Because of the mediastorm it’s time for an update. The previous (1, 2, 3) blog posts are outdated!
I’ll do my usual slashdot-effect post in a couple of days (it’s already at 10k views today).
Banks that changed rank since last post (all for the better):
- 16/02/2015:
- Keytrade: B to A
- Hello Bank!: C to A
- ING: F to A-
- Record Bank: F to A-
- 17/02/2015:
- ABK: F to B
- Bank Van Breda: C to B
- 18/02/2015:
- MeDirect: F to A
- Added 6 new (small) banks
- 27/02/2015
- Ogone: C to A-
- 02/03/2015
- Fortuneo: C to B
- 03/03/2015
- Crelan: B to A
I cannot test Europabank using SSL Labs. I can only speculate they requested SSL Labs to not scan them. I have also added a couple new banks (Delta Lloyd, Deutsche Bank, Moneyou, Fortuneo, BKCP, Binck, and Isabel as bank tool).
I would like to apologise for every IT’er that had a crappy Monday morning, and thank you for fixing SSL so fast. 🙂
The entire list updated (last partial update 18/02/2015 around 20h00):
I’ve updated the sites to now correctly test the login page and not the main homepage. If that’s not the case somewhere, please tell me.
Grade A
- Rabobank (A+): no known issues. Support for HTTP Strict Transport Security and prevented downgrade attacks.
- Triodos (A+): no known issues. Support for HTTP Strict Transport Security and prevented downgrade attacks.
- Evi (A+): no known issues.
- Crelan (A): weak signature (SHA1).
- Delta Lloyd Bank (A): no known issues. [news post]
- Deutsche Bank (A): weak signature (SHA1).
- Hello bank! (A): no known issues.
- Keytrade Bank (A): weak signature (SHA1, intermediate, very very minor issue).
- MeDirect Bank (A): no known issues. [newsletter: 1, 2]
- Monte Paschi (A): no known issues.
- Belfius (A-): weak signature (SHA1), no Forward Secrecy.
- BNP Paribas Fortis (A-): weak signature (SHA1), no Forward Secrecy.
- bpost bank (A-): weak signature (SHA1), no Forward Secrecy.
- Binck (A-): weak signature (SHA1), no Forward Secrecy.
- Fintro (A-): weak signature (SHA1), no Forward Secrecy.
- ING (A-): no Forward Secrecy. [press release via Standaard]
- Moneyou (A-): weak signature (SHA1), no Forward Secrecy.
- Record Bank (A-): no Forward Secrecy. [news post]
- Isabel (banking tool for big corps – A-): weak signature (SHA1), no Forward Secrecy.
- Ogone (payment facilitator): no Forward Secrecy. [newsletter via twitter]
Grade B
- Argenta: SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
- ABK: weak signature (SHA1), no TLS 1.2, no Forward Secrecy, no support for secure renegotiation. [update]
- AXA: weak signature (SHA1), SSL3 (insecure), RC4 (insecure), no Forward Secrecy.
- Bank Van Breda: weak signature (SHA1), no TLS 1.2, no Forward Secrecy, no support for secure renegotiation. [update]
- beobank: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy.
- BKCP: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy. [newsletter]
- CPH: no TLS 1.2, RC4 (insecure), no Forward Secrecy.
- DHB Bank: weak signature (SHA1), RC4 (insecure).
- Fortuneo: weak signature (SHA1), no TLS 1.2, no Forward Secrecy.
- KBC: weak signature (SHA1), no TLS 1.2, no Forward Secrecy.
- NIBC Direct: weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
- VDK: SSL3 (insecure),no TLS 1.2, weak signature (SHA1), RC4 (insecure), no Forward Secrecy
Grade C
- PSA Bank: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy.
Grade D
- n/a
Grade E
- n/a
Grade F
- Optima Bank: vulnerable to POODLE attack in SSL3 and TLS format, weak signature (SHA1), RC4, no Forward Secrecy.
Information about SSL Labs grading can be found here. Grade A (+) being the best possible ranking, and F the worst.
Respect to those that send a mailing list to their customers with more detailed information. Communication++
Respect to Rabobank to be the only bank that directly contacted me (officially, not hiding behind a Gmail or Hotmail address) and thanked me for the work I did, asking for more details, etc.
And thank you for an anonymous person, working for one of the big banks, to give me more details about why they are slow at patching this, how legacy works, etc. I wish he could take this discussion public, but alas.
