Based on the "Do you really want Bank Grade security?" post, I've decided to test the two banks I'm actively using, and see just how secure their TLS configuration is. After being rather disappointed with the results – even though I went in with lowered expectations – I've decided to embark on a journey to test all the banks and see if any of them score better. Since manually doing this was time-consuming and rather boring, I wrote a Python script to run the tests via the Qualys SSL Labs API and fetch/export the results into a format I can easily paste into the spreadsheet.
It should be noted that this project only tests accepted protocols, ciphers, other properties and known vulnerabilities in the TLS server. It does NOT take it any further and evaluate the security of the web application – such as CSRF/XSS/SQLi and other similar-sounding fancy acronyms – as those could be interpreted as actual attacks and would be highly illegal. The information being evaluated in this project all comes from the TLS handshake made with the server, nothing nasty involved.
To use the script, open scan.py and edit the global variables in order to configure it. Out-of-the-box it comes with a list loosely based on Wikipedia's Romanian banks ordered by their assets article.
After configuration, you can start the scan by running scan.py start. By default, the public API allows you to run 25 assessments simultaneously, so make sure to keep the list of hostnames under 25.
You can check in on the progress by running scan.py info, which will print the number of assessments still running that have been started by the script. When you see 0/25 it means all the assessments have finished, and you can either start the next batch of 25 or collect the results.
To collect the results, run scan.py collect [file], which will fetch the assessment results and print them in a tabulated fashion, which you can paste into Google Sheets.
In Google Sheets, you can set up rules for Conditional Formatting in order to automatically color the "Pass"/"Fail" cells and the grades.
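What the collect step boils down to, as an added example rather than the code in scan.py: one SSL Labs report is flattened into a tab-separated row with "Pass"/"Fail" cells that Google Sheets splits into columns on paste. It assumes the field names of the SSL Labs API analyze response (endpoints, grade, details.poodle, details.heartbleed, details.supportsRc4, details.protocols); the sample report is constructed, and the helper names and the manually set login_over_http flag (for the forced-F rule described further down) are hypothetical.

```python
import json

# Constructed sample shaped like an SSL Labs "analyze" response (not real scan data).
SAMPLE = json.loads("""
{"host": "bank.example", "status": "READY", "endpoints": [
  {"ipAddress": "192.0.2.10", "grade": "F", "details": {
     "poodle": true, "heartbleed": false, "supportsRc4": true,
     "protocols": [{"name": "SSL", "version": "3.0"}, {"name": "TLS", "version": "1.2"}]}},
  {"ipAddress": "192.0.2.11", "grade": "A-", "details": {
     "poodle": false, "heartbleed": false, "supportsRc4": false,
     "protocols": [{"name": "TLS", "version": "1.2"}]}}]}
""")

# Best to worst. Ranking T (trust) and M (name mismatch) below F is an assumption.
GRADE_ORDER = ["A+", "A", "A-", "B", "C", "D", "E", "F", "T", "M"]
# (column title, key in the endpoint "details" object); truthy means the check fails.
CHECKS = [("POODLE", "poodle"), ("Heartbleed", "heartbleed"), ("RC4", "supportsRc4")]

def batches(hosts, limit=25):
    """Split hostnames into groups no larger than the concurrent-assessment limit."""
    return [hosts[i:i + limit] for i in range(0, len(hosts), limit)]

def worst_grade(endpoints):
    """A host with several IPs is only as good as its weakest endpoint."""
    grades = [e["grade"] for e in endpoints if "grade" in e]
    return max(grades, key=GRADE_ORDER.index) if grades else "N/A"

def to_row(report, login_over_http=False):
    """Return one tab-separated row: host, grade, protocols, then Pass/Fail cells."""
    if report.get("status") != "READY":
        # Assessment still running or errored: emit the status instead of a grade.
        return "\t".join([report["host"], report.get("status", "UNKNOWN")])
    eps = report["endpoints"]
    # A login form served over HTTP forces F regardless of the TLS setup.
    grade = "F" if login_over_http else worst_grade(eps)
    protos = sorted({f'{p["name"]} {p["version"]}'
                     for e in eps for p in e.get("details", {}).get("protocols", [])})
    cells = [report["host"], grade, ", ".join(protos)]
    for _title, key in CHECKS:
        failed = any(e.get("details", {}).get(key) for e in eps)
        cells.append("Fail" if failed else "Pass")
    return "\t".join(cells)

if __name__ == "__main__":
    print("\t".join(["Host", "Grade", "Protocols"] + [t for t, _ in CHECKS]))
    print(to_row(SAMPLE))
```

Taking the worst grade and failing a check when any endpoint fails it keeps a single weak IP behind a load balancer from hiding behind a well-configured one.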
The spreadsheet with the results of the Romanian banks can be accessed here: https://docs.google.com/spreadsheets/d/1z4_WoPR-53qUgClKwo8EMEotH7xcjfngtebG7nVJpec/edit?usp=sharing
I will try to update the spreadsheet above monthly, unless there was no change from last month's results. It should be interesting to see how their security evolves over time, and especially, how fast banks react to patching 0-day TLS vulnerabilities, if they do at all.
The banks being tested by Qualys SSL Labs and Mozilla Observatory are:
Some interesting notes:
The good:
The bad:
Some banks really don't like changing their SSL setup, even if a major vulnerability knocks on their door, as two of them are still vulnerable to the POODLE attack as of June 29th, granting them the F grade.
Some banks really fucked up. As of June 29th, three banks all have their login forms on HTTP, and some of them even POST to HTTP and only then redirect to HTTPS. Their grades are forced to F, regardless of their actual TLS setup, until they fix it.