Do you really want "bank grade" security in your SSL? Dutch edition

Inspired by Do you really want "bank grade" security in your SSL? Here’s how Aussie banks fare found on /r/programming I present to you the "Dutch edition". The author used Qualys SSL Labs' SSL test to determine how good banks' SSL implementations really are.

The dutch list consists of 17 banks:

• ABN AMRO
• ASN Bank
• Binck
• Delta Lloyd
• DirektBank
• ING
• KNAB
• Nationale Nederlanden (NN)
• NIBC Direct
• OHRA
• Rabobank
• Regiobank
• Royal Bank of Scotland (RBS)
• SNS
• Triodos Bank
• Van Lanschot
• Zwitserleven

I'll quote Jamie Magee's text, who did a "Danish edition", here as I've used the same approach:

The Qualys SSL Labs test gives an overall grade, from A to F, but also points out any pressing issues with the SSL configuration. To score well a site must:

• Disable SSL 3 protocol support as it is obselete and insecure

• Support TLS 1.2 as it is the current best protocol

• Have no SHA1 certificates (excluding the root certificate) in the chain as modern browsers will show the site as insecure

• Disable the RC4 cipher as it is a weak cipher

• Support forward secrecy to prevent a compromise of a secure key affecting the confidentiality of past conversations

• Mitigate POODLE attacks, to prevent attackers downgrading secure connections to insecure connections

• To make this as realistic as possible, I’ll be testing the login pages.

The results are as follows:

Bank	Grade	SSL 3	TLS 1.2	SHA1	RC4	Forward Secrecy	POODLE
ABN AMRO	B	Pass	Pass	Pass	Fail	Fail	Pass
ASN Bank	A	Pass	Pass	Fail	Pass	Pass	Pass
Binck	A	Pass	Pass	Fail	Pass	Pass	Pass
Delta Lloyd	A	Pass	Pass	Fail	Pass	Pass	Pass
DirektBank	A+	Pass	Pass	Pass	Pass	Pass	Inconclusive1
ING Particulier	A-	Pass	Pass	Fail	Pass	Fail	Pass
ING Zakelijk	A-	Pass	Pass	Fail	Pass	Fail	Pass
KNAB	A-	Pass	Pass	Pass	Pass	Fail	Pass
NN	B	Pass	Pass	Fail	Pass	Fail	Pass
NIBC Direct	B	Pass	Pass	Pass	Fail	Fail	Pass
OHRA	A	Pass	Pass	Fail	Pass	Pass	Pass
Rabobank	A-	Pass	Pass	Fail	Pass	Fail	Pass
Regiobank	A	Pass	Pass	Fail	Pass	Pass	Pass
RBS	A-	Pass	Pass	Fail	Pass	Fail	Inconclusive1
SNS	A	Pass	Pass	Fail	Pass	Pass	Pass
Triodos Bank	A-	Pass	Pass	Pass	Pass	Fail	Pass
Van Lanschot	A-	Pass	Pass	Pass	Pass	Fail	Pass
Zwitserleven	B	Pass	Fail	Fail	Fail	Fail	Pass

¹ Timed out

The reports on which the above results are based are included as PDF file so a "snapshot" of the SSL test results are available for future reference.

Overall, it's not as bad as the Aussie banks and the Dutch banks seem to score better than the Danish as well, but it's not *that* good. 4 out of 17 banks score a B, we see an A- 6 times (5 banks), 6 times an A and only one A+. Note that ING was tested twice since they have 2 different (sub) domains for commercial and consumer customers. So we should probably congratulate DirektBank as today's winner.

Update: Just discovered more related blogs:

1. Australia
2. Denmark (Another one)
3. UK
4. South Africa
5. Netherlands
6. Czech Republic

If you find more, please let me know in the comments so I can update the above list!