In need of something better to do, I thought I would see if any of the Danish Banks have improved their SSL/TLS since last summer. Back then, we saw that the so called “bank grade”-security was generally not that good (at least in terms of SSL/TLS). The results were pretty much consistent with the rest of the world, which was kinda sad. But now we are in 2016, so let us see how the banks fare today.
I have tested all the banks I tested last time, as well as the ones [Jamie Magee][JamieM] tested and I did not.
| Bank | Grade | Supports SSL 3 | Supports SHA1 | No TLS 1.2 | Supports RC4 | Forward Secrecy | POODLE |
|---|---|---|---|---|---|---|---|
| Jutlander Bank | A+ | Pass | Pass | Pass | Pass | Pass | Pass |
| Arbejdernes Landsbank | A | Pass | Pass | Pass | Pass | Pass | Pass |
| Vestjysk Bank | A | Pass | Pass | Pass | Pass | Pass | Pass |
| Nykredit | A | Pass | Pass* | Pass | Pass | Pass | Pass |
| Spar Nord | A | Pass | Pass* | Pass | Pass | Pass | Pass |
| Danske Bank | A- | Pass | Pass | Pass | Pass | Fail | Pass |
| Finansbanken | A- | Pass | Pass | Pass | Pass | Fail | Pass |
| Jyske Bank | A- | Pass | Pass | Pass | Pass | Fail | Pass |
| Lån & Spar Bank | A- | Pass | Pass | Pass | Pass | Fail | Pass |
| Nordjyske Bank | A- | Pass | Pass | Pass | Pass | Fail | Pass |
| Sydbank | A- | Pass | Pass | Pass | Pass | Fail | Pass |
| DLR Kredit | C | Fail | Fail | Pass | Fail | Fail | Fail** |
| Nordea | C | Pass | Pass* | Fail | Fail | Fail | Pass |
- *Intermediate certificate still supports SHA1
- **Only SSLv3 vulnerable to POODLE, not TLS
Wow. What an improvement. Back in May, only one bank got an A- and it was the only one to get higher than a B. Now only two banks get less than an A- and there even is one getting an A+. Good job to the teams who have taken action to improve their security and kudos to Jutlander Bank for being the only bank in Denmark (I know about) with an A+ rating.
[JamieM]: https://jamiemagee.co.uk/2015/05/06/do-you-want-bank-grade-ssl-danish-edition/ “Jamie Magee - Do -you really want “bank grade” security in your SSL? Danish edition”
[Dutch]: http://blog.robiii.nl/2015/05/do-you-really-want-bank-grade-security.html “RobIII - Do you really want “bank grade” security in your SSL? Dutch edition”
[Lithuanian]: https://docs.google.com/spreadsheets/d/1ggl-WkbnI3-zd3Rs4SkPIQnUt1I4Vg4vhRL_FQwC7us/edit#gid=0 “Banks in Lithuania”
[BrutalDev]: https://brutaldev.com/post/bank-grade-security---south-african-bank-edition “Brutal Developer - Bank Grade Security - South African bank edition”
[SimonOnline]: http://blog.simontimms.com/2015/05/09/do-you-really-want-bank-grade-security-in-your-ssl/ “Simon Online - Do you really want “bank grade” security in your SSL? Canadian edition”
[IsraeliTweet]: https://twitter.com/omervk/status/598957807862292482 “Twitter - Omer van Kloeten: On the heels of..”