SSL implementation is poor across South African financial institutions
With the recent security issues across many South African mobile iOS applications, I thought it would be a useful exercise to establish how well South African financial institutions have implemented transport layer security across their online financial services. Anyone can run the same test with Qualys' free SSL Server Test:
While transport layer security and the SSL implementation are only a small part of an organisation's complete security ecosystem, it is very concerning to see big financial institutions still open to the POODLE attack, a serious vulnerability that was published in October 2014:
Only African Bank and Sasfin did exceptionally well, with an A- grade. None of the sites tested supports Forward Secrecy, which is designed to prevent the compromise of a long-term secret key from affecting the confidentiality of past conversations (several large internet companies such as Google, Twitter, Wikimedia and Facebook use PFS as a security feature).
- Still supports SSL 3
- Still supports SHA1
- No TLS 1.2 support
- Still supports RC4
- Forward secrecy support

| Site | Grade | Check 1 | Check 2 | Check 3 | Check 4 | Check 5 | Check 6 |
|---|---|---|---|---|---|---|---|
| Bidvest Internet Banking | B | Pass | Pass | Pass | Fail | Fail | Pass |
| Capitec Internet Banking | B | Pass | Pass | Fail | Fail | Fail | Pass |
| FNB Internet Banking | B | Pass | Pass | Pass | Fail | Fail | Pass |
| Investec Internet Banking | B | Fail | Fail | Pass | Fail | Fail | Pass |
| Nedbank Internet Banking | B | Pass | Pass | Pass | Fail | Fail | Pass |
| Standard Bank Internet Banking | B | Pass | Fail | Fail | Fail | Fail | Pass |
| ABSA Internet Banking | F | Fail | Fail | Fail | Fail | Fail | Fail |
| ABSA Online Share Trading | F | Fail | Fail | Fail | Fail | Fail | Fail |
| Bidvest Business Internet Banking | F | Fail | Fail | Fail | Fail | Fail | Pass |
Both ABSA and Mercantile are exposed to the POODLE vulnerability, which I did not expect to see on many websites, least of all those managing your finances.
Although the above results are concerning, they are certainly not uncommon when looking at the latest SSL Pulse report:
- I used the domain name of each financial institution's SSL login page and used Qualys to run a scan against the domain and SSL certificate – all information scanned is publicly available.
- I have forwarded a link to the above results via the financial institutions' contact forms so that their IT teams can address the issues.
- In most cases RC4 and Perfect Forward Secrecy can only be resolved by upgrading server infrastructure (latest versions of Linux and the HTTP server) and this is more involved than fixing a TLS, POODLE or BEAST vulnerability.
- Thanks to Troy Hunt for the HTML table and original idea
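To make the failing checks concrete, here is an added example (not from the original post, and not any bank's actual configuration) of what a weak nginx server block with the same problems looks like next to a hardened one that addresses them: SSLv3 removed (POODLE), RC4 dropped, TLS 1.2 enabled, and ECDHE/DHE key exchange preferred so that sessions have forward secrecy. The hostname `bank.example` and the certificate, key and `dhparam` paths are placeholders; the hardened block assumes nginx built against OpenSSL 1.0.1 or later, which is the infrastructure upgrade the note above refers to.

```nginx
# Weak configuration (constructed example of 2014-era settings that would fail
# the checks in the table): SSLv3 still enabled, RC4 accepted, no TLS 1.2,
# RSA-only key exchange so no forward secrecy.
server {
    listen 443 ssl;
    server_name bank.example;                        # placeholder hostname
    ssl_certificate     /etc/ssl/bank.example.crt;   # placeholder; a SHA-1 signed cert fails the SHA1 check
    ssl_certificate_key /etc/ssl/bank.example.key;   # placeholder

    ssl_protocols SSLv3 TLSv1;                       # SSLv3 on => POODLE; TLS 1.2 absent
    ssl_ciphers   RC4-SHA:AES128-SHA:DES-CBC3-SHA;   # RC4 first, static RSA key exchange only
}

# Hardened configuration: SSLv3 removed, TLS 1.2 offered, RC4 and other weak
# suites excluded, ECDHE/DHE suites preferred so every session key is ephemeral.
server {
    listen 443 ssl;
    server_name bank.example;                        # placeholder hostname
    ssl_certificate     /etc/ssl/bank.example-sha256.crt;  # placeholder; re-issued with a SHA-256 signature
    ssl_certificate_key /etc/ssl/bank.example.key;         # placeholder

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;             # nothing below TLS 1.0; TLS 1.2 needs OpenSSL >= 1.0.1
    ssl_prefer_server_ciphers on;                    # the server's order wins, so clients get an ECDHE suite
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!RC4:!MD5:!3DES';
    ssl_ecdh_curve prime256v1;                       # curve for the ECDHE suites
    ssl_dhparam /etc/ssl/dhparam.pem;                # placeholder; 2048-bit group for the DHE suites
    ssl_session_timeout 10m;
}
```

After reloading with the hardened block, re-running the Qualys SSL Server Test against the site should show the SSL 3, RC4 and forward secrecy checks clearing; the SHA1 check only clears once the certificate itself has been re-issued with a SHA-256 signature, since that is a property of the certificate rather than the server configuration.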