Do you really want “bank grade” security in your SSL? Here’s how Aussie banks fare

There was a bit of discussion down here recently about how the National Australia Bank (NAB) has requested their SSL stats be withheld from showing up in the SSL Labs test that which has become so popular in recent times. It’s a great way of identifying what’s good and what bad about an SSL implementation and indeed, it appears that NAB has pulled their stats:

NAB withholding their stas from Qualys

Which, of course, looks enormously suspicious. You don’t pull your stats when you have a good result and even if you do, Qualys who runs the service is only checking for publicly accessible information anyway, they’re simply bundling it up into a single test that’s dead easy to run.

But it did get me wondering – how do our local banks actually stack up? Is their SSL solid? And for that matter, is the old adage of “bank grade” security actually something you want to strive for or in the case of SSL, something you really don’t want?

I was genuinely curious so I checked them against the most important attributes Qualys tests for. Here’s how the locals stack up:

Edit 1, 6 May: After seeing this post, AMP has quickly rectified the legacy SSL 3 support and subsequent "F" rating. They now rate an "A-" with SHA1 and forward secrecy.

Edit 2, 6 May: The Greater Building Society has also gone from a C to a B. Way to go yet (RC4 and SHA1), but trending in the right direction.

Edit 3, 12 Dec: Suncorp are now rating "A" with a weak intermediate certificate being the only thing of note reported by SSL Labs.

Bank Grade
Still supports SSL 3
Still supports SHA1
No TLS 1.2 support
Still supports RC4
Forward secrecy support
POODLE vulnerability
Bank West A Pass   Pass * Pass   Pass   Pass   Pass  
IMB A Pass   Pass   Pass   Pass   Pass   Pass  
Heritage A- Pass   Pass * Pass   Pass   Fail   Pass  
ING Direct A- Pass   Fail   Pass   Pass   Fail   Pass  
Westpac A- Pass   Pass   Pass   Pass   Fail   Pass  
ANZ B Fail   Fail   Fail   Fail   Fail   Pass  
bankmecu B Pass   Fail   Fail   Pass   Fail   Pass  
Bendigo Bank B Pass   Pass   Fail   Pass   Fail   Pass  
Beyond B Pass   Fail   Fail   Pass   Fail   Pass  
Commonwealth Bank B Pass   Fail   Pass   Fail   Fail   Pass  
CUA B Pass   Pass   Pass   Fail   Fail   Pass  
Newcastle Permanent B Pass   Fail   Pass   Fail   Fail   Pass  
P&N B Pass   Fail   Fail   Pass   Fail   Pass  
People's Choice Credit Union B Pass   Fail   Fail   Pass   Fail   Pass  
St George B Fail   Fail   Pass   Fail   Fail   Pass  
Suncorp B Pass   Pass * Pass   Fail   Fail   Pass  
Teachers Mutual B Pass   Pass   Pass   Fail   Fail   Pass  
Greater C Fail   Pass   Pass   Fail   Pass   Fail  
AMP F Fail   Pass * Pass   Fail   Fail   Fail  
Bank of Queensland F Fail   Pass   Pass   Fail   Fail   Fail  
Macquarie F Fail   Pass * Pass   Fail   Fail   Fail  

* Intermediate cert still supports SHA1
† Rating now improved, see edit above the table

So we’ve got two banks that actually gets an A grade and kudos to Bank West and IMB for that. They’re the only ones presently supporting forward secrecy – every single other bank is presently missing this… except for Greater which fares quite poorly for other reasons. Heritage, ING Direct and Westpac are the only ones that failed in this area alone, the others are the really worrying ones…

The twelve B grades obviously vary in where they fall down. Most still support RC4 after which there’s a mixed bag of ongoing SSL3 and SHA1 support plus a lack of TLS 1.2 support. All the major browsers have supported 1.2 since early last year so it’s a mystery why so many of them can’t support it in their banking services.

You don’t often see C grades, but Greater manages it due to their POODLE risk. They’re a real odd one actually as they actually support forward secrecy which is unusual in this bunch, so why they’re still supporting SSL 3 is a mystery.

The worrying ones, of course, are those that are still at risk of the POODLE vulnerability. You don’t expect to see this in any website these days, let alone one handling your money. Yes yes, banks have all sorts of other mechanisms in place to mitigate risks but it’s a not a good look when your customer-facing website is at risk of such a well-publicised risk.

So in short, no, “bank grade” is not a virtue when it comes to your SSL implementation. Frankly, it’s disappointing to see them faring so bad regardless of what other downstream protection mechanisms they have. By now, good transport layer security should be the norm for anyone protecting sensitive information but it looks like we still have a way to go in the banking sector down here.

Security SSL
Tweet Post Share Update Email RSS

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals