I am in charge of the security program at my company, and that includes maintaining PCI compliance. I was running a scan of one of my web servers the other day and got dinged because we were using TLS 1.0 on one of our secure web sites with a Cipher Block Chaining encryption algorithm. It had something to do with being vulnerable to The BEAST attack, which can be thwarted if you upgrade to TLS 1.1 or TLS 1.2, or by reducing the ciphers you use to only RC4. Now, my company doesn't even handle sensitive data, but we have to maintain these requirements because of our relationship with banks.
So I got to thinking, how many banks are using at least TLS 1.1? If not, how many of them are protected from The BEAST? How good are their SSL/TLS implementations anyway? Check out these screen shots I took of several big banks in the United States, and their score from the SSL Labs Test.
What rating does your bank get? Let us know in the comments!