Security

Sainsbury's Bank web pages stuck on crappy 20th century crypto

'Someone there should be beaten to a pulp with a keyboard'

Bank vault

Update Sainsbury's Bank website still relies on insecure cryptography protocols that more security conscious organisations have abandoned as obsolete.

The UK supermarket-owned bank’s "secure" site rates an “F” in tests using the industry standard Qualys’ SSL Labs service – chiefly because of the support for protocols security experts reckon are well past their sell-by date.

TL-aiSle

“Shocking really: RC4, SHA-1 cert and other issues,” Mal M, the Reg reader who brought the issue to our attention, commented. “Someone there should be beaten to a pulp with a keyboard.”

The practical upshot here is that Sainsbury's Bank is not following industry best practice, creating an added risk as a result, not that customer details have been exposed much less leaked.

The class of security risk here is one that other UK banks among other organisations have had issues with in the past. ®

Updated to add

In response to queries from El Reg, Sainsbury's Bank stated that customers should have no concern because multiple layers of security make the site safe.

Customers visiting the Sainsbury’s Bank website can rest assured that they are protected at all times by multiple layers of online security. We continually act to strengthen the protection of our online customer services through security improvement initiatives.

Sponsored: Magic quadrant for enterprise mobility management suites