2015-02-25 website test - banks: Difference between revisions
(→A+) |
No edit summary |
||
| Line 93: | Line 93: | ||
* intermediate weak signature | * intermediate weak signature | ||
| | | | ||
|- | |||
| [https://www.ssllabs.com/ssltest/analyze.html?d=ing-diba.de ing-diba.de] | |||
| B || 100 || 95 || 90 || 90 | |||
| | |||
* weak signature | |||
* This server accepts the RC4 cipher, which is weak. Grade capped to B. | |||
* There is no support for secure renegotiation. | |||
* The server does not support Forward Secrecy with the reference browsers. | |||
* TLS_FALLBACK_SCSV | |||
* HSTS long | |||
| | |||
|- | |||
| [https://www.ssllabs.com/ssltest/analyze.html?d=banking.ing-diba.de banking.ing-diba.de] | |||
| B || 100 || 95 || 80 || 90 | |||
| | |||
* weak signature | |||
* This server accepts the RC4 cipher, which is weak. Grade capped to B. | |||
* TLS_FALLBACK_SCSV | |||
* HSTS long | |||
| | |||
|- | |||
| [https://www.ssllabs.com/ssltest/analyze.html?d=targobank.de targobank.de] | |||
| B || 100 || 70 || 80 || 90 | |||
| | |||
* The server supports only older protocols, but not the current best TLS 1.2. | |||
* This server accepts the RC4 cipher, which is weak. Grade capped to B. | |||
* The server does not support Forward Secrecy with the reference browsers. | |||
| | |||
|- | |||
| [https://www.ssllabs.com/ssltest/analyze.html?d=banking.postbank.de banking.postbank.de] | |||
| C || 100 || 90 || 90 || 90 | |||
| | |||
* This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C. | |||
* weak signature | |||
* This server accepts the RC4 cipher, which is weak. Grade capped to B. | |||
* The server does not support Forward Secrecy with the reference browsers. | |||
This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C. | * TLS_FALLBACK_SCSV | ||
| | |||
|} | |||
Revision as of 2015-02-28T07:48:12
Overview
Big fail: ING Diba, Targobank, Postbank - they didn't even get an "A"-rating.
Replies:
- ING-DiBa:
- 2015-02-25 - will not change. Attack is only "theoretical possibility" - ("ist der unbefugte Zugriff bisher nur eine theoretische Möglichkeit")
A
weak signature = Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2. intermediate weak signature = Intermediate certificate has a weak signature. When renewing, ensure you upgrade to an all-SHA2 chain. TLS_FALLBACK_SCSV = This server supports TLS_FALLBACK_SCSV to prevent protocol downgrade attacks. HSTS long = This server supports HTTP Strict Transport Security with long duration.
| Provider / Link to ssllabs.com | Rating | Certificate | Protocol Support | Key Exchange | Cipher Strength | Messages | Comment |
|---|---|---|---|---|---|---|---|
| meindepot.sbroker.de | A+ | 100 | 95 | 100 | 90 |
|
|
| sbroker.de | A | 100 | 95 | 100 | 90 |
|
|
| banking.netbank.de | A | 100 | 95 | 90 | 90 |
|
|
| consorsbank.de | A | 100 | 95 | 90 | 90 |
|
|
| kunde.comdirect.de | A | 100 | 95 | 80 | 90 |
|
|
| 1822direkt.de | A | 100 | 95 | 80 | 90 |
|
|
| dab-bank.de | A | 100 | 95 | 80 | 90 |
|
|
| norisbank.de | A | 100 | 95 | 90 | 90 |
|
|
| meine.deutsche-bank.de | A | 100 | 95 | 80 | 90 |
|
|
| banking.dkb.de | A | 100 | 95 | 90 | 90 |
|
|
| ing-diba.de | B | 100 | 95 | 90 | 90 |
|
|
| banking.ing-diba.de | B | 100 | 95 | 80 | 90 |
|
|
| targobank.de | B | 100 | 70 | 80 | 90 |
|
|
| banking.postbank.de | C | 100 | 90 | 90 | 90 |
|