SSL Certificates at Banks: 2016 v. 2014

Procedure

I tested the first 100 banks I found by Googling "bank". The test I used is at https://www.ssllabs.com/ssltest/

Results from 2014

There was only one F: Columbia Bank. Their grade has improved to an A in my 2016 test.

Details of 2014 test

Results from 2016

This time there were four F's:

Middlesex: https://www.middlesexbank.com/
Trustco Bank: https://www.trustcobank.com/
HSA Bank: https://secure.hsabank.com/ibanking3/login.aspx
INTRUST Bank: https://www.intrustbank.com/

Banks notified via Twitter on 4-13-16:

On 5-18-16, they were all still graded at F.

Credit Unions (2016)

When I posted these results, I got this reply:

Good idea! The results were very similar to banks:

Here are the five F's:

NCUA.gov: https://www.ncua.gov/Pages/default.aspx
OneCU: https://www.onecu.org/
Guardians CU: https://www.pbccuvirtual.org/ISuite5/Features/Auth/SelfEnrollment/SelfEnrollmentDisclosure.aspx
Vibrant CU: https://vibrantcreditunion.org/
Deere Employees CU: https://content.dccu.com/

I notified them via Twitter on 4-16-16:

I tested them again on 4-18-16 and they were all still F's.

Also, Wright-Patt Credit Union is the only bank or credit union in the top 100 to still use mixed-mode authentication: an https login link on an insecure page. I haven't seen any bank use that unsafe method in years and I suspect it is a violation of banking regulations.

I Tweeted to WPCU and they answered, which is good. However, they don't seem to understand the importance of this issue. Switching the whole site to https is good, but moving the login page to https is a critical security measure that every other bank and credit union I tested has already taken. WPCU is far behind its competitors in this aspect of security.

Here's the link to a Troy Hunt video that explains why putting an HTTPS login button on an HTTP page is like putting a padlock on your wallet and leaving it in the street:

Your login form posts to HTTPS, but you blew it when you loaded it over HTTP

On Feb. 9, 2017, I got this Tweet:

However, when I tested it, it was not much better. The login page is now HTTPS, but if you open a browser and type in wpcu.info, you pass through two stages of insecure redirection before reaching the secure page:

This page is still susceptible to hijacking, but it can be fixed by adding an HSTS header, as explained in this Troy Hunt page from 2015.
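To make the redirect problem concrete, here is an added example (my own code, not from the original post or from WPCU) that audits a captured redirect chain the way a reviewer would: it flags every hop that sends the user on to another plaintext http:// URL and checks whether the final HTTPS response carries a usable Strict-Transport-Security header. The hostnames (bank.example) and responses are constructed stand-ins for the two-stage chain described above.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

@dataclass
class Hop:
    """One response in a redirect chain (constructed here; fill from curl -I output)."""
    url: str                           # URL requested at this hop
    location: Optional[str] = None     # Location header, if the hop redirected
    headers: Dict[str, str] = field(default_factory=dict)

def parse_hsts(value: str) -> Tuple[Optional[int], bool]:
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age" and val.strip('"').isdigit():
            max_age = int(val.strip('"'))
        elif name.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def audit_chain(chain: List[Hop], min_max_age: int = 15552000) -> List[str]:
    """List the ways a chain keeps users on plaintext; an empty list means it is clean.
    The first typed request is always plaintext, so only redirects *to* http:// count."""
    findings = [f"plaintext redirect: {h.url} -> {h.location}"
                for h in chain if h.location and urlparse(h.location).scheme == "http"]
    final = chain[-1]
    if urlparse(final.url).scheme != "https":
        return findings + ["chain does not end on https"]
    hsts = {k.lower(): v for k, v in final.headers.items()}.get("strict-transport-security")
    if hsts is None:
        return findings + ["no HSTS header on final response"]
    max_age, include_sub = parse_hsts(hsts)
    if max_age is None or max_age < min_max_age:   # default minimum: 180 days
        findings.append(f"HSTS max-age too short: {max_age}")
    if not include_sub:
        findings.append("HSTS lacks includeSubDomains")
    return findings

# Constructed chains: WEAK mirrors two plaintext stages before the HTTPS login page;
# FIXED is a single redirect straight to https plus HSTS, which closes the hijack window.
WEAK_CHAIN = [
    Hop("http://bank.example/", "http://www.bank.example/"),
    Hop("http://www.bank.example/", "https://www.bank.example/login"),
    Hop("https://www.bank.example/login", headers={"Content-Type": "text/html"}),
]
FIXED_CHAIN = [
    Hop("http://bank.example/", "https://www.bank.example/login"),
    Hop("https://www.bank.example/login",
        headers={"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
]
```

Feed it real hops (URL, Location header, final response headers) captured with a non-following HTTP client and it will tell you whether a site's fix actually removed the plaintext stages or only moved the login form.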


Posted 4-13-16 by Sam Bowne
Credit unions added 4-15-16 12:38 am
Wright-Patt mention added 5-16-16 7:48 am
WPCU response added 4-18-16
Re-test of F's added 4-18-16
WPCU update added 2-9-17