabobank for being the only bank that contacted me directly (officially, not hiding behind a Gmail or Hotmail address) and thanked me for the work I did, asked for more details, etc.
And thank you to an anonymous person, working for one of the big banks, for giving me more details about why they are slow at patching this, how legacy works, etc. I wish he could take this discussion public, but alas.