2015-02-25 website test - banks: Difference between revisions
(→A)
m (Tobiasco moved page TLS website test - ssllabs.com - banks to 2015-02-25 website test - banks without leaving a redirect)
(8 intermediate revisions by the same user not shown)
Line 6: | Line 6: | ||
** 2015-02-25 - will not change. Attack is only "theoretical possibility" - ("ist der unbefugte Zugriff bisher nur eine theoretische Möglichkeit") | ** 2015-02-25 - will not change. Attack is only "theoretical possibility" - ("ist der unbefugte Zugriff bisher nur eine theoretische Möglichkeit") | ||
== | ==List== | ||
weak signature = Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2. | weak signature = Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2. | ||
intermediate weak signature = Intermediate certificate has a weak signature. When renewing, ensure you upgrade to an all-SHA2 chain. | intermediate weak signature = Intermediate certificate has a weak signature. When renewing, ensure you upgrade to an all-SHA2 chain. | ||
Line 32: | Line 20: | ||
! Messages | ! Messages | ||
! Comment | ! Comment | ||
|- | |||
| [https://www.ssllabs.com/ssltest/analyze.html?d=meindepot.sbroker.de meindepot.sbroker.de] | |||
| A+ || 100 || 95 || 100 || 90 | |||
| | |||
* TLS_FALLBACK_SCSV | |||
* HSTS long / Grade set to A+. | |||
| | |||
* Key RSA 4096 bits | |||
|- | |- | ||
| [https://www.ssllabs.com/ssltest/analyze.html?d=sbroker.de sbroker.de] | | [https://www.ssllabs.com/ssltest/analyze.html?d=sbroker.de sbroker.de] | ||
Line 38: | Line 34: | ||
* TLS_FALLBACK_SCSV | * TLS_FALLBACK_SCSV | ||
| | | | ||
* RSA 4096 bits | * Key RSA 4096 bits | ||
|- | |- | ||
| [https://www.ssllabs.com/ssltest/analyze.html?d=banking.netbank.de banking.netbank.de] | | [https://www.ssllabs.com/ssltest/analyze.html?d=banking.netbank.de banking.netbank.de] | ||
Line 97: | Line 93: | ||
* intermediate weak signature | * intermediate weak signature | ||
| | | | ||
|- | |||
| [https://www.ssllabs.com/ssltest/analyze.html?d=ing-diba.de ing-diba.de] | |||
| B || 100 || 95 || 90 || 90 | |||
| | |||
* weak signature | |||
* This server accepts the RC4 cipher, which is weak. Grade capped to B. | |||
* There is no support for secure renegotiation. | |||
* The server does not support Forward Secrecy with the reference browsers. | |||
* TLS_FALLBACK_SCSV | |||
* HSTS long | |||
| | |||
|- | |||
| [https://www.ssllabs.com/ssltest/analyze.html?d=banking.ing-diba.de banking.ing-diba.de] | |||
* https://www.ssllabs.com/ssltest/analyze.html?d= | | B || 100 || 95 || 80 || 90 | ||
| | |||
* weak signature | |||
* This server accepts the RC4 cipher, which is weak. Grade capped to B. | |||
* TLS_FALLBACK_SCSV | |||
* HSTS long | |||
| | |||
This server | |||
|- | |||
| [https://www.ssllabs.com/ssltest/analyze.html?d=targobank.de targobank.de] | |||
| B || 100 || 70 || 80 || 90 | |||
| | |||
* The server supports only older protocols, but not the current best TLS 1.2. | |||
* This server accepts the RC4 cipher, which is weak. Grade capped to B. | |||
* The server does not support Forward Secrecy with the reference browsers. | |||
| | |||
|- | |||
| [https://www.ssllabs.com/ssltest/analyze.html?d=banking.postbank.de banking.postbank.de] | |||
| C || 100 || 90 || 90 || 90 | |||
| | |||
* This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C. | |||
* weak signature | |||
* This server accepts the RC4 cipher, which is weak. Grade capped to B. | |||
* The server does not support Forward Secrecy with the reference browsers. | |||
* TLS_FALLBACK_SCSV | |||
| | |||
|- | |||
| [https://www.ssllabs.com/ssltest/analyze.html?d=banking.degussa-bank.de banking.degussa-bank.de] | |||
| F || 100 || 0 || 80 || 90 | |||
| | |||
* This server is vulnerable to MITM attacks because it supports insecure renegotiation. Grade set to F. | |||
* This server does not mitigate the CRIME attack. Grade capped to B. | |||
* Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2. | |||
* The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B. | |||
* There is no support for secure renegotiation. | |||
* The server does not support Forward Secrecy with the reference browsers. | |||
| | |||
|} | |||
== | ==Feedback== | ||
* http://www.heise.de/security/news/foren/S-unbedingt-lesenswert/forum-293111/msg-26583341/read/MD5-2bc10b84b3a86a7df437ed025fd4bdb7 - Degussa reported as "F" | |||
* | |||
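Review bot: the Comment cell for banking.ing-diba.de ends in the dangling fragment "This server" with no continuation; either finish the remark or drop the fragment so the cell does not render as a cut-off sentence. Two consistency points in the same hunk: the banking.degussa-bank.de row spells out "Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2." where every other row uses the legend shorthand "weak signature" defined under ==List==, and the Feedback section ends with an empty bullet ("* ") that renders as a blank list item.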
Latest revision as of 2021-01-01T02:27:47
Overview
Big fail: ING-DiBa, Targobank, Postbank - they didn't even get an "A" rating.
Replies:
- ING-DiBa:
  - 2015-02-25 - will not change. Attack is only a "theoretical possibility" (original German: "ist der unbefugte Zugriff bisher nur eine theoretische Möglichkeit", i.e. unauthorized access has so far only been a theoretical possibility)
List
- weak signature = Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2.
- intermediate weak signature = Intermediate certificate has a weak signature. When renewing, ensure you upgrade to an all-SHA2 chain.
- TLS_FALLBACK_SCSV = This server supports TLS_FALLBACK_SCSV to prevent protocol downgrade attacks.
- HSTS long = This server supports HTTP Strict Transport Security with long duration.
Provider / Link to ssllabs.com | Rating | Certificate | Protocol Support | Key Exchange | Cipher Strength | Messages | Comment
---|---|---|---|---|---|---|---
meindepot.sbroker.de | A+ | 100 | 95 | 100 | 90 | TLS_FALLBACK_SCSV; HSTS long / Grade set to A+. | Key RSA 4096 bits
sbroker.de | A | 100 | 95 | 100 | 90 | TLS_FALLBACK_SCSV | Key RSA 4096 bits
banking.netbank.de | A | 100 | 95 | 90 | 90 | |
consorsbank.de | A | 100 | 95 | 90 | 90 | |
kunde.comdirect.de | A | 100 | 95 | 80 | 90 | |
1822direkt.de | A | 100 | 95 | 80 | 90 | |
dab-bank.de | A | 100 | 95 | 80 | 90 | |
norisbank.de | A | 100 | 95 | 90 | 90 | |
meine.deutsche-bank.de | A | 100 | 95 | 80 | 90 | |
banking.dkb.de | A | 100 | 95 | 90 | 90 | |
ing-diba.de | B | 100 | 95 | 90 | 90 | weak signature; This server accepts the RC4 cipher, which is weak. Grade capped to B.; There is no support for secure renegotiation.; The server does not support Forward Secrecy with the reference browsers.; TLS_FALLBACK_SCSV; HSTS long |
banking.ing-diba.de | B | 100 | 95 | 80 | 90 | weak signature; This server accepts the RC4 cipher, which is weak. Grade capped to B.; TLS_FALLBACK_SCSV; HSTS long |
targobank.de | B | 100 | 70 | 80 | 90 | The server supports only older protocols, but not the current best TLS 1.2.; This server accepts the RC4 cipher, which is weak. Grade capped to B.; The server does not support Forward Secrecy with the reference browsers. |
banking.postbank.de | C | 100 | 90 | 90 | 90 | This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.; weak signature; This server accepts the RC4 cipher, which is weak. Grade capped to B.; The server does not support Forward Secrecy with the reference browsers.; TLS_FALLBACK_SCSV |
banking.degussa-bank.de | F | 100 | 0 | 80 | 90 | This server is vulnerable to MITM attacks because it supports insecure renegotiation. Grade set to F.; This server does not mitigate the CRIME attack. Grade capped to B.; weak signature; The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.; There is no support for secure renegotiation.; The server does not support Forward Secrecy with the reference browsers. |