UK "bank grade" SSL

06 May 2015

After reading Troy Hunt's "Do you really want “bank grade” security in your SSL? Here’s how Aussie banks fare" post, it made me wonder how well banks do over here in the UK. I'm expecting them to be about the same, because I can't think of a reasons for UK banking to be particularly better or worse than Aussie banks.

After dropping a few bank URL in to the SSL Labs test, showing the same properties as Troy, we get:

Bank Grade Still supports SSL 3 Still supports SHA1 No TLS 1.2 support Still supports RC4 Forward secrecy support POODLE vulnerable
Santander B Pass Pass Pass Fail Fail Pass
Barclays B Pass Fail Pass Fail Fail Pass
Co-operative Bank B Pass Pass Fail Fail Fail Pass
Royal Bank of Scotland B Pass Fail Fail Pass Fail Pass
HSBC B Fail Fail Fail Fail Fail Pass
Lloyds C Fail Fail Fail Fail Fail Fail

I know Santander isn't a UK bank, but it s popular bank on the UK high-street.

It's nice to see there's no F grades here, but the lack of A grades is disappointing - as is the POODLE vulnerability with Lloyds. Hopfully they'll work to fix that in the near future.