After reading Troy Hunt's "Do you really want “bank grade” security in your SSL? Here’s how Aussie banks fare" post, it made me wonder how well banks do over here in the UK. I'm expecting them to be about the same, because I can't think of a reason for UK banking to be particularly better or worse than Aussie banks.
After dropping a few bank URLs into the SSL Labs test, showing the same properties as Troy, we get:
Bank | Grade | Still supports SSL 3 | Still supports SHA1 | No TLS 1.2 support | Still supports RC4 | Forward secrecy support | POODLE vulnerable |
---|---|---|---|---|---|---|---|
Santander | B | Pass | Pass | Pass | Fail | Fail | Pass |
Barclays | B | Pass | Fail | Pass | Fail | Fail | Pass |
Co-operative Bank | B | Pass | Pass | Fail | Fail | Fail | Pass |
Royal Bank of Scotland | B | Pass | Fail | Fail | Pass | Fail | Pass |
HSBC | B | Fail | Fail | Fail | Fail | Fail | Pass |
Lloyds | C | Fail | Fail | Fail | Fail | Fail | Fail |
I know Santander isn't a UK bank, but it's a popular bank on the UK high street.
It's nice to see there are no F grades here, but the lack of A grades is disappointing, as is the POODLE vulnerability with Lloyds. Hopefully they'll work to fix that in the near future.