Bank Grade Security - Danish bank edition

2015-05-06
Programming

A few days ago, Troy Hunt published a blog post about various banks and their SSL/TLS configuration. Using SSL Labs’ SSL Server Test, he scanned a bunch of Australian banks’ websites and summarized the results. Interestingly, very few banks achieved “all green”. Most banks lack support for Forward Secrecy and many still offer RC4 cipher suites. A few were even vulnerable to POODLE. These results made me curious about how the Danish banks compare.

I threw a bunch of Danish bank URLs through the SSL Server Test; the results are in the table below. Note that for each bank I tested the URL of the page displaying the NemID login form (the common login platform used by all Danish banks).

Update, 13 May: Finansbanken is no longer vulnerable to POODLE and now supports TLS 1.2. This improves their rating to B.

| Bank | Grade | Supports SSL 3 | Supports SHA1 | No TLS 1.2 | Supports RC4 | Forward Secrecy | POODLE |
|---|---|---|---|---|---|---|---|
| Danske Bank | A- | Pass | Pass | Pass | Pass | Fail | Pass |
| Vestjysk Bank | B | Fail | Pass | Fail | Fail | Fail | Pass |
| Spar Nord | B | Pass | Pass* | Pass | Fail | Fail | Pass |
| Jutlander Bank | B | Pass | Pass | Fail | Fail | Fail | Pass |
| Himmerland.dk | B | Fail | Fail | Fail | Fail | Fail | Pass |
| Arbejdernes Landsbank | B | Fail | Pass | Fail | Fail | Fail | Pass |
| Lån & Spar Bank | B | Fail | Fail | Fail | Fail | Fail | Pass |
| Sydbank | F | Pass | Pass | Fail | Fail | Fail | Fail |
| Nordjyske Bank | F | Pass | Pass | Fail | Fail | Fail | Fail |
| Finansbanken | F | Pass | Pass | Fail | Fail | Fail | Fail |

Each column is SSL Labs’ verdict for the check named in the header: a Fail under “Supports SSL 3” or “Supports RC4” means the site still offers it, a Fail under “Supports SHA1” means the certificate is still signed with SHA-1, a Fail under “No TLS 1.2” means TLS 1.2 is not offered, and a Fail under “Forward Secrecy” means forward-secret (ECDHE/DHE) cipher suites are not negotiated.

- \*Intermediate certificate is still signed with SHA-1.

Himmerland is actually the “old name” for Jutlander Bank, but it seems it is still possible to log in to their online banking site from the old domain.
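The SSL Server Test also exposes its results as JSON, which makes it easy to produce the same Pass/Fail columns for many hosts without reading each report by hand. The script below is an added example and is not code from this post; it reads a report in the shape of the SSL Labs API v2 `analyze` response (field names `endpoints[].grade`, `details.protocols`, `details.suites.list`, `details.cert`, `details.chain.certs`, `details.supportsRc4`, `details.forwardSecrecy` and `details.poodleTls`, as I understand the v2 documentation; verify against whatever API version is current, since v2 has been superseded) and maps it onto the table’s columns. Two interpretations are assumptions: the POODLE column is taken to be the TLS variant, since SSL 3 support is already scored in its own column, and “Forward Secrecy” passes when the scanner reports FS with modern or all simulated clients (bits 2 and 4 of the `forwardSecrecy` bitmask). The report embedded below is constructed for a hypothetical host, `netbank.example`, and describes none of the banks in the table.

```python
# Added example, not part of the original post. Turns an SSL Labs API v2
# "analyze" report into the Pass/Fail columns of the bank table.
# A live report would come from
#   GET https://api.ssllabs.com/api/v2/analyze?host=<hostname>&all=done
# parsed with json.load(); the dict below is constructed for a hypothetical
# host (assumption) and does not describe any real bank.

SAMPLE_REPORT = {
    "host": "netbank.example",
    "endpoints": [
        {   # a typical 2015 configuration: SSL 3 and RC4 still on, no FS
            "ipAddress": "192.0.2.10",
            "grade": "B",
            "details": {
                "protocols": [
                    {"name": "SSL", "version": "3.0"},
                    {"name": "TLS", "version": "1.0"},
                    {"name": "TLS", "version": "1.2"},
                ],
                "suites": {"list": [
                    {"name": "TLS_RSA_WITH_RC4_128_SHA"},
                    {"name": "TLS_RSA_WITH_AES_128_CBC_SHA"},
                ]},
                "cert": {"subject": "CN=netbank.example", "sigAlg": "SHA256withRSA"},
                "chain": {"certs": [
                    {"subject": "CN=netbank.example", "sigAlg": "SHA256withRSA"},
                    {"subject": "CN=Example Intermediate CA", "sigAlg": "SHA1withRSA"},
                ]},
                "supportsRc4": True,
                "forwardSecrecy": 0,
                "poodleTls": 1,   # v2 API: 1 = not vulnerable, 2 = vulnerable
            },
        },
        {   # a hardened endpoint on the same host
            "ipAddress": "192.0.2.11",
            "grade": "A",
            "details": {
                "protocols": [
                    {"name": "TLS", "version": "1.0"},
                    {"name": "TLS", "version": "1.2"},
                ],
                "suites": {"list": [
                    {"name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
                ]},
                "cert": {"subject": "CN=netbank.example", "sigAlg": "SHA256withRSA"},
                "chain": {"certs": [
                    {"subject": "CN=netbank.example", "sigAlg": "SHA256withRSA"},
                    {"subject": "CN=Example Intermediate CA 2", "sigAlg": "SHA256withRSA"},
                ]},
                "supportsRc4": False,
                "forwardSecrecy": 7,
                "poodleTls": 1,
            },
        },
    ],
}

COLUMNS = ["Supports SSL 3", "Supports SHA1", "No TLS 1.2",
           "Supports RC4", "Forward Secrecy", "POODLE"]


def protocols(details):
    """Set of 'SSL 3.0', 'TLS 1.2', ... that the endpoint offers."""
    return {f"{p['name']} {p['version']}" for p in details.get("protocols", [])}


def supports_rc4(details):
    # Prefer the scanner's own verdict; fall back to the suite names if the flag is missing.
    if "supportsRc4" in details:
        return bool(details["supportsRc4"])
    return any("RC4" in s["name"] for s in details["suites"]["list"])


def sha1_status(details):
    """'Fail' if the leaf is SHA-1 signed, 'Pass*' if only an intermediate is, else 'Pass'."""
    leaf = details["cert"]
    if leaf["sigAlg"].upper().startswith("SHA1"):
        return "Fail"
    # Chain as sent by the server, minus the leaf. A self-signed root would be a
    # trust anchor whose signature does not matter, but servers normally omit it.
    intermediates = [c for c in details["chain"]["certs"] if c["subject"] != leaf["subject"]]
    if any(c["sigAlg"].upper().startswith("SHA1") for c in intermediates):
        return "Pass*"
    return "Pass"


def score_endpoint(endpoint):
    d = endpoint["details"]
    offered = protocols(d)
    return {
        "Grade": endpoint["grade"],
        "Supports SSL 3": "Fail" if "SSL 3.0" in offered else "Pass",
        "Supports SHA1": sha1_status(d),
        "No TLS 1.2": "Pass" if "TLS 1.2" in offered else "Fail",
        "Supports RC4": "Fail" if supports_rc4(d) else "Pass",
        # assumption: FS with modern (bit 2) or all (bit 4) simulated clients counts as a pass
        "Forward Secrecy": "Pass" if d.get("forwardSecrecy", 0) & 0b110 else "Fail",
        # assumption: the table's POODLE column is the TLS variant; SSL 3 has its own column
        "POODLE": "Fail" if d.get("poodleTls") == 2 else "Pass",
    }


def score_report(report):
    """Map each endpoint IP in the report to its Pass/Fail verdicts."""
    return {ep["ipAddress"]: score_endpoint(ep) for ep in report["endpoints"]}


def markdown_row(label, score):
    """One row in the same column order as the table above."""
    return "| " + " | ".join([label, score["Grade"]] + [score[c] for c in COLUMNS]) + " |"


if __name__ == "__main__":
    print("| Bank | Grade | " + " | ".join(COLUMNS) + " |")
    for ip, score in score_report(SAMPLE_REPORT).items():
        print(markdown_row(f"{SAMPLE_REPORT['host']} ({ip})", score))
```

Scoring is done per endpoint rather than per host on purpose: a bank whose hostname resolves to several IPs can have one correctly configured front end and one that still speaks SSL 3, and SSL Labs grades them separately.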

These results are broadly consistent with those for the Australian banks in Troy Hunt’s post.

Other people had the same thought as I did after reading Troy’s post. Here is a list of posts with results from other countries:

- Australian banks: Troy Hunt’s blog
- Canadian banks: [Simon Timm’s blog][SimonOnline]
- Czech Republic banks: Google Docs document
- Danish banks: [Jamie Magee’s blog][JamieM]
  - It seems I wasn’t the only one interested in how the Danish banks fare. There is some overlap, but Jamie Magee tested some banks that I have not.
- Dutch banks: [Rob Janssen’s blog][Dutch]
- Israeli banks: [Tweet from Omer van Kloeten][IsraeliTweet]
- Lithuanian banks: [Google Docs document][Lithuanian]
- South African banks: Ian Gilfillian’s blog & [Werner van Deventer’s blog][BrutalDev]
- UK banks: Wilka Hudson’s blog

[JamieM]: https://jamiemagee.co.uk/2015/05/06/do-you-want-bank-grade-ssl-danish-edition/ "Jamie Magee - Do you really want “bank grade” security in your SSL? Danish edition"
[Dutch]: http://blog.robiii.nl/2015/05/do-you-really-want-bank-grade-security.html "RobIII - Do you really want “bank grade” security in your SSL? Dutch edition"
[Lithuanian]: https://docs.google.com/spreadsheets/d/1ggl-WkbnI3-zd3Rs4SkPIQnUt1I4Vg4vhRL_FQwC7us/edit#gid=0 "Banks in Lithuania"
[BrutalDev]: https://brutaldev.com/post/bank-grade-security---south-african-bank-edition "Brutal Developer - Bank Grade Security - South African bank edition"
[SimonOnline]: http://blog.simontimms.com/2015/05/09/do-you-really-want-bank-grade-security-in-your-ssl/ "Simon Online - Do you really want “bank grade” security in your SSL? Canadian edition"
[IsraeliTweet]: https://twitter.com/omervk/status/598957807862292482 "Twitter - Omer van Kloeten: On the heels of.."
