Does UK high street banks' crappy crypto actually matter?

Alister

Get some perspective.

A lot of the commentards here seem to be misunderstanding the issues raised in the article, abetted, it has to be said, by some editorial misdirection.

Firstly, to describe the HSTS header as "Cryptographic Technology" is a gross exaggeration.

It is an HTTP header which, when read by a client browser, ensures that the browser only uses HTTPS to connect to the domain it is served from. That's all it is, nothing else, and certainly not cryptographic technology.

Secondly, the article is written in such a way as to suggest that banks have downgraded their cryptographic ciphers to the lowest common denominator, and therefore endanger everybody's security.

I've just reviewed the SSL Labs results for each of the banks tested, and I can unequivocally state that this is not true.

In all the tested cases, the banks offer the latest ECDHE_RSA_AES ciphers, and therefore modern browsers will connect using TLS 1.2 with those ciphers.

However, all of the banks tested, even Santander, the highest scoring, also offer, to a greater or lesser extent, older weaker ciphers to allow older browsers and operating systems to connect. Some of them, RBS and Natwest for example, offer really old, weak ciphers, and they should consider removing those.

It is pointed out that none of the tested banks offer PFS (Forward Secrecy). This is probably something which should be done, but relies on the correct ordering of the cipher suites offered, amongst other things, and is easy to get wrong.

So to sum up, none of the banks tested are endangering your security by only allowing weak cryptographic ciphers and HSTS is not some magic security feature.
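As an added example, not code from the comment above or from The Register, here is a small Python check for the two points the post makes: what an HSTS header actually says, and whether a server's cipher-suite ordering puts forward-secret suites first. The header value and cipher list are constructed samples, not any real bank's configuration, and suite names are assumed to be in OpenSSL or IANA style.

```python
import re

FORWARD_SECRET_KX = ("ECDHE", "DHE")  # ephemeral (EC)DH key exchange = forward secrecy

def parse_hsts(header):
    """Parse a Strict-Transport-Security value into its directives.
    Returns None when the header is absent or lacks a numeric max-age,
    in which case the browser ignores the policy entirely."""
    if not header:
        return None
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"') or True
    max_age = directives.get("max-age")
    if not isinstance(max_age, str) or not re.fullmatch(r"\d+", max_age):
        return None
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in directives,
            "preload": "preload" in directives}

def is_forward_secret(suite):
    """True when the suite's key exchange is ephemeral. Assumes OpenSSL-style
    (ECDHE-RSA-AES128-GCM-SHA256) or IANA-style names; TLS 1.3 suites
    (TLS_AES_128_GCM_SHA256, no '_WITH_') are always ephemeral."""
    if suite.startswith("TLS_") and "_WITH_" not in suite:
        return True
    tokens = suite.replace("_", "-").split("-")
    return any(tok in FORWARD_SECRET_KX for tok in tokens)

def cipher_order_report(server_preference):
    """server_preference: suites in the server's preferred order, first = most
    preferred. Reports whether FS suites are offered at all and whether every
    FS suite precedes every non-FS suite, so a client offering both ends up
    with forward secrecy when the server enforces its own order."""
    fs = [i for i, s in enumerate(server_preference) if is_forward_secret(s)]
    non_fs = [i for i, s in enumerate(server_preference) if not is_forward_secret(s)]
    return {"offers_fs": bool(fs),
            "fs_preferred": bool(fs) and (not non_fs or max(fs) < min(non_fs)),
            "first_non_fs": server_preference[non_fs[0]] if non_fs else None}

# Constructed samples (not any real bank's configuration).
SAMPLE_HSTS = "max-age=31536000; includeSubDomains"
SAMPLE_ORDER = ["AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256",
                "DHE-RSA-AES256-SHA", "RC4-SHA"]  # FS offered but not preferred

if __name__ == "__main__":
    print(parse_hsts(SAMPLE_HSTS))
    print(cipher_order_report(SAMPLE_ORDER))
```

The sample order shows the case the post describes: forward-secret suites are present, yet a server that honours its own preference list would pick AES128-SHA first.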
