2015-02-25 website test - banks: Difference between revisions

From annawiki
No edit summary
(11 intermediate revisions by the same user not shown)
The diff view compares the previous revision (left side) with the current one (right side). The right side is reproduced in full under "Revision as of 2017-09-07T00:57:00" below, so only the previous revision's own text is kept here.

Previous revision (left side of the diff, excerpt; the Overview section is unchanged):

==A+==
===tango.info===
None of the banks tested reached A+, so for comparison the data for tango.info is given.

https://www.ssllabs.com/ssltest/analyze.html?d=tango.info
Certificate 100
Protocol Support 95
Key Exchange 90
Cipher Strength 100
This server supports TLS_FALLBACK_SCSV to prevent protocol downgrade attacks.
This server supports HTTP Strict Transport Security with long duration. Grade set to A+.

==A==
(Table of the A-rated hosts, meindepot.sbroker.de through banking.dkb.de; the rows are those of the current revision below. In the current revision the B, C and F rows were appended to this table and the per-host sections that follow were removed.)

==B==
===ing-diba.de===
* https://www.ssllabs.com/ssltest/analyze.html?d=ing-diba.de&s=23.34.147.181
B
Certificate 100
Protocol Support 95
Key Exchange 90
Cipher Strength 90
Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2.
This server accepts the RC4 cipher, which is weak. Grade capped to B.
There is no support for secure renegotiation.
The server does not support Forward Secrecy with the reference browsers.
This server supports TLS_FALLBACK_SCSV to prevent protocol downgrade attacks.
This server supports HTTP Strict Transport Security with long duration.

===banking.ing-diba.de===
* https://www.ssllabs.com/ssltest/analyze.html?d=banking.ing-diba.de
Certificate 100
Protocol Support 95
Key Exchange 80
Cipher Strength 90
Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2.
This server accepts the RC4 cipher, which is weak. Grade capped to B.
This server supports TLS_FALLBACK_SCSV to prevent protocol downgrade attacks.
This server supports HTTP Strict Transport Security with long duration.

===targobank.de===
* https://www.ssllabs.com/ssltest/analyze.html?d=targobank.de
Certificate 100
Protocol Support 70
Key Exchange 80
Cipher Strength 90
The server supports only older protocols, but not the current best TLS 1.2.
This server accepts the RC4 cipher, which is weak. Grade capped to B.
The server does not support Forward Secrecy with the reference browsers.

==C==
===banking.postbank.de===
* https://www.ssllabs.com/ssltest/analyze.html?d=banking.postbank.de
C
Certificate 100
Protocol Support 90
Key Exchange 90
Cipher Strength 90
This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.
Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2.
This server accepts the RC4 cipher, which is weak. Grade capped to B.
The server does not support Forward Secrecy with the reference browsers.
This server supports TLS_FALLBACK_SCSV to prevent protocol downgrade attacks.

Revision as of 2017-09-07T00:57:00

Overview

Big fail: ING-DiBa, Targobank and Postbank did not even get an "A" rating.

Replies:

  • ING-DiBa:
    • 2015-02-25 - will not change. The attack is only a "theoretical possibility" (original German: "ist der unbefugte Zugriff bisher nur eine theoretische Möglichkeit", i.e. "so far, unauthorised access is only a theoretical possibility")

List

weak signature = Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2.
intermediate weak signature = Intermediate certificate has a weak signature. When renewing, ensure you upgrade to an all-SHA2 chain.
TLS_FALLBACK_SCSV = This server supports TLS_FALLBACK_SCSV to prevent protocol downgrade attacks.
HSTS long = This server supports HTTP Strict Transport Security with long duration.
Columns: Provider (each host links to its ssllabs.com report, https://www.ssllabs.com/ssltest/analyze.html?d=<host>), Rating, and the four SSL Labs sub-scores in the order Certificate / Protocol Support / Key Exchange / Cipher Strength, followed by the Messages SSL Labs reported and, where present, the tester's Comment.

meindepot.sbroker.de - A+ - 100 / 95 / 100 / 90
  • TLS_FALLBACK_SCSV
  • HSTS long / Grade set to A+.
  Comment: Key RSA 4096 bits
sbroker.de - A - 100 / 95 / 100 / 90
  • TLS_FALLBACK_SCSV
  Comment: Key RSA 4096 bits
banking.netbank.de - A - 100 / 95 / 90 / 90
  • TLS_FALLBACK_SCSV
  Comment: Key RSA 2048 bits
consorsbank.de - A - 100 / 95 / 90 / 90
  • weak signature
  • TLS_FALLBACK_SCSV
  • HSTS long
  • Server hostname www.cortalconsors.de - not matching certificate common name
kunde.comdirect.de - A - 100 / 95 / 80 / 90
  • weak signature
  • TLS_FALLBACK_SCSV
  • HSTS long
1822direkt.de - A - 100 / 95 / 80 / 90
  • TLS_FALLBACK_SCSV
dab-bank.de - A - 100 / 95 / 80 / 90
  • weak signature
  • TLS_FALLBACK_SCSV
  • HSTS long
norisbank.de - A - 100 / 95 / 90 / 90
  • weak signature
meine.deutsche-bank.de - A - 100 / 95 / 80 / 90
  • weak signature
  • TLS_FALLBACK_SCSV
  • HSTS long
banking.dkb.de - A - 100 / 95 / 90 / 90
  • intermediate weak signature
ing-diba.de - B - 100 / 95 / 90 / 90
  • weak signature
  • This server accepts the RC4 cipher, which is weak. Grade capped to B.
  • There is no support for secure renegotiation.
  • The server does not support Forward Secrecy with the reference browsers.
  • TLS_FALLBACK_SCSV
  • HSTS long
banking.ing-diba.de - B - 100 / 95 / 80 / 90
  • weak signature
  • This server accepts the RC4 cipher, which is weak. Grade capped to B.
  • TLS_FALLBACK_SCSV
  • HSTS long
targobank.de - B - 100 / 70 / 80 / 90
  • The server supports only older protocols, but not the current best TLS 1.2.
  • This server accepts the RC4 cipher, which is weak. Grade capped to B.
  • The server does not support Forward Secrecy with the reference browsers.
banking.postbank.de - C - 100 / 90 / 90 / 90
  • This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.
  • weak signature
  • This server accepts the RC4 cipher, which is weak. Grade capped to B.
  • The server does not support Forward Secrecy with the reference browsers.
  • TLS_FALLBACK_SCSV
banking.degussa-bank.de - F - 100 / 0 / 80 / 90
  • This server is vulnerable to MITM attacks because it supports insecure renegotiation. Grade set to F.
  • This server does not mitigate the CRIME attack. Grade capped to B.
  • Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2.
  • The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
  • There is no support for secure renegotiation.
  • The server does not support Forward Secrecy with the reference browsers.
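The messages in the table carry their own cap rules ("Grade capped to C", "Grade capped to B", "Grade set to F", "Grade set to A+"), and a row's rating is the lowest cap that applies: banking.postbank.de lands on C because the POODLE cap beats the RC4 cap, and ing-diba.de keeps B despite a long HSTS policy because A+ is only awarded to an uncapped A. The script below is an added example, not code from this wiki page or from SSL Labs. It reproduces those findings from `openssl s_client` transcripts (OpenSSL 1.0.x text layout, where a refused handshake prints "Cipher is (NONE)" and "Cipher    : 0000"), then applies the caps. Everything else is an assumption or simplification labelled in the code: the 180-day "long duration" HSTS threshold, "SSL 3 accepted" standing in for the full POODLE check, forward secrecy judged from the default-negotiated suite, and the client-initiated renegotiation result passed in as a boolean because it needs an interactive `R` in s_client. TLS_FALLBACK_SCSV, key size and the four numeric sub-scores are not modelled. The three profiles and all transcripts are constructed, not captures of the banks.

```python
"""Added example, not code from the wiki page: derive the SSL Labs messages quoted
in the table above from `openssl s_client` probes and fold their caps into a grade.
All transcripts and profiles are constructed, not captured from the listed banks."""
import re

RANK = {"F": 0, "C": 1, "B": 2, "A": 3, "A+": 4}   # grade order used by the caps
GRADE_OF = {r: g for g, r in RANK.items()}
LONG_HSTS = 180 * 24 * 3600   # "long duration" threshold; assumption: ~6 months as SSL Labs used in 2015


def parse_sclient(transcript):
    """Extract handshake facts from an OpenSSL 1.0.x `s_client` transcript.
    A refused handshake prints 'Cipher is (NONE)' and 'Cipher    : 0000'."""
    def field(name):
        m = re.search(r"^\s*" + name + r"\s*:\s*(.+?)\s*$", transcript, re.M)
        return m.group(1) if m else None
    cipher = field("Cipher")
    return {
        "ok": cipher not in (None, "0000"),
        "protocol": field("Protocol"),
        "cipher": cipher,
        "secure_reneg": "Secure Renegotiation IS supported" in transcript,
        "compression": field("Compression") not in (None, "NONE"),
    }


def assess(probes, cert_sig_algo, hsts_max_age, client_reneg_accepted):
    """probes: transcripts of `openssl s_client -connect host:443` run plain ('default'),
    with -ssl3 ('ssl3'), with -cipher RC4 ('rc4') and with -tls1_2 ('tls1_2').
    cert_sig_algo: 'Signature Algorithm' line of `openssl x509 -noout -text`.
    hsts_max_age: max-age of the Strict-Transport-Security header, None if absent.
    client_reneg_accepted: whether typing 'R' in s_client renegotiated successfully
    against a server that does not announce secure renegotiation."""
    msgs, caps = [], []

    def capped(msg, g):
        msgs.append(msg)
        caps.append(RANK[g])

    default = parse_sclient(probes["default"])
    if not default["secure_reneg"]:
        if client_reneg_accepted:   # legacy renegotiation accepted -> the F the page shows for Degussa
            capped("This server is vulnerable to MITM attacks because it supports "
                   "insecure renegotiation. Grade set to F.", "F")
        else:
            msgs.append("There is no support for secure renegotiation.")
    if default["compression"]:      # TLS compression enabled -> CRIME
        capped("This server does not mitigate the CRIME attack. Grade capped to B.", "B")
    if parse_sclient(probes["ssl3"])["ok"]:   # simplification: SSL Labs also checks CBC suites under SSL 3
        capped("This server is vulnerable to the POODLE attack. If possible, disable "
               "SSL 3 to mitigate. Grade capped to C.", "C")
    if parse_sclient(probes["rc4"])["ok"]:
        capped("This server accepts the RC4 cipher, which is weak. Grade capped to B.", "B")
    if not parse_sclient(probes["tls1_2"])["ok"]:
        capped("The server supports only older protocols, but not the current best "
               "TLS 1.2. Grade capped to B.", "B")
    if re.search(r"sha1|md5", cert_sig_algo, re.I):
        msgs.append("Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2.")
    if not (default["cipher"] and re.match(r"(EC)?DHE-", default["cipher"])):   # simplification
        msgs.append("The server does not support Forward Secrecy with the reference browsers.")
    rank = min([RANK["A"]] + caps)   # every cap only lowers the grade; an F cap wins outright
    if hsts_max_age is not None and hsts_max_age >= LONG_HSTS:
        if rank == RANK["A"]:        # A+ only for an uncapped A (ing-diba.de: HSTS long, still B)
            rank = RANK["A+"]
            msgs.append("This server supports HTTP Strict Transport Security with long duration. Grade set to A+.")
        else:
            msgs.append("This server supports HTTP Strict Transport Security with long duration.")
    return GRADE_OF[rank], msgs


def transcript(protocol, cipher, secure_reneg=True, compression="NONE"):
    """Constructed s_client excerpt in the 1.0.x layout; cipher=None means the handshake was refused."""
    if cipher is None:
        return ("New, (NONE), Cipher is (NONE)\nSecure Renegotiation IS NOT supported\n"
                "Compression: NONE\nSSL-Session:\n    Protocol  : %s\n    Cipher    : 0000\n" % protocol)
    return ("New, TLSv1/SSLv3, Cipher is %s\nSecure Renegotiation IS %ssupported\nCompression: %s\n"
            "SSL-Session:\n    Protocol  : %s\n    Cipher    : %s\n"
            % (cipher, "" if secure_reneg else "NOT ", compression, protocol, cipher))


# Constructed profiles shaped like three rows of the table (not captures of those hosts).
POSTBANK_LIKE = dict(
    probes={"default": transcript("TLSv1.2", "AES128-SHA"), "ssl3": transcript("SSLv3", "AES128-SHA"),
            "rc4": transcript("TLSv1.2", "RC4-SHA"), "tls1_2": transcript("TLSv1.2", "AES128-SHA")},
    cert_sig_algo="sha1WithRSAEncryption", hsts_max_age=None, client_reneg_accepted=False)
DEGUSSA_LIKE = dict(
    probes={"default": transcript("TLSv1", "AES128-SHA", secure_reneg=False, compression="zlib compression"),
            "ssl3": transcript("SSLv3", None), "rc4": transcript("TLSv1", None), "tls1_2": transcript("TLSv1.2", None)},
    cert_sig_algo="sha1WithRSAEncryption", hsts_max_age=None, client_reneg_accepted=True)
MEINDEPOT_LIKE = dict(
    probes={"default": transcript("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384"), "ssl3": transcript("SSLv3", None),
            "rc4": transcript("TLSv1.2", None), "tls1_2": transcript("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384")},
    cert_sig_algo="sha256WithRSAEncryption", hsts_max_age=31536000, client_reneg_accepted=False)

if __name__ == "__main__":
    for name, profile in [("postbank-like", POSTBANK_LIKE), ("degussa-like", DEGUSSA_LIKE),
                          ("meindepot-like", MEINDEPOT_LIKE)]:
        grade, msgs = assess(**profile)
        print(name, grade)
        for m in msgs:
            print("  *", m)
```

To feed real transcripts instead of the constructed ones, run `openssl s_client -connect host:443 </dev/null`, once plain and once each with `-ssl3`, `-cipher RC4` and `-tls1_2`, take the signature algorithm from `openssl x509 -noout -text` on the served certificate, and read max-age from the Strict-Transport-Security header of an HTTPS response. The client-initiated renegotiation check is interactive (type `R` in an open s_client session) and is therefore passed in as a boolean.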

Feedback

  • http://www.heise.de/security/news/foren/S-unbedingt-lesenswert/forum-293111/msg-26583341/read/MD5-2bc10b84b3a86a7df437ed025fd4bdb7 - Degussa reported as "F"