TLS website test - ssllabs.com - banks

From annawiki
Jump to: navigation, search

Overview

Big fail: ING Diba, Targobank, Postbank - they didn't even get an "A"-rating.

Replies:

  • ING-DiBa:
    • 2015-02-25 - will not change. Attack is only "theoretical possibility" - ("ist der unbefugte Zugriff bisher nur eine theoretische Möglichkeit")

List

weak signature = Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2.
intermediate weak signature = Intermediate certificate has a weak signature. When renewing, ensure you upgrade to an all-SHA2 chain.
TLS_FALLBACK_SCSV = This server supports TLS_FALLBACK_SCSV to prevent protocol downgrade attacks.
HSTS long = This server supports HTTP Strict Transport Security with long duration.
Provider / Link to ssllabs.com Rating Certificate Protocol Support Key Exchange Cipher Strength Messages Comment
meindepot.sbroker.de A+ 100 95 100 90
  • TLS_FALLBACK_SCSV
  • HSTS long / Grade set to A+.
  • Key RSA 4096 bits
sbroker.de A 100 95 100 90
  • TLS_FALLBACK_SCSV
  • Key RSA 4096 bits
banking.netbank.de A 100 95 90 90
  • TLS_FALLBACK_SCSV
  • Key RSA 2048 bits
consorsbank.de A 100 95 90 90
  • weak signature
  • TLS_FALLBACK_SCSV
  • HSTS long
  • Server hostname www.cortalconsors.de - not matching certificate common name
kunde.comdirect.de A 100 95 80 90
  • weak signature
  • TLS_FALLBACK_SCSV
  • HSTS long
1822direkt.de A 100 95 80 90
  • TLS_FALLBACK_SCSV
dab-bank.de A 100 95 80 90
  • weak signature
  • TLS_FALLBACK_SCSV
  • HSTS long
norisbank.de A 100 95 90 90
  • weak signature
meine.deutsche-bank.de A 100 95 80 90
  • weak signature
  • TLS_FALLBACK_SCSV
  • HSTS long
banking.dkb.de A 100 95 90 90
  • intermediate weak signature
ing-diba.de B 100 95 90 90
  • weak signature
  • This server accepts the RC4 cipher, which is weak. Grade capped to B.
  • There is no support for secure renegotiation.
  • The server does not support Forward Secrecy with the reference browsers.
  • TLS_FALLBACK_SCSV
  • HSTS long


banking.ing-diba.de B 100 95 80 90
  • weak signature
  • This server accepts the RC4 cipher, which is weak. Grade capped to B.
  • TLS_FALLBACK_SCSV
  • HSTS long


targobank.de B 100 70 80 90
  • The server supports only older protocols, but not the current best TLS 1.2.
  • This server accepts the RC4 cipher, which is weak. Grade capped to B.
  • The server does not support Forward Secrecy with the reference browsers.
banking.postbank.de C 100 90 90 90
  • This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.
  • weak signature
  • This server accepts the RC4 cipher, which is weak. Grade capped to B.
  • The server does not support Forward Secrecy with the reference browsers.
  • TLS_FALLBACK_SCSV
banking.degussa-bank.de F 100 0 80 90
  • This server is vulnerable to MITM attacks because it supports insecure renegotiation. Grade set to F.
  • This server does not mitigate the CRIME attack. Grade capped to B.
  • Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2.
  • The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
  • There is no support for secure renegotiation.
  • The server does not support Forward Secrecy with the reference browsers.

Feedback