SSL Test Overview

I had a list of 43 banks, and for a quick overview I took into account a few key features only. The first is whether there are any active vulnerabilities against the site according to the test (these were mostly CRIME, FREAK, and POODLE attacks). The second is whether RC4 encryption was enabled, as it is now prohibited, and having it on is an automatic Payment Card Industry Data Security (PCI) compliance failure, according to one of the commenters. Other various warnings are mentioned when something really stands out, they are not crucial but more nice to have (though I’d contend that Forward Secrecy and HTTP Strict Transport Security is more than “nice” for anything financial).

Edit: Since publishing this post, there’s a brand new password recovery attack against RC4, so it’s even more urgent to switch it off.

Test Outcome

The only A rating was for Deutsche Bank, which uses its global site for all regional sections too, so not that surprising that it was better than average. The rest of it in a nutshell:

• 22 out 43 banks (51%) got an F,
• 2 of them did not have SSL (though no online banking either, fortunately),
• 1 SSL enabled site couldn’t be tested somehow, possibly because of redirections
• Only 4 of them (9%) disabled RC4, the rest of it (91%) is vulnerable to password recovery attacks,
• 24 of them (56%) are vulnerable to common attacks, 5 (11%) to multiple different attacks (besides RC4), POODLE being the most common
• There was one site where the general corporate website’s HTTPS was better configured (B) than the e-banking (F)…
• Handling redirects and subdomains is generally very confusing for banks
• Most banks have multiple subdomains for different services (“bank site”, “e-banking”, and “web ATM” are the three most common)
• Of the 4 banks I have account at, there’s one B and three F-rated (not naming names)

The raw overall data and test links follow (with an outlook afterwards). Usually I’ve linked to the e-bank pages of banks, unless I couldn’t see it or was the same domain as their corporate site.

Update (2015-03-19): Some banks started to fix their systems, noticed changes will be added to the bottom of this post!

Update (2015-03-25): Instead of keeping up with the changes manually, made a page for automatic status tests. It’s still in development but you can check it here: Taiwan Financial Institutes SSL Tests.

Taiwanese Bank SSL Test Results

What’s next?

Financial fraud in Taiwan is pretty prevalent, though it’s usually the “old fashioned” phone scam type. On the other hand, people here seem to be very lucrative target of groups based in China and Philippines. While I don’t know about the latter, the former likely has black hat teams with a lot more computer savvy than most users here (or anywhere else). It would be very-very good to fix up these systems.

Since these banks don’t seem to be on Twitter in general (except maybe the international ones), would be good to look up the local tech contacts, and bring the problem to their attention. One thing that makes me optimistic about it on the long term, is that Taiwan has a lot of computer savvy and outspoken activists. Will try to reach out to them, and use the local talent (and local ways) to approach this. Also, local administration (ie. city government) seems to be more powerful here, and we have a quite techy and driven new mayor in Taipei city. Putting pressure on the banks through them is not inconceivable.

I like it a lot where technology is going over here (many days I feel like being in a science fiction), and hope to make it work out well by keeping an eye on the practical implementations such as this.

If you find any problems in the dataset above (or any updates as sites are fixed:), please let me know!

Updates

• 2015-03-19: Chinatrust fixed their POODLE vulnerability, improving their score from F to B! Hope they’ll fix RC4 next.
• 2015-03-19: Bank of Taiwan went from F to A-, the first Taiwan-based bank to achieve an A!
• 2015-03-23: The ANZ Credit Card site went from F to B as well, which is pretty good, even if their corporate site remains F.
• 2015-03-24: Mega Bank went from B to A- by disabling RC4.

The post SSL status of Taiwanese banks: a sad affair appeared first on ClickedyClick.

The first step for the switch was bringing everything onto HTTPS, which I have done with a free SSL certificate from StartSSL. Redirected everything from the HTTP to the secure connection, with the 301 http code so I thought Google will be able to follow it well and replace the addresses in their index. Then enabled the SPDY module in Nginx, and checking the result looked like I was in business.

Some time has passed, and a scary graph started to manifest itself in Google Analytics:

Right after I have made the changes, my impression count on Google dropped like a brick, now being exactly 0. That’s not really the change I wanted to see. Digging more into it, though, it looks like I still have a constant stream of visitors from Google Search:

How can I have zero impressions, but still a half a dozen visitors from Search? The results in the Webmaster Tools mirror things: dropping impression count, no crawl errors, same or even better indexed count, and relatively good stats:

The crawl seemed to have gotten a bit slower (the bottom plot of the three), but more consistent.

I wonder what could be the change, does the impression count depend on the method of access (http/https)? Or did I made some braking changes? If so, then why’s the conflicting information?

Being a scientist, my main concern is not actually the raw value of any visitor count, but understanding the reactions to my actions, and consistency of the “experimental results”.  I wonder what kind of technique I could use to debug all this?

Update 2013/May/28: 

Following some recommendations from the comments, it looks like that the https:// version of my URL has to added to the Webmaster Tools separately. Now there’s a http://gergely.imreh.net and a https://gergely.imreh.net section as well. In the latter section, I can see that there are some impressions reported. Some weird things still exist: the sum of impressions from both is less than how many visitors I reportedly get from Google Search; the crawl stats is shared between the two sections (ie. the https version reports a lot of crawl stats even from the time there wasn’t https enabled), while most other data is separate for the two sections (e.g. impression, search queries, sitemaps). Still probably this is on the right path.

After the Webmaster Tools changes, I have just switched the Google Analytics association from one WMT property to the other. Hopefully this will freak me out less, though it will likely take some days to see the changes in the result.

The post Switched to SPDY and now Google’s confused appeared first on ClickedyClick.