2015-02-25 website test - banks
(Tobiasco moved page TLS website test - ssllabs.com - banks to 2015-02-25 website test - banks without leaving a redirect)
==Overview==
Big fail: ING-DiBa, Targobank, Postbank - they did not even get an "A" rating.
Replies:
* ING-DiBa:
** 2015-02-25 - will not change. Attack is only a "theoretical possibility" ("so far, unauthorized access is only a theoretical possibility").
==List==
Abbreviations used in the Messages column:
* weak signature = Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2.
* intermediate weak signature = Intermediate certificate has a weak signature. When renewing, ensure you upgrade to an all-SHA2 chain.
* TLS_FALLBACK_SCSV = This server supports TLS_FALLBACK_SCSV to prevent protocol downgrade attacks.
* HSTS long = This server supports HTTP Strict Transport Security with long duration.
{| class="wikitable sortable"
! Provider / Link to ssllabs.com
! Rating
! Certificate
! Protocol Support
! Key Exchange
! Cipher Strength
! Messages
! Comment
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=meindepot.sbroker.de meindepot.sbroker.de]
| A+ || 100 || 95 || 100 || 90
|
* TLS_FALLBACK_SCSV
* HSTS long / Grade set to A+.
|
* Key RSA 4096 bits
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=sbroker.de sbroker.de]
| A || 100 || 95 || 100 || 90
|
* TLS_FALLBACK_SCSV
|
* Key RSA 4096 bits
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=banking.netbank.de banking.netbank.de]
| A || 100 || 95 || 90 || 90
|
* TLS_FALLBACK_SCSV
|
* Key RSA 2048 bits
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=consorsbank.de consorsbank.de]
| A || 100 || 95 || 90 || 90
|
* weak signature
* TLS_FALLBACK_SCSV
* HSTS long
|
* Server hostname www.cortalconsors.de does not match the certificate common name
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=kunde.comdirect.de kunde.comdirect.de]
| A || 100 || 95 || 80 || 90
|
* weak signature
* TLS_FALLBACK_SCSV
* HSTS long
|
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=1822direkt.de 1822direkt.de]
| A || 100 || 95 || 80 || 90
|
* TLS_FALLBACK_SCSV
|
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=dab-bank.de dab-bank.de]
| A || 100 || 95 || 80 || 90
|
* weak signature
* TLS_FALLBACK_SCSV
* HSTS long
|
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=norisbank.de norisbank.de]
| A || 100 || 95 || 90 || 90
|
* weak signature
|
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=meine.deutsche-bank.de meine.deutsche-bank.de]
| A || 100 || 95 || 80 || 90
|
* weak signature
* TLS_FALLBACK_SCSV
* HSTS long
|
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=banking.dkb.de banking.dkb.de]
| A || 100 || 95 || 90 || 90
|
* intermediate weak signature
|
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=ing-diba.de ing-diba.de]
| B || 100 || 95 || 90 || 90
|
* weak signature
* This server accepts the RC4 cipher, which is weak. Grade capped to B.
* There is no support for secure renegotiation.
* The server does not support Forward Secrecy with the reference browsers.
* TLS_FALLBACK_SCSV
* HSTS long
|
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=banking.ing-diba.de banking.ing-diba.de]
| B || 100 || 95 || 80 || 90
|
* weak signature
* This server accepts the RC4 cipher, which is weak. Grade capped to B.
* TLS_FALLBACK_SCSV
* HSTS long
|
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=targobank.de targobank.de]
| B || 100 || 70 || 80 || 90
|
* The server supports only older protocols, but not the current best TLS 1.2.
* This server accepts the RC4 cipher, which is weak. Grade capped to B.
* The server does not support Forward Secrecy with the reference browsers.
|
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=banking.postbank.de banking.postbank.de]
| C || 100 || 90 || 90 || 90
|
* This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.
* weak signature
* This server accepts the RC4 cipher, which is weak. Grade capped to B.
* The server does not support Forward Secrecy with the reference browsers.
* TLS_FALLBACK_SCSV
|
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=banking.degussa-bank.de banking.degussa-bank.de]
| F || 100 || 0 || 80 || 90
|
* This server is vulnerable to MITM attacks because it supports insecure renegotiation. Grade set to F.
* This server does not mitigate the CRIME attack. Grade capped to B.
* weak signature
* The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
* There is no support for secure renegotiation.
* The server does not support Forward Secrecy with the reference browsers.
|
|}
==Feedback==
* http://www.heise.de/security/news/foren/S-unbedingt-lesenswert/forum-293111/msg-26583341/read/MD5-2bc10b84b3a86a7df437ed025fd4bdb7 - Degussa reported as "F"
Latest revision as of 2021-01-01T02:27:47