Government is good at this too
The not-so-aptly named secureonline.dwp.gov.uk gets an "F" too.
https://www.ssllabs.com/ssltest/analyze.html?d=secureonline.dwp.gov.uk
UK banking organisation Bacs is running a cryptographically obsolete website despite telling everyone else to upgrade before a June deadline. Earlier this week Bacs reminded UK businesses to update their systems and adopt SHA-2 before mid-June in order to avoid losing access to vital payment and money transfer services. …
Looks like these 2 are on Server 2012 R2 that has not been rebooted since early January so missing out on 2 patch Tuesdays from Microsoft.
They've also implemented a vulnerable cipher or 5 using a weak implementation of Diffie-Hellman...looking like some out of the box work...hope the banking system isn't based on out of the box configuration of Windows Servers...
Goodness only knows if/how the front end load balancer/firewall has been configured after it was taken out of the cardboard box and polystyrene.
I'll say it again:
Nothing quite beats the Teacher's Pensions Online website: www.tponline.co.uk
It basically ranks F-, and fails in every possible way. And you're supposed to use that to generate client-side certificates that make / take payments from people's pensions.
But, hell, last time I caused a fuss, they just emailed me a .pfx with the private key anyway.
The tponline certificate is a Crapita PLC EV certificate...so to be fair it could have been significantly worse.
A quick check says it's a close competitor for the top 5, they've hidden the web server from the SSL Labs check but it still appears to leak uptime and is giving the look of IIS so may not have been patched since Jan 2016. You can't really be sure on this though as it looks like someone did more than take the firewall out of its box and packing.
It is however missing any forward secrecy and whilst they have managed to install the correct server certificate, they forgot to follow the guide for installing the intermediate cert that came with it so an epic fail.
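The two failures in the post above (no forward secrecy, intermediate certificate not installed) are easy to confirm on your own endpoints without a third-party scanner. This is an added example, not code from any commenter or from SSL Labs; it uses only Python's standard `ssl` module, and the host name is whatever you pass on the command line.

```python
import socket
import ssl

# Key-exchange markers for forward secrecy: ephemeral (EC)DH suites in
# TLS 1.2 naming, and every TLS 1.3 suite (TLS 1.3 is always ephemeral).
FS_PREFIXES = ("ECDHE-", "DHE-", "TLS_AES_", "TLS_CHACHA20_")
# Substrings that mark obsolete or broken cipher constructions.
WEAK_MARKERS = ("RC4", "DES", "EXP", "NULL", "MD5", "ADH", "AECDH")

def assess_cipher(name: str, protocol: str) -> dict:
    """Classify one negotiated suite: forward secrecy and obvious weakness."""
    fs = protocol == "TLSv1.3" or name.startswith(FS_PREFIXES)
    weak = any(m in name for m in WEAK_MARKERS) or protocol in ("SSLv3", "TLSv1", "TLSv1.1")
    return {"cipher": name, "protocol": protocol, "forward_secrecy": fs, "weak": weak}

def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake with a server; report chain validity plus a cipher assessment.

    create_default_context() verifies against the system CA store and, like
    OpenSSL generally, does not fetch a missing intermediate via AIA, so a
    server that forgets its intermediate fails here even when browsers cope.
    """
    result = {"host": host, "chain_ok": False, "error": None}
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["chain_ok"] = True
                result.update(assess_cipher(*tls.cipher()[:2]))
                return result
    except ssl.SSLCertVerificationError as exc:
        result["error"] = exc.verify_message
    # Chain failed: reconnect without verification only to read the suite.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            result.update(assess_cipher(*tls.cipher()[:2]))
    return result

if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: tlscheck.py <hostname>")
    print(probe(sys.argv[1]))
```

A `chain_ok` of False with a verify message about the issuer certificate is the "forgot the intermediate" symptom; `forward_secrecy` False means a static RSA key exchange, which is what the missing-forward-secrecy grade reflects.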
The backend systems that companies have been using for yonks still can't be upgraded if you go via the banks. I chased HSBC up every other week from June 2015 to Jan 2016 and they still wouldn't sell me the software or let me go direct to Bottom Line, saying they were OK for us to carry on using XP machines to submit Bacs payments via Bacstel-IP! A bloody sham or a piss-up in a brewery is more organised than this lot! Just glad I don't ever have to deal with the turd piles again.
Bottom Line wanted to sell the company the software, they wanted to buy it, HSBC said they needed to buy through them. Try to find someone in HSBC to sell or give it to you... More chance of winning the Euro and National Lotto in the same week...
Different experience to me, though we have Barclays. Bottom Line have been pursuing us relentlessly to upgrade ePay to the newest version. As far as I can tell it's exactly the same software with the old cipher suites removed and new ones added, yet they want £2k+ to do the upgrade.
I hear rumours that the fund tech migrations were somewhat of a customer re-input rather than a migration, and their previous systems had some quite serious misgivings, which make me wonder how they managed to get BACS approved in the first place...oh hang on, we're talking about BACS approval, stupid me!
I hear Nationwide are offering £50,000 for a full-time consultant to look after certificates and keys and possibly some staff too (I assume this is digital security keys and not a consultant that is managing door keys and first aid qualifications...though someone in this role would likely be aware of their own level of incompetence so be less dangerous overall).