Bank Grade Security - Danish bank edition v2

2016-02-03
Programming

In need of something better to do, I thought I would see if any of the Danish banks have improved their SSL/TLS since last summer. Back then, we saw that the so-called “bank grade” security was generally not that good (at least in terms of SSL/TLS). The results were pretty much consistent with the rest of the world, which was kinda sad. But now we are in 2016, so let us see how the banks fare today.

I have tested all the banks I tested last time, as well as the ones [Jamie Magee][JamieM] tested and I did not.

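| Bank | Grade | Supports SSL 3 | Supports SHA1 | No TLS 1.2 | Supports RC4 | Forward Secrecy | POODLE |
|---|---|---|---|---|---|---|---|
| Jutlander Bank | A+ | Pass | Pass | Pass | Pass | Pass | Pass |
| Arbejdernes Landsbank | A | Pass | Pass | Pass | Pass | Pass | Pass |
| Vestjysk Bank | A | Pass | Pass | Pass | Pass | Pass | Pass |
| Nykredit | A | Pass | Pass\* | Pass | Pass | Pass | Pass |
| Spar Nord | A | Pass | Pass\* | Pass | Pass | Pass | Pass |
| Danske Bank | A- | Pass | Pass | Pass | Pass | Fail | Pass |
| Finansbanken | A- | Pass | Pass | Pass | Pass | Fail | Pass |
| Jyske Bank | A- | Pass | Pass | Pass | Pass | Fail | Pass |
| Lån & Spar Bank | A- | Pass | Pass | Pass | Pass | Fail | Pass |
| Nordjyske Bank | A- | Pass | Pass | Pass | Pass | Fail | Pass |
| Sydbank | A- | Pass | Pass | Pass | Pass | Fail | Pass |
| DLR Kredit | C | Fail | Fail | Pass | Fail | Fail | Fail\*\* |
| Nordea | C | Pass | Pass\* | Fail | Fail | Fail | Pass |

- \* Intermediate certificate still supports SHA1
- \*\* Only SSLv3 vulnerable to POODLE, not TLS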

Wow. What an improvement. Back in May, only one bank got an A- and it was the only one to get higher than a B. Now only two banks get less than an A- and there is even one getting an A+. Good job to the teams who have taken action to improve their security, and kudos to Jutlander Bank for being the only bank in Denmark (that I know about) with an A+ rating.

[JamieM]: https://jamiemagee.co.uk/2015/05/06/do-you-want-bank-grade-ssl-danish-edition/ "Jamie Magee - Do you really want “bank grade” security in your SSL? Danish edition"
[Dutch]: http://blog.robiii.nl/2015/05/do-you-really-want-bank-grade-security.html "RobIII - Do you really want “bank grade” security in your SSL? Dutch edition"
[Lithuanian]: https://docs.google.com/spreadsheets/d/1ggl-WkbnI3-zd3Rs4SkPIQnUt1I4Vg4vhRL_FQwC7us/edit#gid=0 "Banks in Lithuania"
[BrutalDev]: https://brutaldev.com/post/bank-grade-security---south-african-bank-edition "Brutal Developer - Bank Grade Security - South African bank edition"
[SimonOnline]: http://blog.simontimms.com/2015/05/09/do-you-really-want-bank-grade-security-in-your-ssl/ "Simon Online - Do you really want “bank grade” security in your SSL? Canadian edition"
[IsraeliTweet]: https://twitter.com/omervk/status/598957807862292482 "Twitter - Omer van Kloeten: On the heels of.."