Nov 3, 2012

Bank SSL/TLS implementation Ratings. How Secure Are They Really?

I am in charge of the security program at my company, and that includes maintaining PCI compliance. I was running a scan of one of my web servers the other day and got dinged because we were using TLS 1.0 on one of our secure web sites with a Cipher Block Chaining (CBC) encryption algorithm. The finding had to do with being vulnerable to the BEAST attack, which can be thwarted if you upgrade to TLS 1.1 or TLS 1.2, or by reducing the ciphers you use to only RC4. Now, my company doesn't even handle sensitive data, but we have to maintain these requirements because of our relationship with banks.

So I got to thinking: how many banks are using at least TLS 1.1? If not, how many of them are protected from BEAST? How good are their SSL/TLS implementations anyway? Check out these screenshots I took of several big banks in the United States, and their scores from the SSL Labs test.
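To make the scan finding above concrete, here is an added example (not code from the original post, and not SSL Labs' own scoring logic) that applies the same criteria the finding used: a server is exposed to BEAST when it will negotiate TLS 1.0 (or SSL 3.0) with a CBC-mode cipher, and the exposure goes away either when clients can use TLS 1.1/1.2 or when no CBC suites are offered on the old versions. The `ServerConfig` type, the `SAMPLE_SERVERS` entries and the suite lists are constructed for illustration, not results from any real bank.

```python
"""BEAST exposure check for a TLS server configuration (added example).

Applies the post's criteria: legacy protocol (SSL 3.0 / TLS 1.0) plus a
CBC-mode cipher suite means exposure; TLS 1.1+ or non-CBC suites remove it.
SAMPLE_SERVERS below are constructed descriptions, not real scan results.
"""
from dataclasses import dataclass

# Protocol versions in which the BEAST chosen-plaintext attack on CBC applies.
BEAST_PROTOCOLS = frozenset({"SSLv3", "TLSv1.0"})
MODERN_PROTOCOLS = frozenset({"TLSv1.1", "TLSv1.2"})


def cipher_mode(suite: str) -> str:
    """Infer the bulk-cipher mode from an OpenSSL-style suite name.

    OpenSSL names omit "CBC" for AES-CBC suites (e.g. "AES128-SHA"), so any
    suite that is neither AEAD (GCM/CCM/ChaCha20) nor RC4 is treated as CBC.
    """
    upper = suite.upper()
    if any(tag in upper for tag in ("GCM", "CCM", "CHACHA20")):
        return "aead"
    if "RC4" in upper:
        return "stream"
    return "cbc"


@dataclass(frozen=True)
class ServerConfig:
    """Hypothetical scan result: protocol version -> suites offered under it."""
    host: str
    suites_by_protocol: dict


def beast_exposure(cfg: ServerConfig) -> dict:
    """Report which legacy protocols still carry CBC suites and what fixes it."""
    cbc_on_legacy = {}
    for proto, suites in cfg.suites_by_protocol.items():
        if proto in BEAST_PROTOCOLS:
            cbc = [s for s in suites if cipher_mode(s) == "cbc"]
            if cbc:
                cbc_on_legacy[proto] = cbc
    has_modern = bool(MODERN_PROTOCOLS & set(cfg.suites_by_protocol))
    fixes = []
    if cbc_on_legacy:
        if not has_modern:
            fixes.append("enable TLS 1.1/1.2 so capable clients never use TLS 1.0 CBC")
        fixes.append("remove CBC suites from " + ", ".join(sorted(cbc_on_legacy))
                     + " or disable those protocol versions")
    return {
        "host": cfg.host,
        "exposed": bool(cbc_on_legacy),
        "cbc_on_legacy": cbc_on_legacy,
        "offers_tls11_or_later": has_modern,
        "fixes": fixes,
    }


# Constructed sample configurations (hypothetical hosts, not real banks).
SAMPLE_SERVERS = {
    "legacy-cbc": ServerConfig("legacy.example", {
        "TLSv1.0": ["AES256-SHA", "AES128-SHA", "DES-CBC3-SHA", "RC4-SHA"],
    }),
    "rc4-only": ServerConfig("rc4.example", {
        "TLSv1.0": ["RC4-SHA", "RC4-MD5"],
    }),
    "mixed": ServerConfig("mixed.example", {
        "TLSv1.0": ["AES128-SHA"],
        "TLSv1.2": ["ECDHE-RSA-AES128-GCM-SHA256"],
    }),
    "modern": ServerConfig("modern.example", {
        "TLSv1.2": ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"],
    }),
}


if __name__ == "__main__":
    for label, cfg in SAMPLE_SERVERS.items():
        report = beast_exposure(cfg)
        status = "EXPOSED" if report["exposed"] else "ok"
        print(f"{label:12s} {status:8s} {report['fixes']}")
```

Note that the "mixed" sample still comes out exposed: adding TLS 1.2 protects clients that can speak it, but any client that only negotiates TLS 1.0 still lands on a CBC suite, which is why the scan finding pairs the protocol upgrade with cipher restriction. The RC4-only workaround reflects 2012 guidance; RC4 was later prohibited in TLS (RFC 7465) and SSL 3.0/TLS 1.0 themselves were deprecated (RFC 8996), so today the fix is to disable the legacy versions rather than keep them on RC4.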

[Screenshots of SSL Labs test results for: Bank of America, Chase, Citibank, Union Bank, Wells Fargo, PNC Financial]

Pretty interesting, huh? Once you realize that just putting an SSL certificate on a website doesn't necessarily make it secure, you start wondering about every SSL/TLS certificate you see. Is your money safe with these guys? Probably, but on the sites with a rating below 'A', or with red warnings at the bottom, it kind of makes you wonder.

What rating does your bank get? Let us know in the comments!

