The dutch list consists of 17 banks:
- ABN AMRO
- ASN Bank
- Delta Lloyd
- Nationale Nederlanden (NN)
- NIBC Direct
- Royal Bank of Scotland (RBS)
- Triodos Bank
- Van Lanschot
The Qualys SSL Labs test gives an overall grade, from A to F, but also points out any pressing issues with the SSL configuration. To score well a site must:
- Disable SSL 3 protocol support as it is obselete and insecure
- Support TLS 1.2 as it is the current best protocol
- Have no SHA1 certificates (excluding the root certificate) in the chain as modern browsers will show the site as insecure
- Disable the RC4 cipher as it is a weak cipher
- Support forward secrecy to prevent a compromise of a secure key affecting the confidentiality of past conversations
- Mitigate POODLE attacks, to prevent attackers downgrading secure connections to insecure connections
- To make this as realistic as possible, I’ll be testing the login pages.
The results are as follows:
1 Timed out
The reports on which the above results are based are included as PDF file so a "snapshot" of the SSL test results are available for future reference.
Overall, it's not as bad as the Aussie banks and the Dutch banks seem to score better than the Danish as well, but it's not *that* good. 4 out of 17 banks score a B, we see an A- 6 times (5 banks), 6 times an A and only one A+. Note that ING was tested twice since they have 2 different (sub) domains for commercial and consumer customers. So we should probably congratulate DirektBank as today's winner.
Update: Just discovered more related blogs:
If you find more, please let me know in the comments so I can update the above list!