State of TLS security in Lithuanian internet banking

Ramūnas Monkevičius
Feb 20, 2015


Inspired by a post from Daniel about the state of TLS security in Norwegian online banking systems, I decided to do a similar analysis of banks that are used in Lithuania.

The results are sorted by their Qualys rating, the best being A+ and the lowest being F.

Qualys’ ratings reflect strict security recommendations and best practices. None of the banks in Lithuania managed to score an A+.

Check SSL Labs for a full report on each bank, including what they actually did well. You can see the report by clicking on the rating.

Citadele: (A): Weak SHA‐1 certificate chain.

DNB bank: (A-): Weak SHA‐1 certificate chain, no Forward Secrecy.

Update (February 23rd): I’ve been contacted by a DNB bank representative and asked to re-check the results.
Now it appears that the bank gets an (A-) rating instead of the (F) which it got on February 20th. On their website there appears to be a sign about maintenance that was going on this weekend. I am not sure if it’s related or not, but in any case: good job from them for following up and responding.

SEB: (A-): Weak SHA‐1 certificate chain, no Forward Secrecy.

Danske Bankas: (B): Accepts weak RC4 cipher, no Forward Secrecy, does not accept modern TLS 1.2.

Swedbank: (B): Uses obsolete and insecure SSL 3, weak SHA‐1 certificate chain, accepts weak RC4 cipher, no Forward Secrecy.

Šiaulių bankas: (B): Weak SHA‐1 certificate chain, accepts weak RC4 cipher, no Forward Secrecy.

Medicinos bankas: (F): Uses obsolete and insecure SSL 2 and SSL 3, weak SHA‐1 certificate chain, does not accept modern TLS 1.2, accepts weak RC4 cipher, no Forward Secrecy.

Nordea: (F): Vulnerable to the POODLE attack, weak SHA‐1 certificate chain, accepts weak RC4 cipher, no Forward Secrecy.

There is also a report by Yeri about the TLS situation in Belgium.

Tests were done on 2015-02-20.
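Each finding in the list above corresponds to a concrete server setting that an operator can check in their own configuration. The following Python code is an added example, not part of the original post and not the Qualys grading logic: it maps a server's enabled protocols, OpenSSL-style cipher suite names and certificate signature algorithms to those finding labels, and the config layout, function names and both sample configurations are constructed for illustration.

```python
# Added example: derive the finding labels used in the list above from a
# server's TLS settings. Assumptions: suites use OpenSSL naming, and
# "chain_signatures" holds the leaf and intermediate certificates only
# (the self-signed root's own signature is not relied upon).

FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")  # ephemeral (EC)DH key exchange


def has_forward_secrecy(suite):
    """True if the suite negotiates an ephemeral Diffie-Hellman key."""
    return suite.startswith(FS_PREFIXES)


def findings(config):
    """Return the finding labels that apply to one server configuration."""
    out = []
    protocols = set(config["protocols"])
    suites = config["cipher_suites"]
    obsolete = [p for p in ("SSLv2", "SSLv3") if p in protocols]
    if obsolete:
        out.append("uses obsolete and insecure " + " and ".join(obsolete))
    if "TLSv1.2" not in protocols:
        out.append("does not accept modern TLS 1.2")
    if any("sha1" in sig.lower() for sig in config["chain_signatures"]):
        out.append("weak SHA-1 certificate chain")
    if any("RC4" in s.split("-") for s in suites):
        out.append("accepts weak RC4 cipher")
    # Simplification: flagged only when no offered suite is ephemeral at all.
    if not any(has_forward_secrecy(s) for s in suites):
        out.append("no Forward Secrecy")
    return out


# Constructed sample configurations (not taken from any bank's scan).
LEGACY = {
    "protocols": ["SSLv3", "TLSv1"],
    "cipher_suites": ["RC4-SHA", "AES128-SHA", "DES-CBC3-SHA"],
    "chain_signatures": ["sha1WithRSAEncryption", "sha1WithRSAEncryption"],
}
HARDENED = {
    "protocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
    "cipher_suites": ["ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-SHA"],
    "chain_signatures": ["sha256WithRSAEncryption", "sha256WithRSAEncryption"],
}

if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY), ("hardened", HARDENED)):
        print(name, "->", findings(cfg) or "no findings")
```
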
