Belgian banks & SSL — part 3

EDIT: ING is now A- (not reflected in this blog post).
EDIT 2: Keytrade & Hello Bank also went to A. I’ll post a new blog post later tonight.
EDIT 3: Updated post here.

Part three, or how I single-handedly “fixed” SSL at the Belgian banks. 😉

Part one and two are available here. Not related but useful nonetheless NY Times article about bank hackers.

Argenta promised to fix their SSL, so it’s the time to check everything again.

TL;DR: Only Argenta’s status changed for the better.

Those that did not change:

  • Rabobank: A+
  • Triodos: A+
  • Belfius: A-
  • BNP Paribas Fortis: A-
  • bpost bank: A-
  • AXA: B
  • beobank: B
  • CPH: B
  • KBC: B
  • Keytrade Bank: B
  • Crelan (internet banking): B
  • Hello bank!: C
  • Bank Van Breda (internet banking): C
    • BvB no longer supports secure renegotiation (which, afaik, it did before). However, it’s still rated as C, as this isn’t a real issue.
  • ING: F
  • Record Bank (internet banking): F

Those that did change:

  • Argenta (internet banking): F to B
    • No longer vulnerable to POODLE,
    • Support for protocol downgrade attacks prevention,
    • Still using SSL3 (obsolete and insecure),
    • Weak signature (SHA1),
    • RC4 cipher is supported (insecure),
    • No Forward Secrecy.

Still a little way to go for Argenta, but it’s on the right path.

Those that I hadn’t tested before:


The entire list updated:

Grade A

  • Rabobank (A+): no known issues. Support for HTTP Strict Transport Security and prevented downgrade attacks.
  • Triodos (A+): no known issues. Support for HTTP Strict Transport Security and prevented downgrade attacks.
  • Belfius (A-): weak signature (SHA1), no Forward Secrecy.
  • BNP Paribas Fortis: (A-) weak signature (SHA1), no Forward Secrecy.
  • bpost bank: (A-) weak signature (SHA1), no Forward Secrecy.

Grade B

  • Argenta: no SSL on main page.
    • internet banking: SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
  • AXA: weak signature (SHA1), SSL3 (insecure), RC4 (insecure), no Forward Secrecy.
  • beobank: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy.
  • CPH: no TLS 1.2, RC4 (insecure), no Forward Secrecy.
  • KBC: weak signature (SHA1), no TLS 1.2, no Forward Secrecy.
  • Keytrade Bank: weak signature (SHA1), RC4 (insecure).
  • VDK: SSL3 (insecure),no TLS 1.2, weak signature (SHA1), RC4 (insecure), no Forward Secrecy
  • Crelan: no SSL on main page.
    • internet banking: weak signature (SHA1), SSL3 (insecure), no TLS 1.2, RC4, no Forward Secrecy.

Grade C

  • Hello bank!: vulnerable to POODLE attack, weak signature (SHA1), RC4 (insecure).
  • Bank Van Bredano SSL on main page.
    • internet banking: vulnerable to POODLE attack, weak signature (SHA1), no TLS 1.2, no Forward Secrecy, no support for secure renegotiation.
  • Ogone: payment facilitator
    • weak signature (SHA1), RC4, vulnerable to POODLE, no Forward Secrecy

Grade D

  • n/a

Grade E

  • n/a

Grade F

  • ABK: SSL2 (insecure), vulnerable to POODLE attack, weak signature (SHA1), RC4 (insecure), no Forward Secrecy, no TLS 1.2.
  • ING: vulnerable to POODLE attack, SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
  • MeDirect Bank: vulnerable to POODLE attack, OpenSSL CCS vulnerability (quite bad),
  • Record Bankno SSL on main page.
    • internet banking: vulnerable to POODLE attack, RC4 (insecure), no Forward Secrecy.

Information about SSL Labs grading can be found here. Grade A (+) being the best possible ranking, and F the worst.

Also, shame on you ING. More than any other bank.

Belgian banks & SSL — part 2

I previously wrote about Belgian banks & SSL. Updated version (15/02/2015) here.

Going through my Google Analytics I noticed some noteworthy network domains, which Google discribes as “The fully qualified domain names of your visitors’ Internet service providers (ISPs)”.

Screen Shot 2015-02-01 at 01.35.01Screen Shot 2015-02-01 at 01.35.23Screen Shot 2015-02-01 at 01.35.34Screen Shot 2015-02-01 at 01.36.59Screen Shot 2015-02-01 at 01.37.32

There are a few more (Belgian) government institutions and universities, and the top in the list are “(not set)” and “unknown”.

