2015-02-25 website test - banks: Difference between revisions

From annawiki
(27 intermediate revisions by the same user not shown)

Revision as of 2017-09-07T00:57:00

==Overview==
Big fail: ING-DiBa, Targobank and Postbank did not even get an "A" rating, and banking.degussa-bank.de is rated "F".

Replies:
* ING-DiBa:
** 2015-02-25 - will not change. The attack is only a "theoretical possibility" (original wording: "ist der unbefugte Zugriff bisher nur eine theoretische Möglichkeit", i.e. "so far, unauthorised access is only a theoretical possibility").

==List==
Rating is the overall ssllabs.com grade; Certificate, Protocol Support, Key Exchange and Cipher Strength are the ssllabs.com category scores (0 to 100). Abbreviations used in the Messages column:
weak signature = Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2.
intermediate weak signature = Intermediate certificate has a weak signature. When renewing, ensure you upgrade to an all-SHA2 chain.
TLS_FALLBACK_SCSV = This server supports TLS_FALLBACK_SCSV to prevent protocol downgrade attacks.
HSTS long = This server supports HTTP Strict Transport Security with long duration.
{| class="wikitable sortable"
! Provider / Link to ssllabs.com
! Rating
! Certificate
! Protocol Support
! Key Exchange
! Cipher Strength
! Messages
! Comment
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=meindepot.sbroker.de meindepot.sbroker.de]
| A+ || 100 || 95 || 100 || 90
|
* TLS_FALLBACK_SCSV
* HSTS long / Grade set to A+.
|
* Key RSA 4096 bits
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=sbroker.de sbroker.de]
| A || 100 || 95 || 100 || 90
|
* TLS_FALLBACK_SCSV
|
* Key RSA 4096 bits
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=banking.netbank.de banking.netbank.de]
| A || 100 || 95 || 90 || 90
|
* TLS_FALLBACK_SCSV
|
* Key RSA 2048 bits
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=consorsbank.de consorsbank.de]
| A || 100 || 95 || 90 || 90
|
* weak signature
* TLS_FALLBACK_SCSV
* HSTS long
|
* Server hostname www.cortalconsors.de does not match the certificate common name
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=kunde.comdirect.de kunde.comdirect.de]
| A || 100 || 95 || 80 || 90
|
* weak signature
* TLS_FALLBACK_SCSV
* HSTS long
|
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=1822direkt.de 1822direkt.de]
| A || 100 || 95 || 80 || 90
|
* TLS_FALLBACK_SCSV
|
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=dab-bank.de dab-bank.de]
| A || 100 || 95 || 80 || 90
|
* weak signature
* TLS_FALLBACK_SCSV
* HSTS long
|
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=norisbank.de norisbank.de]
| A || 100 || 95 || 90 || 90
|
* weak signature
|
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=meine.deutsche-bank.de meine.deutsche-bank.de]
| A || 100 || 95 || 80 || 90
|
* weak signature
* TLS_FALLBACK_SCSV
* HSTS long
|
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=banking.dkb.de banking.dkb.de]
| A || 100 || 95 || 90 || 90
|
* intermediate weak signature
|
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=ing-diba.de ing-diba.de]
| B || 100 || 95 || 90 || 90
|
* weak signature
* This server accepts the RC4 cipher, which is weak. Grade capped to B.
* There is no support for secure renegotiation.
* The server does not support Forward Secrecy with the reference browsers.
* TLS_FALLBACK_SCSV
* HSTS long
|
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=banking.ing-diba.de banking.ing-diba.de]
| B || 100 || 95 || 80 || 90
|
* weak signature
* This server accepts the RC4 cipher, which is weak. Grade capped to B.
* TLS_FALLBACK_SCSV
* HSTS long
|
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=targobank.de targobank.de]
| B || 100 || 70 || 80 || 90
|
* The server supports only older protocols, but not the current best TLS 1.2.
* This server accepts the RC4 cipher, which is weak. Grade capped to B.
* The server does not support Forward Secrecy with the reference browsers.
|
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=banking.postbank.de banking.postbank.de]
| C || 100 || 90 || 90 || 90
|
* This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.
* weak signature
* This server accepts the RC4 cipher, which is weak. Grade capped to B.
* The server does not support Forward Secrecy with the reference browsers.
* TLS_FALLBACK_SCSV
|
|-
| [https://www.ssllabs.com/ssltest/analyze.html?d=banking.degussa-bank.de banking.degussa-bank.de]
| F || 100 || 0 || 80 || 90
|
* This server is vulnerable to MITM attacks because it supports insecure renegotiation. Grade set to F.
* This server does not mitigate the CRIME attack. Grade capped to B.
* weak signature
* The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
* There is no support for secure renegotiation.
* The server does not support Forward Secrecy with the reference browsers.
|
|}

==Feedback==
* http://www.heise.de/security/news/foren/S-unbedingt-lesenswert/forum-293111/msg-26583341/read/MD5-2bc10b84b3a86a7df437ed025fd4bdb7 - Degussa reported as "F"
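The Messages column shows that the letter grade is not simply derived from the four category scores: a single finding such as RC4, SSL 3 or insecure renegotiation caps or overrides an otherwise good score, and a long HSTS policy lifts an A to A+. The following Python is an added illustration of how those caps combine with the scores; it is not code from this wiki page and not SSL Labs' own implementation. The category weights and letter thresholds follow the published SSL Labs Server Rating Guide (protocol support 30 %, key exchange 30 %, cipher strength 40 %; A at 80 or more, B at 65, C at 50, D at 35, E at 20, otherwise F). The cap rules are reduced to the ones quoted in the table, the 180-day threshold for "long duration" HSTS is an assumption, and the sample assessments are constructed to mirror five table rows rather than taken from live scans.

```python
"""Model of how ssllabs.com category scores and grade caps combine.
Weights/thresholds follow the SSL Labs Server Rating Guide; the cap rules
are reduced to those quoted on this page and are not the full rule set."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

LETTER_RANK = {"F": 0, "E": 1, "D": 2, "C": 3, "B": 4, "A": 5, "A+": 6}
HSTS_LONG_SECONDS = 180 * 24 * 3600  # assumption: "long duration" = 180 days or more


@dataclass(frozen=True)
class Assessment:
    host: str
    protocol_support: int                    # category scores 0-100 as shown by ssllabs.com
    key_exchange: int
    cipher_strength: int
    protocols: FrozenSet[str] = frozenset()  # e.g. {"SSL3", "TLS1.0", "TLS1.2"}
    ciphers: FrozenSet[str] = frozenset()    # negotiable cipher suite names
    secure_renegotiation: bool = True        # RFC 5746 renegotiation supported
    insecure_renegotiation: bool = False     # legacy (pre-RFC 5746) renegotiation accepted
    hsts_header: str = ""                    # Strict-Transport-Security header value
    signature_algorithm: str = "sha256WithRSAEncryption"


def numeric_score(a: Assessment) -> float:
    """Weighted overall score: 30 % protocol, 30 % key exchange, 40 % cipher strength."""
    return 0.3 * a.protocol_support + 0.3 * a.key_exchange + 0.4 * a.cipher_strength


def letter_from_score(score: float) -> str:
    for threshold, letter in ((80, "A"), (65, "B"), (50, "C"), (35, "D"), (20, "E")):
        if score >= threshold:
            return letter
    return "F"


def hsts_max_age(header: str) -> Optional[int]:
    """Extract max-age from an HSTS header value; None if absent or malformed."""
    for directive in header.split(";"):
        name, _, value = directive.partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(value.strip().strip('"'))
            except ValueError:
                return None
    return None


def grade(a: Assessment) -> Tuple[str, List[str]]:
    """Return (letter grade, messages) applying the caps quoted on this page."""
    messages: List[str] = []
    if a.insecure_renegotiation:  # hard failure, independent of the scores
        messages.append("vulnerable to MITM attacks (insecure renegotiation). Grade set to F.")
        return "F", messages
    result = letter_from_score(numeric_score(a))
    caps: List[str] = []
    if "SSL3" in a.protocols:
        messages.append("vulnerable to POODLE (SSL 3 enabled). Grade capped to C.")
        caps.append("C")
    if any("RC4" in c for c in a.ciphers):
        messages.append("accepts the RC4 cipher. Grade capped to B.")
        caps.append("B")
    if "TLS1.2" not in a.protocols:
        messages.append("supports only older protocols, not TLS 1.2. Grade capped to B.")
        caps.append("B")
    if not a.secure_renegotiation:  # warning only on this page, no cap
        messages.append("no support for secure renegotiation.")
    if "sha1" in a.signature_algorithm.lower():
        messages.append("certificate uses a weak signature (SHA-1).")
    for cap in caps:  # the lowest cap wins
        if LETTER_RANK[cap] < LETTER_RANK[result]:
            result = cap
    max_age = hsts_max_age(a.hsts_header)
    if result == "A" and max_age is not None and max_age >= HSTS_LONG_SECONDS:
        messages.append("HSTS with long duration. Grade set to A+.")  # only from an uncapped A
        result = "A+"
    return result, messages


TLS_ONLY = frozenset({"TLS1.0", "TLS1.1", "TLS1.2"})
MODERN = frozenset({"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"})
WITH_RC4 = MODERN | {"TLS_RSA_WITH_RC4_128_SHA"}

# Constructed to mirror five rows of the table above; not live scan data.
SAMPLES: Dict[str, Assessment] = {
    "meindepot.sbroker.de": Assessment("meindepot.sbroker.de", 95, 100, 90, TLS_ONLY, MODERN,
                                       hsts_header="max-age=31536000; includeSubDomains"),
    "banking.ing-diba.de": Assessment("banking.ing-diba.de", 95, 80, 90, TLS_ONLY, WITH_RC4,
                                      hsts_header="max-age=31536000",
                                      signature_algorithm="sha1WithRSAEncryption"),
    "targobank.de": Assessment("targobank.de", 70, 80, 90, frozenset({"TLS1.0"}), WITH_RC4),
    "banking.postbank.de": Assessment("banking.postbank.de", 90, 90, 90, TLS_ONLY | {"SSL3"},
                                      WITH_RC4, signature_algorithm="sha1WithRSAEncryption"),
    "banking.degussa-bank.de": Assessment("banking.degussa-bank.de", 0, 80, 90,
                                          frozenset({"TLS1.0"}), MODERN,
                                          secure_renegotiation=False, insecure_renegotiation=True,
                                          signature_algorithm="sha1WithRSAEncryption"),
}


def grade_all(samples: Dict[str, Assessment] = SAMPLES) -> Dict[str, str]:
    """Grade every sample; compare with the Rating column of the table."""
    return {host: grade(a)[0] for host, a in samples.items()}
```

Two points worth noticing when running this against the table: targobank.de scores 81 numerically, which is an A, and ends at B purely because of RC4 and the missing TLS 1.2; banking.ing-diba.de sends a long HSTS header like meindepot.sbroker.de but cannot reach A+ because A+ is only granted on top of an uncapped A. The model deliberately omits caps the page does not mention, so treat it as a reading aid for the table, not as a replacement for an ssllabs.com scan.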