TLS Ratings for Norwegian banks

How secure is the connection to your bank? Surprisingly poor results in Qualys SSL Labs’ test.

Update (): See the follow-up post with new ratings!

I’ve looked into the state of TLS (“HTTPS”) in Norwegian banking websites. This describes the connection between the client/browser and the bank’s servers. It doesn’t say anything about the bank’s internal security. However, it does provide an insight into their IT policies and how up-to-date they are on the security field.

The tests were performed through Qualys SSL Labs on 2015-02-16. This was inspired by the overview of Belgian banks by Yeri Tiete.

The results are sorted by security ratings from Qualys. The best rating being A+ and the lowest being F. Qualys’ ratings reflect strict security recommendations and best practices. None of the tested banks scored the top mark.

Grade A banks

  • Storebrand (A): Fabulous.
  • Skandiabanken (A): Weak SHA-1 certificate chain.
  • SpareBank 1 Gruppen (A-): No Forward Secrecy.
  • Sparebanken Vest (A-): No Forward Secrecy.
  • Santander Consumer Bank (A-): No extended validation. No Forward Secrecy.

Grade B banks

  • Bank Norwegian (B): Accepts weak RC4 ciphers, and limited Forward Secrecy support.
  • Komplett Bank (B): Accepts outdated SSL3, weak RC4 ciphers, and limited Forward Secrecy support.
  • Ya Bank (B): No extended validation. Accepts outdated SSL3, and does support weak RC4 ciphers. Weak SHA-1 certificate chain. Limited Forward Secrecy support.
  • >Danske Bank [formerly Fokus Bank] (B): No extended validation. No HTTPS by default. Does not accept modern TLS 1.2 and does accept weak RC4 ciphers. No Forward Secrecy. Weak SHA-1 certificate chain.
  • DNB (B): Does not accept modern TLS 1.2, and does accept weak RC4 ciphers. No Forward Secrecy. Weak SHA-1 certificate chain.

Grade C banks

  • Bank2 (C): Does not accept modern TLS 1.2, and does accept weak RC4 ciphers. Weak SHA-1 certificate. No Forward Secrecy nor secure renegotiation.
  • Eika Gruppen (C): Does not accept modern TLS 1.2, and does accept weak RC4 ciphers. Weak SHA-1 certificate. No Forward Secrecy nor secure renegotiation.

Grade F banks

  • BN Bank (F): Does not accept modern TLS 1.2, and does accept weak RC4 ciphers. Vulnerable to the POODLE attack. Weak SHA-1 certificate. No Forward Secrecy nor secure renegotiation.
  • Gjensidige (F): Does not accept modern TLS 1.2, and does accept weak RC4 ciphers. Vulnerable to the POODLE attack. No Forward Secrecy.
  • KLP (F): Does not accept modern TLS 1.2, and does accept weak RC4 ciphers. Vulnerable to the POODLE attack and attacker-in-the-middle attacks because of insecure renegotiation. Weak SHA-1 certificate chain. No Forward Secrecy.
  • Nordea (F): No HTTPS by default. Does not accept modern TLS 1.2, and does accept weak RC4 ciphers. Vulnerable to the POODLE attack. Weak SHA-1 certificate chain. No Forward Secrecy nor secure renegotiation.
  • Verdibanken (F): No extended validation. Support anonymous and insecure ciphers. Weak SHA-1 certificate. No Forward Secrecy. Only accessible to SNI-enabled clients.

Bonus 1: OCSP Stapling

Komplett Bank is the only bank that has bothered to implement OCSP Stapling. With OCSP Stapling, the server will regularly check with the certificate issuer (CA) to verify that the server’s certificate is still valid. The verified response from the issuer is appended to the end of the certificate the client is sent.

The client can locally verify this response instead of having to ask the OCSP server themselves. Thus speeding up the initial HTTPS connection and ensuring that trust can be established sooner. All modern browsers support this.

Bonus 2: IPv6 support

Danske Bank, Gjensidige, Bank Norwegian, and Ya Bank are the only banks who support IPv6. Norway currently has a decent 9.16 % IPv6 adoption rate.[1] With roughly 20 % of the banks supporting the next generation Internet protocol, Norway seems to be doing fairly okay with IPv6 deployment.