There was a bit of discussion down here recently about how the National Australia Bank (NAB) has requested their SSL stats be withheld from showing up in the SSL Labs test that which has become so popular in recent times. It’s a great way of identifying what’s good and what bad about an SSL implementation and indeed, it appears that NAB has pulled their stats:
Which, of course, looks enormously suspicious. You don’t pull your stats when you have a good result and even if you do, Qualys who runs the service is only checking for publicly accessible information anyway, they’re simply bundling it up into a single test that’s dead easy to run.
But it did get me wondering – how do our local banks actually stack up? Is their SSL solid? And for that matter, is the old adage of “bank grade” security actually something you want to strive for or in the case of SSL, something you really don’t want?
I was genuinely curious so I checked them against the most important attributes Qualys tests for. Here’s how the locals stack up:
Edit 1, 6 May: After seeing this post, AMP has quickly rectified the legacy SSL 3 support and subsequent "F" rating. They now rate an "A-" with SHA1 and forward secrecy.
Edit 2, 6 May: The Greater Building Society has also gone from a C to a B. Way to go yet (RC4 and SHA1), but trending in the right direction.
Edit 3, 12 Dec: Suncorp are now rating "A" with a weak intermediate certificate being the only thing of note reported by SSL Labs.
| Bank | Grade | Still supports SSL 3
|
Still supports SHA1
|
No TLS 1.2 support
|
Still supports RC4
|
Forward secrecy support
|
POODLE vulnerability
|
|---|---|---|---|---|---|---|---|
| Bank West | A | Pass | Pass * | Pass | Pass | Pass | Pass |
| IMB | A | Pass | Pass | Pass | Pass | Pass | Pass |
| Heritage | A- | Pass | Pass * | Pass | Pass | Fail | Pass |
| ING Direct | A- | Pass | Fail | Pass | Pass | Fail | Pass |
| Westpac | A- | Pass | Pass | Pass | Pass | Fail | Pass |
| ANZ | B | Fail | Fail | Fail | Fail | Fail | Pass |
| bankmecu | B | Pass | Fail | Fail | Pass | Fail | Pass |
| Bendigo Bank | B | Pass | Pass | Fail | Pass | Fail | Pass |
| Beyond | B | Pass | Fail | Fail | Pass | Fail | Pass |
| Commonwealth Bank | B | Pass | Fail | Pass | Fail | Fail | Pass |
| CUA | B | Pass | Pass | Pass | Fail | Fail | Pass |
| Newcastle Permanent | B | Pass | Fail | Pass | Fail | Fail | Pass |
| P&N | B | Pass | Fail | Fail | Pass | Fail | Pass |
| People's Choice Credit Union | B | Pass | Fail | Fail | Pass | Fail | Pass |
| St George | B | Fail | Fail | Pass | Fail | Fail | Pass |
| Suncorp | B | Pass | Pass * | Pass | Fail | Fail | Pass |
| Teachers Mutual | B | Pass | Pass | Pass | Fail | Fail | Pass |
| Greater † | C | Fail | Pass | Pass | Fail | Pass | Fail |
| AMP † | F | Fail | Pass * | Pass | Fail | Fail | Fail |
| Bank of Queensland | F | Fail | Pass | Pass | Fail | Fail | Fail |
| Macquarie | F | Fail | Pass * | Pass | Fail | Fail | Fail |
* Intermediate cert still supports SHA1
† Rating now improved, see edit above the table
So we’ve got two banks that actually gets an A grade and kudos to Bank West and IMB for that. They’re the only ones presently supporting forward secrecy – every single other bank is presently missing this… except for Greater which fares quite poorly for other reasons. Heritage, ING Direct and Westpac are the only ones that failed in this area alone, the others are the really worrying ones…
The twelve B grades obviously vary in where they fall down. Most still support RC4 after which there’s a mixed bag of ongoing SSL3 and SHA1 support plus a lack of TLS 1.2 support. All the major browsers have supported 1.2 since early last year so it’s a mystery why so many of them can’t support it in their banking services.
You don’t often see C grades, but Greater manages it due to their POODLE risk. They’re a real odd one actually as they actually support forward secrecy which is unusual in this bunch, so why they’re still supporting SSL 3 is a mystery.
The worrying ones, of course, are those that are still at risk of the POODLE vulnerability. You don’t expect to see this in any website these days, let alone one handling your money. Yes yes, banks have all sorts of other mechanisms in place to mitigate risks but it’s a not a good look when your customer-facing website is at risk of such a well-publicised risk.
So in short, no, “bank grade” is not a virtue when it comes to your SSL implementation. Frankly, it’s disappointing to see them faring so bad regardless of what other downstream protection mechanisms they have. By now, good transport layer security should be the norm for anyone protecting sensitive information but it looks like we still have a way to go in the banking sector down here.