40 replies on “Belgian banks & SSL — part 4”
[…] EDIT: ING is now A- (not reflected in this blog post). EDIT 2: Keytrade & Hello Bank also went to A. I’ll update this blog post later tonight. EDIT 3: Updated post here. […]
Il y a encore une banque qui manque
Laquelle?
Bkcpbanque.be
J’ai mis a jour
=> BKCP => B => weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy.
Bonjour Yeri, pour EuropaBank il te suffit de savoir utiliser OpenSSL pour découvrir _par toi-même_ tout ce que SSL Labs de Qualys rapporte.
J’imagine qu’en tant que grand Hacker securité (comme te dépeint la presse, hahaha, oups pardon) cela ne te sera pas compliqué de découvrir les paramètres nécéssaires à la commande # openssl pour ce faire (man openssl).
Si tu as besoin d’aide n’hésites pas à demander ici 😉
Feel free to post it. 🙂 but alternatives are here: https://github.com/ssllabs/research/wiki/Assessment-Tools
Je ne peux pas tout faire, ma maman m’appelle pour faire dodo 🙁 Mais voici déjà quelques exemples :
# openssl s_client -connect http://www.ebonline.be:443
=> Chriffrement RC4 (“Cipher : RC4-MD5”)
=> Tu copy/paste le certificat dans fichier ‘x’ (partie entre —–BEGIN CERTIFICATE—– & —–END CERTIFICATE—–), puis : openssl x509 -in x -noout -text : SHA-1 (Signature Algorithm: sha1WithRSAEncryption)
# openssl s_client -connect http://www.ebonline.be:443 -ssl3
=> SSLv3 supporté (Protocol : SSLv3)
On est donc déjà en grade B (RC4 + SHA1 + SSLv3), pour le reste (i.e. POODLE, BEAST, …) je te laisse faire ou alors tu attends demain après que j’ai mangé mes Coco Pops 😉
Top! et oui c’est poodle vuln.
Et comment évalues-tu si il y a une mitigation effectuée ?
Evi (part of Van Lanschot) gets A+:
https://www.ssllabs.com/ssltest/analyze.html?d=secure.evi.be
merci!
Binck Bank belgique : A (only minor issue with SHA1):
https://www.ssllabs.com/ssltest/analyze.html?d=binck.be
Thanks — updated! (and using their login page instead of homepage: https://www.ssllabs.com/ssltest/analyze.html?d=login.binck.be&hideResults=on)
Beste Yeri,
Bank Van Breda en ABK hebben maandag ochtend de nodige maatregelen genomen waardoor deze een B-quotering hebben gekregen.
Super — ik werk mijn lijstje bij!
Ik heb via spaargids.be nog enkele banken gevonden die nog niet op het lijstje stonden:
– Optima Bank (F)
– PSA Bank (C) + inconsistent server config (?)
– DHB Bank (B)
– NIBC Direct (B)
– Fintro (A-)
– Banca Monte Paschi Belgio (A)
Links:
https://www.ssllabs.com/ssltest/analyze.html?d=ebanking.nibcdirect.be
https://www.ssllabs.com/ssltest/analyze.html?d=optimaonline.optimabank.be
https://www.ssllabs.com/ssltest/analyze.html?d=www.montepaschi.be
https://www.ssllabs.com/ssltest/analyze.html?d=netbanking.dhbbank.com&latest
https://www.ssllabs.com/ssltest/analyze.html?d=www.fintro.be
https://www.ssllabs.com/ssltest/analyze.html?d=www.psabank.be
Sommige van deze banken hebben er de laatste dagen waarschijnlijk van geprofiteerd om hun score te verbeteren. Voor zover ik zie is er geen mogelijkheid bij SSL Labs om historische scans op te zoeken?
Geen idee of Optima Bank dit nog gaat oplossen, aangezien ze van plan zijn ermee te stoppen:
http://www.tijd.be/nieuws/ondernemingen_financien/Optima_zet_punt_achter_bankactiviteiten.9540310-3095.art?ckc=1
Nee — geen mogelijkheid om historische gegevens na te gaan (en kans ook klein dat ze uberhaupt getest geweest zijn).
Ik zal ze toevoegen. Merci.
BVB kondigt een onderhoud aan.
https://s3-eu-west-1.amazonaws.com/uploads-eu.hipchat.com/7010/14348/eBxywvQgGjgwgJp/BVB.png
De geplande onbeschikbaarheid heeft niets te maken met berichtgeving over SSL. Volgend weekend leggen we de basis voor een nieuwe toepassing met o.a. real-time betalingsverkeer, een tablet- en smartphone versie, moderne look en feel enz. Dit past binnen een project waaraan al meer dan een jaar wordt gewerkt.
