El Reg assesses crypto of UK banks: Who gets to wear the dunce cap?
It's almost 2018 and the lack of HSTS makes no sense
Analysis High street banks should be exemplars of good security but many are letting the side down when it comes to following cryptographic best practice.
Tests by security researcher Scott Helme and The Register showed a marked divergence in performance. We assessed the security of online login sites run by six UK high street banks using security tools from SSL Labs and Helme's Security Headers assessment site*. The results were mixed.
The consistent problem was a lack of support for HTTP Strict Transport Security (HSTS), a cryptographic technology introduced in October 2012 and designed to protect websites against protocol downgrade attacks and cookie hijacking.
"The risks in terms of protocols and cipher suites just show the banks aren't keeping current on the latest configuration and are letting them age in production," Helme told El Reg. "The biggest concern would be that they support HTTPS but haven't deployed HSTS. HSTS was introduced to fix two pretty serious flaws with browsers and HTTPS so they should really be looking at deploying it."
Encryption expert Professor Alan Woodward, a computer scientist at the University of Surrey, agreed.
"HSTS is such an obvious thing to do if you have an HTTPS site; I can't see why they don't," he said. "Why is it important? Because without it an attacker can find ways to hijack what a user might assume is a secure connection and conduct man-in-the-middle attacks.
"Transport Layer Security (TLS) is one of the best defences we have for ensuring the security of online transactions, so not enforcing it is quite incomprehensible... With the availability of tools like SSLStrip it's all too easy to hijack connections without HSTS."
SSL Labs: Barclays domain doesn't support Forward Secrecy, which they "absolutely should". "There is no reason not to," Helme said. The bank's certificate chain is also incomplete and has multiple HSTS headers deployed. Both these shortcomings are misconfigurations which should be addressed. SSL Labs awards Barclays' online banking site a grade B.
Security Headers: Barclays gets an A on the security headers scan, which is a solid grade. There are a couple of warnings that the bank could do with addressing but nothing too concerning, Helme added.
SSL Labs: Much like Barclays, the bank doesn't support Forward Secrecy and it really should. It's also a little worrying to see the bank still supporting the RC4 cipher – this should really be disabled now, Helme said. HSBC's online banking site gets a grade B from SSL Labs.
Security Headers: Slightly worse here too with a grade C. The most crucial thing the bank has missing is a HSTS policy which, for a secure website using HTTPS, is an absolute requirement.
HSBC's security headers
SSL Labs: A really good grade with an A for Lloyds. Helme said the thing holding it back from an A+ is really simple – HSTS.
Security Headers: Only a grade C. They really need to be deploying HSTS, Helme said. This will get the bank to an A+ on SSL Labs and to a B on Security Headers. Secure sites really do need HSTS and should also consider Content Security Policy (CSP) too, he added.
SSL Labs: NatWest's grade C is the lowest scored by all banks and there are a few concerning things on these results. The bank's certificate chain needs to be updated and it's still using weak ciphers and Diffie–Hellman parameters. This is most likely just an old configuration that hasn't had any attention for quite some time.
Security Headers: Another C grade here and the same problems again, Helme said. They have no HSTS or CSP deployed on their site. HSTS is an absolute must and has been a defined internet standard for five years now, so there has been plenty of time for adoption.
NatWest’s security headers
SSL Labs: All the same issues as NatWest, according to Helme. RBS scores a mediocre grade C with SSL Labs.
Security Headers: As per NatWest, the absence of HSTS or CSP deployment results in a relatively lower score.
SSL Labs: The best TLS (HTTPS) configuration out of the lot. "It's a shame I'm talking about the lack of Forward Secrecy yet again but this is what's holding them back from an A+," Helme said. "They really need to add support." Santander's online banking site gets an A- from SSL Labs.
Security Headers: Slightly better with a grade B here and very nice to see the bank has properly deployed HSTS, Helme said. If they deployed Content Security Policy with Upgrade Insecure Requests it'd be a perfect complement to HSTS and increase its grade to an A.
The banks could all achieve much better grades through some relatively simple steps, according to Helme.
Overall, there are some very simple steps that all of the banks could take to improve security for their customers. A lack of Forward Secrecy across the board isn't great in 2017 and again a majority of them fail to support HTTP Strict Transport Security (HSTS) too. Supporting these technologies has no negative effect, customers with newer browsers will use them and customers with older browsers would ignore them so I can't see a reason why they wouldn't deploy them. To complement their protection a CSP with Upgrade Insecure Requests (UIR) enabled would offer further security on top of HSTS. Overall it's not terrible but when we're focusing on large financial institutions I'm expecting them all to perform above average so they have a little way to go.
In March 2016, Netcraft reported that only 5 per cent of web admins had implemented HTTPS correctly.
"I was really rather shocked," Professor Woodward told El Reg. "Of course not everyone has the ability to apply HSTS (imagine sitting behind some services where it's not actually all the way back to the origin) but most larger organisations have control over such things. That figure from Netcraft is an overall figure.
"For a bank not to do it has to be a no-no. If you can envisage one dialogue that should have TLS enforced it is one where financial data, especially relating to your accounts, is being transferred."
Netcraft singled out NatWest for not implementing HSTS. Despite Netcraft's stinging critique, the bank still has not rolled out the technology 18 months later.
El Reg invited RBS/NatWest to comment on the poor security ratings of its websites and criticism over the failure to support HSTS on Tuesday. We asked them for a comment and this is the only response they sent, despite having the best part of three days in which to consider their stance: a spokesman told us: "It's been confirmed to me that we do have a number of layers protecting the website from the type of man in the middle attacks outlined in the Netcraft article."
El Reg looked at the security of online banking sites rather than the home (main) page of banks. We began the project after chatting with a Reg reader regarding concerns he had about the security of his bank's website, Barclays, after he received warnings when visiting its site from multiple computers. These warnings turned out to be a glitch but his concerns over its failure to support HSTS are altogether more substantive, as our comparative research illustrates. ®
*Security Headers analyses the HTTP response headers set by websites to see which security features they have enabled and if they are configured properly.