Overview
Big fail: ING Diba, Targobank, Postbank - they didn't even get an "A"-rating.
Replies:
- ING-DiBa:
  - 2015-02-25 - will not change. Attack is only a "theoretical possibility" ("unauthorised access is so far only a theoretical possibility", original: "ist der unbefugte Zugriff bisher nur eine theoretische Möglichkeit")
List
- weak signature = Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2.
- intermediate weak signature = Intermediate certificate has a weak signature. When renewing, ensure you upgrade to an all-SHA2 chain.
- TLS_FALLBACK_SCSV = This server supports TLS_FALLBACK_SCSV to prevent protocol downgrade attacks.
- HSTS long = This server supports HTTP Strict Transport Security with long duration.
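The "HSTS long" entry above depends on what the Strict-Transport-Security header actually says. The following is an added example, not code from the original page or from any of the listed banks: it parses an HSTS header value per RFC 6797 and classifies the policy. The 180-day threshold for "long" is an assumption made here (it matches the minimum SSL Labs has required for an A+ grade); the sample headers are constructed, not captured from any listed site.

```python
"""Added example (not part of the original page): parse a
Strict-Transport-Security header and decide whether it counts as
"HSTS long" in the sense the legend above uses.

Assumption: "long duration" is taken as max-age >= 180 days
(15552000 seconds); this threshold is not stated on the page.
"""
from dataclasses import dataclass
from typing import Optional

LONG_MAX_AGE_SECONDS = 180 * 24 * 3600  # assumed threshold, see docstring


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> Optional[HstsPolicy]:
    """Parse an HSTS header value (RFC 6797 section 6.1).

    Directives are ';'-separated, names are case-insensitive, values may
    be quoted, and unknown directives are ignored. max-age is required;
    a header without a valid max-age is treated as no policy at all.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None  # malformed max-age: browsers ignore the header
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def classify_hsts(header_value: Optional[str]) -> str:
    """Return 'none', 'disabled', 'short' or 'long' for a header value."""
    if header_value is None:
        return "none"
    policy = parse_hsts(header_value)
    if policy is None:
        return "none"
    if policy.max_age == 0:
        return "disabled"  # max-age=0 tells the browser to forget the host
    if policy.max_age >= LONG_MAX_AGE_SECONDS:
        return "long"
    return "short"


# Constructed sample headers (not captured from any site listed below).
SAMPLE_HEADERS = {
    "long-policy": "max-age=31536000; includeSubDomains; preload",
    "short-policy": "max-age=86400",
    "cleared": "max-age=0",
    "missing-max-age": "includeSubDomains",
}

if __name__ == "__main__":
    for label, value in SAMPLE_HEADERS.items():
        print(f"{label:16s} -> {classify_hsts(value)}")
```

A header with a short max-age still protects returning visitors for that window only; a header without max-age is ignored by browsers entirely, which is why the parser reports it as no policy rather than as a weak one.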
| Provider / Link to ssllabs.com | Rating | Certificate | Protocol Support | Key Exchange | Cipher Strength | Messages | Comment |
|---|---|---|---|---|---|---|---|
| meindepot.sbroker.de | A+ | 100 | 95 | 100 | 90 | TLS_FALLBACK_SCSV; HSTS long / Grade set to A+. | |
| sbroker.de | A | 100 | 95 | 100 | 90 | | |
| banking.netbank.de | A | 100 | 95 | 90 | 90 | | |
| consorsbank.de | A | 100 | 95 | 90 | 90 | weak signature; TLS_FALLBACK_SCSV; HSTS long | Server hostname www.cortalconsors.de - not matching certificate common name |
| kunde.comdirect.de | A | 100 | 95 | 80 | 90 | weak signature; TLS_FALLBACK_SCSV; HSTS long | |
| 1822direkt.de | A | 100 | 95 | 80 | 90 | | |
| dab-bank.de | A | 100 | 95 | 80 | 90 | weak signature; TLS_FALLBACK_SCSV; HSTS long | |
| norisbank.de | A | 100 | 95 | 90 | 90 | | |
| meine.deutsche-bank.de | A | 100 | 95 | 80 | 90 | weak signature; TLS_FALLBACK_SCSV; HSTS long | |
| banking.dkb.de | A | 100 | 95 | 90 | 90 | intermediate weak signature | |
| ing-diba.de | B | 100 | 95 | 90 | 90 | weak signature; This server accepts the RC4 cipher, which is weak. Grade capped to B.; There is no support for secure renegotiation.; The server does not support Forward Secrecy with the reference browsers.; TLS_FALLBACK_SCSV; HSTS long | |
| banking.ing-diba.de | B | 100 | 95 | 80 | 90 | weak signature; This server accepts the RC4 cipher, which is weak. Grade capped to B.; TLS_FALLBACK_SCSV; HSTS long | |
| targobank.de | B | 100 | 70 | 80 | 90 | The server supports only older protocols, but not the current best TLS 1.2.; This server accepts the RC4 cipher, which is weak. Grade capped to B.; The server does not support Forward Secrecy with the reference browsers. | |
| banking.postbank.de | C | 100 | 90 | 90 | 90 | This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.; weak signature; This server accepts the RC4 cipher, which is weak. Grade capped to B.; The server does not support Forward Secrecy with the reference browsers.; TLS_FALLBACK_SCSV | |
| banking.degussa-bank.de | F | 100 | 0 | 80 | 90 | This server is vulnerable to MITM attacks because it supports insecure renegotiation. Grade set to F.; This server does not mitigate the CRIME attack. Grade capped to B.; weak signature; The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.; There is no support for secure renegotiation.; The server does not support Forward Secrecy with the reference browsers. | |
Feedback