In een mail laat MeDirect weten dat ze na een update die ze vannacht hebben uitgevoerd van F naar A zijn gegaan.
Super, ik pas het aan.
Kleine opmerking: MeDirect ging van F naar A, niet van B naar A zoals in je update staat.
Btw, zou je die link uit mijn vorige post willen verwijderen a.u.b.? (privacy issue)
Ik pas beide aan. 🙂 Kan je je eigen comment niet aanpassen?
Hi Yeri, thanks for your posts and for the press coverage, I think that Belgium will be one of the first countries to be freed from XP + IE6 so quickly 🙂 IT departments of the banks congratulates you (and for sure do not hate you as you seem to think all the time). It is not always easy to convince the marketing departments that we have to secure our infras with the downside that we might lose customers (temporarily).
Even if you’re not a security expert as the press is stating, you should continue doing the same for other security or IT aspects (CSP, IPv6, …), you seem to be listened by the press now and thus by marketing.
Hehe, thanks.
In my very first post (https://yeri.be/belgian-banks-ssl — all the way at the bottom) I checked for IPv6 DNS records. But it’s not “security”, so it won’t have the same effect. 😉
Imho, you didn’t understand how security brings value to a business. You only understood how security needs to be covered technically.
You’re basically missing a set of knowledge you should acquire (and I’m an IT operations guy !) to perform well in these areas. You don’t have to lose customers (even temporarily). Just learn that reputation is an higher risk than technical attack.
Tbh, I’m more in favor of blaming all the banks because SSLv3 was still supported while it should have been decom’ a while ago.
http://frank.be/waarom-poedels-geen-excuus-meer-zijn-voor-banken/
Test in Norway: https://www.aeyoun.com/posts/tls-ratings-norwegian-banks.html
Hello;
Please notice that situation for AXA has changed: AXA Bank (axabank.be): Grade A
(AXA.be is the insurance part today)
You are right. I’ll use “http://www.fe.axa.be” that links to their Homebank/login. However, it still shows “B” here. Axabank is indeed A+ — but it’s clearly running on another server/proxy than their Homebank.
Ingenico payment services (Ogone) is no longer grade c but A- 😉
Great — I’ll update it. 🙂
FREAK attack: https://freakattack.com/
Hi Yeri,
Interesting finding : keytradebank.com became A+ yesterday but it is still using a SHA-1 certificate in its certificate chain. The only thing which changed is that the keychain sent by keytrade does not contain the root CA but just the intermediate CA. However the root CA provided by the trusted store of Qualys is well SHA-1. Seems to be a bug in the Qualys report ?
Another interesting post you could write on your blog regarding the security of the bank concerns the phishing and associated counter-measures (SPF/DKIM/DMARC). You’ll discover interesting things as well.
Cheers, A.
SHA1 doesn’t get punished yet, I believe. They have until end of 2015 (I think) to fix it.
Keytrade’s own certif is correctly using SHA2, it’s the CA record which has a lower bitrate => “Don’t worry if the root certificate uses SHA1; signatures on roots are not used (and Chrome won’t warn about them).” (https://community.qualys.com/blogs/securitylabs/2014/09/09/sha1-deprecation-what-you-need-to-know)
About mail security, I found almost no one is (properly) using it, so I’m guessing none of the banks have the rights records set up. 🙂
* ING: SPF record OK (-all) ; DMARC record OK (reject 100%) ;
* Rabobank : SPF record POK (~all) ; DMARC record NOK (NX) ;
* Triodos : SPF record OK (-all) ; DMARC record NOK (NX) ;
* BNP Paribas Fortis : SPF record POK (~all) ; DMARC record NOK (NX) ;
* Keytrade Bank : SPF record OK (-all) ; DMARC record OK (reject 100%) ;
* Belfius : SPF record OK (-all) ; DMARC POK (none 0%) ;
* Argenta : SPF record POK (~all) ; DMARC POK (none 100%) ;
…etc.
So several banks are doing something but not as good as ING & Keytrade.
Note that for DKIM you’ll need to receive an email from the bank in order to check it.
There is no easy way to find out except if you know in advance which selector (s=) they’re using.
Regards,
A.
You should create a dedicated page/blog for this!
[…] end of year update. No big SSL exploits have been released since (bar DH, see […]
Argenta updated their website recently. It seems much better.