How's Your SSL Rate? Maybe Better Than Your Bank's

[raindog308]

Neat tool:  https://www.ssllabs.com/ssltest/index.html

 

I was highly amused that an SSL I setup tonight rated A+.  Cheap PositiveSSL running on an nginx web server - nothing fancy.

 

Meanwhile...

 

Lloyd's: rated C.  https://www.ssllabs.com/ssltest/analyze.html?d=online.lloydsbank.co.uk

 

 

 

 

[comXyz]

I'm using free SSL from CloudFlare, it's graded A

 

[MannDude]

How's my SSL rate? Better than my financial institution's... The credit union I've been a member of for years now is rated a B.

 

[D. Strout]

My main personal site has had SSL for a while, but I didn't push it because the theme I used loaded fonts from Google insecurely, and I didn't want to bother fixing it. But when I checked it with this tool, I found out the SSL was also iffy - a C. So I fixed the SSL issues, and then fixed the font issues, and now my site always uses SSL since it works perfectly. I tidied up my other SSL sites a while ago too, like this one and this one.

 

[eva2000]

Looks okay for my one of my test sites for SSL at https://sslspdy.com/

https://www.ssllabs.com/ssltest/analyze.html?d=sslspdy.com&hideResults=on

Centmin Mod Nginx SPDY/3.1 SSL with Wildcard Comodo SSL with ECC 256 bit ECDSA + chacha20_poly1305 cipher support via OpenSSL 1.0.2 beta4

Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites always at the end)
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc14)   ECDH 256 bits (eq. 3072 bits RSA)   FS	256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)   ECDH 256 bits (eq. 3072 bits RSA)   FS	128
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)   ECDH 256 bits (eq. 3072 bits RSA)   FS	128
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)   ECDH 256 bits (eq. 3072 bits RSA)   FS	128
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)   ECDH 256 bits (eq. 3072 bits RSA)   FS	256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)   ECDH 256 bits (eq. 3072 bits RSA)   FS	256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)   ECDH 256 bits (eq. 3072 bits RSA)   FS	256
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)   ECDH 256 bits (eq. 3072 bits RSA)   FS	112

Chrome 37 / OS X  R	TLS 1.2	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc14)   FS	256

 

[Nyr]

One of the banks I use:

https://www.ssllabs.com/ssltest/analyze.html?d=cajaespana.net

Security is usually a joke in Spain.

 

[devonblzx]

The poodle issue doesn't appear to be a real problem to me.  POODLE affects SSLv3 but if you look on the list, the only browser that is actually still utilizing SSLv3 is IE6 on XP.  So you'd have to be using an old operating system with a very old browser.  In that case, POODLE is probably only one of your many security concerns.

Edit:  after reading the full description.  It seems in some cases the MITM is able to force a downgrade to SSLv3.  Interesting but still seems much less practical than most exploits.  I don't know if it should garner a C, but it seems like they are trying to promote the removal of SSLv3 which is a good thing.

 

[OpticServers]

Using a COMODO SSL Certificate with nginx and getting a A-

https://www.ssllabs.com/ssltest/analyze.html?d=opticservers.com

 

[devonblzx]

Using a COMODO SSL Certificate with nginx and getting a A-

https://www.ssllabs.com/ssltest/analyze.html?d=opticservers.com

It has little to do with the type of certificate (as long as it is recognized).  This is more to do with the web server and OpenSSL version/settings.

However, according to that, you don't have your chain certificates installed so some browsers will report an error with your certificate.  With Comodo, you have to install the chain certificates.

 

[DomainBop]

Your bank's board of directors and CEO might soon be paying fines if "your SSL rating is better than your bank's".  The SEC has proposed new rules to force banks to put more effort into cybersecurity.

Regulators will soon issue fines to negligent bank leaders and may even require that offending companies be supervised by outside monitors. All this should prompt financial services executives to stop passing the buck and spearhead the effort to improve cyber risk management.

full article: http://www.americanbanker.com/bankthink/bank-leaders-stop-passing-the-buck-on-cybersecurity-1071382-1.html

 

[iWF-Jacob]

Our billing portal gets an A- and our main site gets an A (CloudFlare)

 

[William]

Your bank's board of directors and CEO might soon be paying fines if "your SSL rating is better than your bank's".  The SEC has proposed new rules to force banks to put more effort into cybersecurity.

full article: http://www.americanbanker.com/bankthink/bank-leaders-stop-passing-the-buck-on-cybersecurity-1071382-1.html

And the SEC does exactly what in Europe? US banks usually are not that bad, Spanish and Greek banks are worrysome.

 

[DomainBop]

US banks usually are not that bad,

Their websites aren't that bad but from my piwik stats I could name a few large US financial institutions (as well as US government agencies, US defense contractors, and other Fortune 500 companies) who are still letting their employees surf the web from their office desktops using very outdated browsers like IE8 on Windows XP (as a footnote, the employees in AmericanExpress's Phoenix service center were using IE7 as recently as 2012)

Earlier this year there were a few surveys released that showed almost 1/4 of all US bank ATM machines were still using Windows XP embedded version.  In India it was closer to 35% of ATM's.

tl;dr corporate security is a nightmare and I'm not surprised there are so many large scale breaches