2015-05-08

Do you really want "bank grade" security in your SSL? Dutch edition

Inspired by Do you really want "bank grade" security in your SSL? Here’s how Aussie banks fare found on /r/programming I present to you the "Dutch edition". The author used Qualys SSL Labs' SSL test to determine how good banks' SSL implementations really are.

The dutch list consists of 17 banks:
I'll quote Jamie Magee's text, who did a "Danish edition", here as I've used the same approach:
The Qualys SSL Labs test gives an overall grade, from A to F, but also points out any pressing issues with the SSL configuration. To score well a site must:
  • Disable SSL 3 protocol support as it is obselete and insecure
  • Support TLS 1.2 as it is the current best protocol
  • Have no SHA1 certificates (excluding the root certificate) in the chain as modern browsers will show the site as insecure
  • Disable the RC4 cipher as it is a weak cipher
  • Support forward secrecy to prevent a compromise of a secure key affecting the confidentiality of past conversations
  • Mitigate POODLE attacks, to prevent attackers downgrading secure connections to insecure connections
  • To make this as realistic as possible, I’ll be testing the login pages.

The results are as follows:


Bank Grade SSL
3
TLS
1.2
SHA1 RC4 Forward
Secrecy
POODLE
ABN AMRO B Pass Pass Pass Fail Fail Pass
ASN Bank A Pass Pass Fail Pass Pass Pass
Binck A Pass Pass Fail Pass Pass Pass
Delta Lloyd A Pass Pass Fail Pass Pass Pass
DirektBank A+ Pass Pass Pass Pass Pass Inconclusive1
ING Particulier A- Pass Pass Fail Pass Fail Pass
ING Zakelijk A- Pass Pass Fail Pass Fail Pass
KNAB A- Pass Pass Pass Pass Fail Pass
NN B Pass Pass Fail Pass Fail Pass
NIBC Direct B Pass Pass Pass Fail Fail Pass
OHRA A Pass Pass Fail Pass Pass Pass
Rabobank A- Pass Pass Fail Pass Fail Pass
Regiobank A Pass Pass Fail Pass Pass Pass
RBS A- Pass Pass Fail Pass Fail Inconclusive1
SNS A Pass Pass Fail Pass Pass Pass
Triodos Bank A- Pass Pass Pass Pass Fail Pass
Van Lanschot A- Pass Pass Pass Pass Fail Pass
Zwitserleven B Pass Fail Fail Fail Fail Pass

1 Timed out

The reports on which the above results are based are included as PDF file so a "snapshot" of the SSL test results are available for future reference.

Overall, it's not as bad as the Aussie banks and the Dutch banks seem to score better than the Danish as well, but it's not *that* good. 4 out of 17 banks score a B, we see an A- 6 times (5 banks), 6 times an A and only one A+. Note that ING was tested twice since they have 2 different (sub) domains for commercial and consumer customers. So we should probably congratulate DirektBank as today's winner.

Update: Just discovered more related blogs:
  1. Australia
  2. Denmark (Another one)
  3. UK
  4. South Africa
  5. Netherlands
  6. Czech Republic
If you find more, please let me know in the comments so I can update the above list!