State of TLS security in Lithuanian internet banking
Inspired by a post from Daniel about the state of TLS security in Norwegian online banking systems, I decided to do a similar analysis of the banks used in Lithuania.
The results are sorted by their Qualys SSL Labs rating, from A+ (the best) down to F (the worst).
Qualys' ratings reflect strict security recommendations and best practices. None of the banks in Lithuania managed to score an A+.
Check SSL Labs for the full report on each bank, including what they actually did well. You can see the report by clicking on the rating.
Citadele: (A): Weak SHA-1 certificate chain.
DNB bank: (A-): Weak SHA-1 certificate chain, no Forward Secrecy.
Update (February 23rd): I've been contacted by a DNB bank representative and asked to re-check the results.
Now it appears that the bank gets an (A-) rating instead of the (F) it got on February 20th. On their website there appears to be a notice about maintenance that was going on this weekend. I am not sure if it's related or not, but in any case: good job from them for following up and responding.
SEB: (A-): Weak SHA-1 certificate chain, no Forward Secrecy.
Danske Bankas: (B): Accepts weak RC4 cipher, no Forward Secrecy, does not accept modern TLS 1.2.
Swedbank: (B): Uses obsolete and insecure SSL 3, weak SHA-1 certificate chain, accepts weak RC4 cipher, no Forward Secrecy.
Šiaulių bankas: (B): Weak SHA-1 certificate chain, accepts weak RC4 cipher, no Forward Secrecy.
Medicinos bankas: (F): Uses obsolete and insecure SSL 2 and SSL 3, weak SHA-1 certificate chain, does not accept modern TLS 1.2, accepts weak RC4 cipher, no Forward Secrecy.
Nordea: (F): Vulnerable to the POODLE attack, weak SHA-1 certificate chain, accepts weak RC4 cipher, no Forward Secrecy.
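The findings in the list above all follow from three observable properties of an endpoint: which protocol versions it negotiates, which cipher suites it offers, and how its certificate chain is signed. As an added illustration (not part of the original post and not the SSL Labs scanner's logic), the Python below re-derives those findings from such a summary. The ScanResult shape and the two sample endpoints are constructed for this example; the rules mirror the criteria named in the list (obsolete SSL 2/3, missing TLS 1.2, RC4, absence of ECDHE/DHE key exchange, SHA-1 chain signatures) plus the POODLE condition of SSL 3 combined with a CBC cipher suite.

```python
"""Offline audit of a TLS endpoint summary against the criteria used in the post.

Example code added to the page; the data model and samples are constructed.
"""
from dataclasses import dataclass
from typing import List

OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3"}
# IANA suite names whose key exchange provides Forward Secrecy.
FORWARD_SECRET_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_")
# TLS 1.3 suites do not name the key exchange, but TLS 1.3 is always (EC)DHE.
TLS13_PREFIXES = ("TLS_AES_", "TLS_CHACHA20_")


@dataclass
class ScanResult:
    """Constructed summary of what a scanner observed on one endpoint."""
    protocols: List[str]                   # e.g. ["SSLv3", "TLSv1", "TLSv1.2"]
    cipher_suites: List[str]               # IANA cipher suite names the server accepts
    chain_signature_algorithms: List[str]  # signature algs of leaf + intermediates


def is_forward_secret(suite: str) -> bool:
    """True if the suite uses ephemeral (EC)DH key exchange."""
    return suite.startswith(FORWARD_SECRET_PREFIXES) or suite.startswith(TLS13_PREFIXES)


def audit(scan: ScanResult) -> List[str]:
    """Return the human-readable findings for one endpoint, in a fixed order."""
    findings = []

    obsolete = sorted(OBSOLETE_PROTOCOLS & set(scan.protocols))
    if obsolete:
        findings.append("obsolete protocol enabled: " + ", ".join(obsolete))
    if "TLSv1.2" not in scan.protocols:
        findings.append("TLS 1.2 not supported")

    # POODLE requires SSL 3 together with a CBC-mode cipher suite.
    cbc_suites = [s for s in scan.cipher_suites if "_CBC_" in s]
    if "SSLv3" in scan.protocols and cbc_suites:
        findings.append("POODLE: SSLv3 with CBC cipher suites")

    if any("_RC4_" in s for s in scan.cipher_suites):
        findings.append("weak RC4 cipher accepted")
    if not any(is_forward_secret(s) for s in scan.cipher_suites):
        findings.append("no Forward Secrecy")

    # The root is self-signed and its own signature is irrelevant, so only the
    # leaf and intermediates are passed in; SHA-1 anywhere in them is a finding.
    if any(alg.lower().startswith("sha1") for alg in scan.chain_signature_algorithms):
        findings.append("weak SHA-1 certificate chain")
    return findings


# Constructed sample endpoints: one resembling the F-rated configurations
# described in the post, one a hardened baseline.
WEAK_ENDPOINT = ScanResult(
    protocols=["SSLv2", "SSLv3", "TLSv1"],
    cipher_suites=["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"],
    chain_signature_algorithms=["sha1WithRSAEncryption", "sha1WithRSAEncryption"],
)
HARDENED_ENDPOINT = ScanResult(
    protocols=["TLSv1.2", "TLSv1.3"],
    cipher_suites=["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_AES_128_GCM_SHA256"],
    chain_signature_algorithms=["sha256WithRSAEncryption", "sha256WithRSAEncryption"],
)

if __name__ == "__main__":
    for name, endpoint in (("weak", WEAK_ENDPOINT), ("hardened", HARDENED_ENDPOINT)):
        print(f"{name}: {audit(endpoint) or ['no findings']}")
```

Running it prints every finding the post attaches to the worst-rated banks for the weak sample and nothing for the hardened one. To use it on a real endpoint, fill a ScanResult from the protocol and cipher enumeration of whatever scanner you trust; the rules themselves do not touch the network.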
There is also a report by Yeri about the TLS situation in Belgium.
Tests were done on 2015-02-20.