Minor end of year update. No big SSL exploits have been released since (bar DH, see below).
Once again, this is testing the public websites I can access. There might be other gateways, APIs, etc. that are not (as) secure.
It’s worth noting that some banks are serious about security and fixing their SSL. Most improved their rating and solved all issues (especially getting rid of SHA1 in the chain). However, a couple dropped from B to C (see below). But… No more F’s. 🙂
The noteworthy changers:
- Hello Bank! went from A to B due to weak DH,
- Triodos lost their Forward Secrecy,
- Optima from F to A(-) (and a bunch of others from B to A, and higher),
- A bunch from B to C due to SSLLabs being more severe (see below). Most did solve some of their issues,
- BKCP is doing a lot wrong.
Edit: Tested wrong AXA domain; updated to A+.
Update 11 Jan 2016: ABK & BvB updated to A.
Note that not supporting TLS 1.2 or supporting RC4 capped sites at grade B about a year ago; it now caps them at grade C (i.e. SSLLabs has become more severe).
- PSA Bank: weak signature (SHA1), no TLS 1.2, no Forward Secrecy.
- beobank: weak DH, no TLS 1.2, RC4 (insecure), no Forward Secrecy, no secure renegotiation.
- BKCP: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy, weak DH.
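To make the findings above reproducible, here is an added example (not code from this post or from SSLLabs) that reads the negotiated cipher suite for forward secrecy and RC4, and applies only the two grade caps the post states: no TLS 1.2 or RC4 caps at B a year ago and C now, and weak DH caps at B (as Hello Bank!'s drop from A to B shows). The host name, the single-handshake probe, and the assumption that the other findings (no FS, SHA1 chain) carry no stated cap are mine.

```python
"""Check a site's negotiated TLS parameters and apply the grade caps this post
describes. Added example; not SSLLabs' scoring logic."""
import socket
import ssl

# Findings the post reports per site; a dict value of True means it is present.
FINDINGS = ("no_tls12", "rc4", "weak_dh", "no_forward_secrecy", "sha1_signature")


def forward_secrecy(cipher_name):
    """Only suites with an ephemeral (EC)DHE key exchange give forward secrecy."""
    return cipher_name.startswith(("ECDHE-", "DHE-"))


def uses_rc4(cipher_name):
    """RC4 anywhere in the suite name means the insecure stream cipher is in use."""
    return "RC4" in cipher_name.upper()


def cap_grade(findings, severe=True):
    """Best grade reachable with these findings, using only the caps the post states.
    severe=True is the current SSLLabs behaviour (cap C), False the year-old one (cap B).
    Findings without a stated cap (no FS, SHA1 chain) are reported but, by assumption,
    do not lower the grade here."""
    grade = "A"
    if findings.get("no_tls12") or findings.get("rc4"):
        grade = "C" if severe else "B"
    if findings.get("weak_dh"):
        grade = max(grade, "B")  # later letter = worse grade; never raise an existing cap
    return grade


def probe(host, port=443, timeout=5):
    """One handshake with the default client context; report what was negotiated.
    A full assessment (as SSLLabs does) would try every protocol and cipher, and
    cannot be reproduced by a single connection."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, _proto, _bits = tls.cipher()
            return {"protocol": tls.version(), "cipher": name,
                    "forward_secrecy": forward_secrecy(name), "rc4": uses_rc4(name)}


if __name__ == "__main__":
    # Placeholder host; replace with the bank site you want to check.
    print(probe("example.com"))
```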