Clearly some people at the banks read the post during their work time. So it’s only fair to recheck the websites… Here goes:

Those that I hadn’t tested before:

  • CPH: B
  • Record Bank (internet banking): F

Those that did not change:

  • Rabobank: A+
  • Belfius: A-
  • AXA: B
  • beobank: B
  • KBC: B
  • Keytrade Bank: B
  • Crelan (internet banking): B
  • Hello bank!: C
  • Bank Van Breda (internet banking): C
  • ING: F
  • Argenta (internet banking): F

Those that did change:

  • TriodosA to A+
    • downgrade prevention correctly applied.
  • BNP Paribas FortisF to A-
    • No longer vulnerable to POODLE,
    • Disabled SSL3 (insecure),
    • Disabled RC4 (insecure),
    • Still using a weak signature (SHA1),
    • No Forward Secrecy.
  • bpost bankF to A-
    • No longer vulnerable to POODLE,
    • Disabled SSL3 (insecure),
    • Disabled RC4 (insecure),
    • Still using a weak signature (SHA1),
    • No Forward Secrecy.

Huge thumbs up for these last three banks! Well done, especially BNP & bpost! 🙂

Keep on shaming the others.


The entire list updated:

Grade A

  • Rabobank (A+): no known issues. Support for HTTP Strict Transport Security and prevented downgrade attacks.
  • Triodos (A+): no known issues. Support for HTTP Strict Transport Security and prevented downgrade attacks.
  • Belfius (A-): weak signature (SHA1), no Forward Secrecy.
  • BNP Paribas Fortis: (A-) weak signature (SHA1), no Forward Secrecy.
  • bpost bank: (A-) weak signature (SHA1), no Forward Secrecy.

Grade B

  • AXA: weak signature (SHA1), SSL3 (insecure), RC4 (insecure), no Forward Secrecy.
  • beobank: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy.
  • CPH: no TLS 1.2, RC4 (insecure), no Forward Secrecy.
  • KBC: weak signature (SHA1), no TLS 1.2, no Forward Secrecy.
  • Keytrade Bank: weak signature (SHA1), RC4 (insecure).
  • Crelan: no SSL on main page.
    • internet banking: weak signature (SHA1), SSL3 (insecure), no TLS 1.2, RC4, no Forward Secrecy.

Grade C

  • Hello bank!: vulnerable to POODLE attack, weak signature (SHA1), RC4 (insecure).
  • Bank Van Bredano SSL on main page.
    • internet banking: vulnerable to POODLE attack, weak signature (SHA1), no TLS 1.2, no Forward Secrecy.

Grade D

  • n/a

Grade E

  • n/a

Grade F

  • ING: vulnerable to POODLE attack, SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
  • Argentano SSL on main page.
    • internet banking: vulnerable to POODLE attack, SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
  • Record Bankno SSL on main page.
    • internet banking: vulnerable to POODLE attack, RC4 (insecure), no Forward Secrecy.

Information about SSL Labs grading can be found here. Grade A (+) being the best possible ranking, and F the worst.

Belgian banks & SSL

Tested using SSL Labs on 20/01/2015. Updated version 01/02/2015 here and 15/02/2015 here.

Only providing the weak points. Once there is one SHA1 key in the chain, I will report everything as weak.

Check SSL Labs for a full report, including what they actually did good (if anything).

Grade A

Grade B

  • AXA: weak signature (SHA1), SSL3 (insecure), RC4 (insecure), no Forward Secrecy.
  • beobank: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy.
  • KBC: weak signature (SHA1), no TLS 1.2, no Forward Secrecy.
  • Keytrade Bank: weak signature (SHA1), RC4 (insecure).
  • Crelan: no SSL on main page.
    • internet banking: weak signature (SHA1), SSL3 (insecure), no TLS 1.2, RC4, no Forward Secrecy.

Grade C

Grade D

  • n/a

Grade E

  • n/a

Grade F

  • BNP Paribas Fortis: vulnerable to POODLE attack, SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
  • bpost bank: vulnerable to POODLE attack, SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
  • ING: vulnerable to POODLE attack, SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
  • Argentano SSL on main page.
    • internet banking: vulnerable to POODLE attack, SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.

Information about SSL Labs grading can be found here. Grade A (+) being the best possible ranking, and F the worst.

PS: none of the domains support IPv6 (while expected, it would have been nice — Belgium has the highest IPv6 adoption rate for end users, but almost no IPv6 websites or businesses).

Office 2010: cannot verify the license for this product

Due to continuous Access errors, I decided to reinstall Office Professional 2010 (64 bit).

As I couldn’t find the original CD key I installed it with, I used another one from another installation. So far so good, installation went fine, etc.

Once I started any Office app, it popped up this error: “Microsoft Office professional plus 2010 cannot verify the license. blablabla useless crap check control panel”

I’ve tried:

  • Reenter CD key (via setup)
  • Repair Office
  • Install every single item I could select during the install
  • Remove office + reinstall office
  • Removed CD key with this
  • Reboot over a zillion times
  • Cursed

None of this worked.

However, this seems to fix it for me:

  1. Open command
  2. cd C:\Program Files\Microsoft Office\Office14
  3. cscript ospp.vbs /act
  4. reopen any Office. No more errors. Yay