Do you really want “bank grade” security in your SSL? UK edition

By Alex Hyett in Software Development

I recently read Troy Hunt’s article (Do you really want “bank grade” security in your SSL?) regarding how shocking the SSL security is on the banks down under. Damien Guard has written a similar post looking at the US financial institutions (Quality of SSL protection for US financial institutions). This got me wondering how the UK banks (and building societies) fare, and what the low scores actually mean for their security.

So here are the results after running them through Qualys SSL Server Test (25/06/2015):

The columns are grouped as in the original: SSL3, SHA1 and RC4 are things a server should not support; TLS 1.2 and forward secrecy (F/w sec) are things it should support; POODLE is the vulnerability check.

| Bank | Grade | SSL3 | SHA1 | RC4 | TLS 1.2 | F/w sec | POODLE |
|---|---|---|---|---|---|---|---|
| Virgin Money | A | Pass | Pass | Pass | Pass | Pass | Pass |
| Nationwide | B | Pass | Pass | Fail | Pass | Fail | Pass |
| Co-Op Bank | B | Pass | Pass* | Fail | Pass | Fail | Pass |
| Barclays | B | Pass | Fail | Fail | Pass | Fail | Pass |
| Santander | C | Pass | Pass | Fail | Pass | Fail | Pass |
| NatWest | C | Pass | Fail | Pass | Fail | Fail | Pass |
| RBS | C | Pass | Fail | Pass | Fail | Fail | Pass |
| TSB | C | Fail | Pass | Fail | Fail | Fail | Pass |
| HSBC | C | Fail | Pass* | Fail | Fail | Fail | Pass |
| First Direct | C | Pass | Fail | Fail | Fail | Fail | Pass |
| Yorkshire Bank | C | Fail | Pass | Fail | Fail | Fail | Pass |
| Clydesdale Bank | C | Fail | Pass | Fail | Fail | Fail | Pass |
| M&S Bank | C | Fail | Fail | Fail | Fail | Fail | Pass |
| Sainsbury’s Bank | C | Fail | Fail | Fail | Fail | Fail | Pass |
| Lloyds | C | Fail | Fail | Fail | Fail | Fail | Fail |
| Halifax | C | Fail | Fail | Fail | Fail | Fail | Fail |
| Tesco Bank | F | Pass | Fail | Fail | Fail | Fail | Fail |

\* Intermediate certificate still has SHA1

That’s not a great result for the UK, with only Virgin getting an A rating and only Nationwide, Co-op and Barclays getting a somewhat respectable B. The really worrying ones are the bottom 3, which are all at risk of the POODLE vulnerability. Tesco gets an F as it is vulnerable to the TLS version of the POODLE attack. Virgin Money is the only bank that currently supports forward secrecy (F/w sec in the table).

Most of the banks fall short by still supporting the outdated SSL 3, even if they do mitigate against POODLE. Most of them don’t support TLS 1.2, which is the only secure protocol version according to Qualys. So it is safe to say you probably don’t want bank grade security at the moment.

For the uninitiated, what do these grades actually mean to the security of the bank and your money?

Well, none of these banks are at risk of the well-publicised Heartbleed bug that affected OpenSSL, probably because banks tend to use Microsoft technologies in most cases, so hackers aren’t going to be able to get your passwords this way.

SSL (and more correctly TLS) is the encrypted link between your web browser and the bank’s servers. This is what stops people from snooping on your customer number, password, memorable information and seeing how much money you have in your account while you’re doing your browsing. SSL/TLS is the green padlock we have all been told to look out for when doing banking or shopping online. But all these banks will give you the friendly green padlock when you visit them, even those with C and F ratings.

What these weak ratings essentially mean is that the encrypted connection between you and the bank’s server can be compromised. This is done by what is known as a man-in-the-middle attack. This is where a hacker on the same network intercepts the connection so that the data is sent to him first before being sent on to you. This is why you should never do anything like banking or shopping on public WiFi. It is best to wait until you get home, where you will hopefully have a secure connection.

I managed to get an A+ rating on the SSL Labs test using my Raspberry Pi. Matt Wilcox has created quite a comprehensive tutorial on how to do this already.
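As an added example (not the author’s Raspberry Pi configuration and not taken from Matt Wilcox’s tutorial), here is an nginx server block showing the settings behind each column of the table, with a weak configuration beside a hardened one. Hostnames and file paths are placeholders, and it assumes nginx 1.7.5 or later built against OpenSSL 1.0.1 or later.

```nginx
# BEFORE: settings that would score Fail in most columns of the table above.
# Placeholder hostname and paths; an illustrative config, not any bank's.
server {
    listen 443 ssl;
    server_name bank.example;
    ssl_certificate     /etc/ssl/bank.example.fullchain.crt;
    ssl_certificate_key /etc/ssl/bank.example.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1;           # SSL3 column: Fail; TLS 1.2 column: Fail
    ssl_ciphers RC4-SHA:AES128-SHA:DES-CBC3-SHA; # RC4 column: Fail; F/w sec: Fail (plain RSA key exchange only)
    # POODLE (SSLv3) column: Fail, because SSLv3 with a CBC cipher (AES128-SHA) is on offer.
}

# AFTER: the same server hardened so that every column passes.
server {
    listen 443 ssl;
    server_name bank.example;
    # SHA1 column: the leaf AND every intermediate in this chain file must be SHA-256 signed,
    # otherwise the result is the "Pass*" footnoted in the table.
    ssl_certificate     /etc/ssl/bank.example.fullchain.crt;
    ssl_certificate_key /etc/ssl/bank.example.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # SSLv3 gone (no POODLE over SSLv3), TLS 1.2 offered
    ssl_prefer_server_ciphers on;          # the server's order wins, so ECDHE suites are chosen first
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!MD5:!RC4:!3DES';
    # Every suite above uses ECDHE or DHE key exchange: F/w sec column Pass. RC4 excluded: RC4 column Pass.
    ssl_dhparam /etc/ssl/dhparam.pem;      # generate once: openssl dhparam -out /etc/ssl/dhparam.pem 2048
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;               # a long-lived ticket key would quietly undo forward secrecy

    # HSTS is what lifts an A to an A+ on the SSL Labs test; add it only once every subdomain serves HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
# Note: Tesco's F came from the TLS variant of POODLE, an implementation flaw in the TLS stack itself;
# no configuration line fixes that, only patching the server's TLS library.
```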

If you find any mistakes, or just want to say hi, please comment.



Written by Alex Hyett

Software Developer, Founder of GrowRecruit, Entrepreneur, Father, and Husband. @thealexhyett. Currently Technical Lead at Checkout.com.