2015-02-25 website test - banks

From annawiki
==Overview==
Big fail: ING-DiBa, Targobank, Postbank - they did not even get an "A" rating.

Replies:
* ING-DiBa:
** 2015-02-25 - will not change. The attack is only a "theoretical possibility" ("so far, unauthorized access is only a theoretical possibility")

==List==
Short forms used in the "Messages" column:
  weak signature = Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2.
  intermediate weak signature = Intermediate certificate has a weak signature. When renewing, ensure you upgrade to an all-SHA2 chain.
  TLS_FALLBACK_SCSV = This server supports TLS_FALLBACK_SCSV to prevent protocol downgrade attacks.
  HSTS long = This server supports HTTP Strict Transport Security with long duration.
{| class="wikitable sortable"
! Provider / Link to ssllabs.com
! Rating
! Certificate
! Protocol Support
! Key Exchange
! Cipher Strength
! Messages
! Comment
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=meindepot.sbroker.de meindepot.sbroker.de]
| A+ || 100 || 95 || 100 || 90
|
* TLS_FALLBACK_SCSV
* HSTS long / Grade set to A+.
|
* Key RSA 4096 bits
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=sbroker.de sbroker.de]
| A || 100 || 95 || 100 || 90
|
* TLS_FALLBACK_SCSV
|
* Key RSA 4096 bits
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=banking.netbank.de banking.netbank.de]
| A || 100 || 95 || 90 || 90
|
* TLS_FALLBACK_SCSV
|
* Key RSA 2048 bits
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=consorsbank.de consorsbank.de]
| A || 100 || 95 || 90 || 90
|
* weak signature
* TLS_FALLBACK_SCSV
* HSTS long
|
* Server hostname www.cortalconsors.de does not match the certificate common name
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=kunde.comdirect.de kunde.comdirect.de]
| A || 100 || 95 || 80 || 90
|
* weak signature
* TLS_FALLBACK_SCSV
* HSTS long
|
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=1822direkt.de 1822direkt.de]
| A || 100 || 95 || 80 || 90
|
* TLS_FALLBACK_SCSV
|
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=dab-bank.de dab-bank.de]
| A || 100 || 95 || 80 || 90
|
* weak signature
* TLS_FALLBACK_SCSV
* HSTS long
|
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=norisbank.de norisbank.de]
| A || 100 || 95 || 90 || 90
|
* weak signature
|
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=meine.deutsche-bank.de meine.deutsche-bank.de]
| A || 100 || 95 || 80 || 90
|
* weak signature
* TLS_FALLBACK_SCSV
* HSTS long
|
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=banking.dkb.de banking.dkb.de]
| A || 100 || 95 || 90 || 90
|
* intermediate weak signature
|
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=ing-diba.de ing-diba.de]
| B || 100 || 95 || 90 || 90
|
* weak signature
* This server accepts the RC4 cipher, which is weak. Grade capped to B.
* There is no support for secure renegotiation.
* The server does not support Forward Secrecy with the reference browsers.
* TLS_FALLBACK_SCSV
* HSTS long
|
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=banking.ing-diba.de banking.ing-diba.de]
| B || 100 || 95 || 80 || 90
|
* weak signature
* This server accepts the RC4 cipher, which is weak. Grade capped to B.
* TLS_FALLBACK_SCSV
* HSTS long
|
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=targobank.de targobank.de]
| B || 100 || 70 || 80 || 90
|
* The server supports only older protocols, but not the current best TLS 1.2.
* This server accepts the RC4 cipher, which is weak. Grade capped to B.
* The server does not support Forward Secrecy with the reference browsers.
|
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=banking.postbank.de banking.postbank.de]
| C || 100 || 90 || 90 || 90
|
* This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.
* weak signature
* This server accepts the RC4 cipher, which is weak. Grade capped to B.
* The server does not support Forward Secrecy with the reference browsers.
* TLS_FALLBACK_SCSV
|
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=banking.degussa-bank.de banking.degussa-bank.de]
| F || 100 || 0 || 80 || 90
|
* This server is vulnerable to MITM attacks because it supports insecure renegotiation. Grade set to F.
* This server does not mitigate the CRIME attack. Grade capped to B.
* Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2.
* The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
* There is no support for secure renegotiation.
* The server does not support Forward Secrecy with the reference browsers.
|
|}
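The "Messages" column states the grade caps one at a time (RC4 caps to B, POODLE caps to C, insecure renegotiation sets F, HSTS long lifts to A+), but not how they combine when a host triggers several. The following Python is an added example, not part of the original wiki page and not Qualys SSL Labs' own code: it encodes only the cap rules quoted in the table plus one rule inferred from the rows themselves (every host listed with both "weak signature" and "HSTS long" rated A rather than A+, so a certificate warning is treated as blocking the A+ uplift), and replays the table's own rows through that model. The combination logic is our reading of the table, not a published SSL Labs algorithm; the row data is copied from the table above.

```python
"""Model of how the SSL Labs grade caps quoted in the bank table compose.

Added example, not part of the wiki page and not SSL Labs' own code.  Only the
cap rules stated in the table's "Messages" column are encoded, plus the
inferred rule that a certificate warning blocks the A+ uplift.
"""

GRADES = ["A+", "A", "B", "C", "F"]   # best to worst

# One token per message seen in the table.
RC4 = "rc4"                        # "accepts the RC4 cipher ... Grade capped to B"
NO_TLS12 = "no_tls12"              # "supports only older protocols, but not ... TLS 1.2. Grade capped to B"
CRIME = "crime"                    # "does not mitigate the CRIME attack. Grade capped to B"
SSL3_POODLE = "ssl3_poodle"        # "vulnerable to the POODLE attack ... Grade capped to C"
INSECURE_RENEG = "insecure_reneg"  # "supports insecure renegotiation. Grade set to F"
HSTS_LONG = "hsts_long"            # "HSTS with long duration" -> eligible for A+
WEAK_SIG = "weak_signature"        # certificate warning; blocks A+ (inferred from the rows)
WEAK_SIG_INTERMEDIATE = "intermediate_weak_signature"
NO_SECURE_RENEG = "no_secure_reneg"  # no cap stated in the table
NO_FS = "no_forward_secrecy"         # no cap stated in the table
FALLBACK_SCSV = "tls_fallback_scsv"  # positive finding, no effect on the grade

# finding -> worst grade the host may still receive
CAPS = {RC4: "B", NO_TLS12: "B", CRIME: "B", SSL3_POODLE: "C", INSECURE_RENEG: "F"}
WARNINGS = {WEAK_SIG, WEAK_SIG_INTERMEDIATE}


def worse(a: str, b: str) -> str:
    """Return the worse of two letter grades."""
    return a if GRADES.index(a) >= GRADES.index(b) else b


def grade(findings, base: str = "A") -> str:
    """Apply every cap as a minimum, then the HSTS uplift.

    The worst cap wins (POODLE's C beats RC4's B on banking.postbank.de), and
    the A+ uplift requires an uncapped A with no certificate warning, which is
    why ing-diba.de keeps B and consorsbank.de keeps A despite "HSTS long".
    """
    result = base
    capped = False
    for finding in findings:
        if finding in CAPS:
            result = worse(result, CAPS[finding])
            capped = True
    if HSTS_LONG in findings and not capped and not (set(findings) & WARNINGS):
        result = "A+"
    return result


# Rows copied from the table: hostname -> (published grade, findings).
ROWS = {
    "meindepot.sbroker.de": ("A+", {FALLBACK_SCSV, HSTS_LONG}),
    "sbroker.de": ("A", {FALLBACK_SCSV}),
    "consorsbank.de": ("A", {WEAK_SIG, FALLBACK_SCSV, HSTS_LONG}),
    "banking.dkb.de": ("A", {WEAK_SIG_INTERMEDIATE}),
    "ing-diba.de": ("B", {WEAK_SIG, RC4, NO_SECURE_RENEG, NO_FS, FALLBACK_SCSV, HSTS_LONG}),
    "targobank.de": ("B", {NO_TLS12, RC4, NO_FS}),
    "banking.postbank.de": ("C", {SSL3_POODLE, WEAK_SIG, RC4, NO_FS, FALLBACK_SCSV}),
    "banking.degussa-bank.de": ("F", {INSECURE_RENEG, CRIME, WEAK_SIG, NO_TLS12, NO_SECURE_RENEG, NO_FS}),
}


def mismatches() -> dict:
    """Hosts where the model disagrees with the grade published in the table."""
    return {host: (pub, grade(f)) for host, (pub, f) in ROWS.items() if grade(f) != pub}


if __name__ == "__main__":
    for host, (published, findings) in ROWS.items():
        print(f"{host:26s} table={published:2s} model={grade(findings)}")
    print("mismatches:", mismatches() or "none")
```

Running the block prints one line per host and "mismatches: none"; the point of the replay is that a single "capped to B" message is never the reason for a C or F, the worst message is, and that HSTS alone does not rescue a host that still offers RC4 or SSL 3.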
 
==Feedback==
* http://www.heise.de/security/news/foren/S-unbedingt-lesenswert/forum-293111/msg-26583341/read/MD5-2bc10b84b3a86a7df437ed025fd4bdb7 - Degussa reported as "F"

Revision as of 2017-09-07T01:57:00
