Unsafe Clydesdale Bank website (and other organisations)

The "secure" Clydesdale Bank website is not as secure as it should and could be. I have tried to contact them about this but their staff seem supremely uninterested in this "technicality".

The ssllabs site allows one to check the security of secure web servers and gives an overall security rating. In the case of Clydesdale Bank, the rating is B and that, for a bank, is just not good enough: the problem is that they only support weak forms of encryption, i.e. encryption that can be easily cracked.

Consequently my Firefox browser does not accept a secure connection with them.* There are other sites with the same or similar problems (e.g. gooutdoors.co.uk) and again, they seem not very interested in solving this problem: my email wasn't even acknowledged.

(* It is of course always possible to change browser settings such that these "secure" sites can be used. But doing this defeats the whole idea of strong web security, so this is definitely not the way forward.)

Perhaps MSE could look into this matter (there are more sites with that problem and I am sure other people here have run into similar problems) and cajole the big players, especially if they're banks, into taking security as seriously as they expect us to take it!

Comments

  • nidO
    nidO Posts: 847 Forumite
    Incomplete information, and lacking in a technical understanding of the result, I'm afraid.

    Clydesdale's security is not ideal, but calling it unsafe and saying that its encryption can be easily cracked is a misnomer.

    SSLlabs rates the site a B maximum for 3 reasons:

    1) The system supports SSLv3. Thanks to last year's POODLE attacks many servers are stopping all SSLv3 support as the protocol is now deemed insecure, however removing SSLv3 support also means your site won't work for visitors with old browsers.
    There is a workaround to mitigate POODLE while using SSLv3, which involves using RC4 which, while deemed "insecure", is much less insecure than the POODLE vulnerability itself, and will only present a potential issue on browsers using SSLv3 which would otherwise not be able to access the site at all (with SSLv3 disabled).

    2) Supporting TLS 1.0 only, not TLS 1.2. This is not ideal but is not a major issue, TLS 1.0 is still considered secure.

    3) The server accepts RC4 which is not an ideal cipher but exists to continue allowing the use of SSLv3.

    The setup you are seeing is not an ideally secure setup but is purposeful and exists to allow the widest possible compatibility as securely as is practical. It's unlikely this setup exists purely through laziness or apathy.

    Incidentally, the current version of Firefox (37.0.2) does not by default prevent access to the site securely as you claim, it simply provides a warning that the site uses what the Firefox developers deem to be weak encryption (i.e. an RC4 cipher), but your connection to the site will work fine and will be fully TLS secured.
    If your browser prevents access to the site by default, it's something you've set or caused by a plugin you've installed.

    Security's important and it'd be nice to see it improved (my personal opinion agrees with you that SSL should be ditched entirely) but less scaremongering, please.
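    The three points nidO lists can be checked mechanically against a scanner's report. The following is an added example (my own code, not from this thread or from SSL Labs) that takes a constructed summary of a server's protocols and cipher suites and reports each issue alongside its fix; the A/B grade cap is a simplified illustration of what the thread describes, not SSL Labs' actual grading rules.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class ServerTlsSummary:
    """Constructed summary of what a scanner such as SSL Labs reports for a host."""
    host: str
    protocols: set[str]        # e.g. {"SSLv3", "TLSv1.0"}
    cipher_suites: list[str]   # OpenSSL-style suite names the server offers

@dataclass
class Finding:
    issue: str
    detail: str
    fix: str

def assess(summary: ServerTlsSummary) -> list[Finding]:
    """Flag the three configuration points discussed in the thread."""
    findings: list[Finding] = []
    if "SSLv3" in summary.protocols:
        findings.append(Finding("SSLv3 enabled",
            "POODLE is a padding-oracle weakness in SSLv3's CBC cipher suites",
            "Disable SSLv3; clients speaking TLS 1.0 or later are unaffected"))
    if "TLSv1.2" not in summary.protocols:
        findings.append(Finding("No TLS 1.2",
            "Modern clients are forced down to TLS 1.0 and cannot use AEAD (GCM) suites",
            "Enable TLS 1.2 alongside TLS 1.0; this adds compatibility rather than removing it"))
    rc4 = [c for c in summary.cipher_suites if "RC4" in c.upper()]
    if rc4:
        findings.append(Finding("RC4 cipher suites accepted",
            "Offered: " + ", ".join(rc4),
            "Remove RC4 and prefer ECDHE with AES-GCM"))
    return findings

def grade(summary: ServerTlsSummary) -> str:
    """Simplified illustration of the cap described in the thread, not SSL Labs' real rules."""
    return "A" if not assess(summary) else "B"

# Constructed inputs: the weak setup the thread describes, and a hardened variant
# that keeps TLS 1.0 plus an AES-CBC suite so older TLS clients still connect.
WEAK = ServerTlsSummary("bank.example", {"SSLv3", "TLSv1.0"},
                        ["AES128-SHA", "RC4-SHA", "RC4-MD5"])
HARDENED = ServerTlsSummary("bank.example", {"TLSv1.0", "TLSv1.2"},
                            ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"])

if __name__ == "__main__":
    for s in (WEAK, HARDENED):
        print(f"{s.host} {sorted(s.protocols)} -> grade {grade(s)}")
        for f in assess(s):
            print(f"  [{f.issue}] {f.detail}. Fix: {f.fix}")
```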
  • [Deleted User]
    [Deleted User] Posts: 2,175 Forumite
    Surely it's more unsafe that other banks use silly domains for their online banking, like https://www.nwolb.com.
  • Graham1
    Graham1 Posts: 445 Forumite
    RC4 has been deprecated (but can still be used) in Firefox since version 36. Hence the absence of the green padlock symbol even though the connection is still encrypted. Version 38 is going to disable RC4 except for white-listed sites so this is something they will have to take care of in the coming months. I doubt if their customer service people even understood what you were reporting.
  • agrinnall
    agrinnall Posts: 23,344 Forumite
    The "secure" Clydesdale Bank website is not as secure as it should and could be. I have tried to contact them about this but their staff seem supremely uninterested in this "technicality".

    The answer to your paranoia is obvious: close your account and take your money to a bank that you do consider to have adequate security.
  • @nidO: Well, your post is mostly complacent hogwash, masquerading as technospeak. It is exactly this sort of complacency that makes the Clydesdale Bank website unsafe (I stick with my original wording).
    nidO wrote: »
    The setup you are seeing is not an ideally secure setup but is purposeful and exists to allow the widest possible compatibility as securely as is practical
    Computer security, online or offline, is very hard to get right and to fall back to a known weak standard of encryption without also supporting safer standards is simply bad practice. "Widest possible compatibility" is a red herring here: web servers easily support a range of encryption methods, some more safe than others.

    The fact is that their current setup is -- completely needlessly -- unsafe and could very easily be made much safer without losing any compatibility with older platforms or adding complexity for their users. That is what my complaint is all about.

    I am visiting dozens of secure websites every week and most of them get this right... so why can't Clydesdale Bank (or Go Outdoors and O2)?
    nidO wrote: »
    Incidentally, the current version of Firefox (37.0.2) does not by default prevent access to the site securely as you claim
    The claim that FF does so by default is nowhere in my OP.

    @agrinnall: I have no account with Clydesdale Bank, I was trying to open one. And guess what: I have decided not to do so. To each his own.
  • zerog
    zerog Posts: 2,478 Forumite
    @nidO: Well, your post is mostly complacent hogwash, masquerading as technospeak.

    If you don't understand the post, then don't reply to it.
  • pmduk
    pmduk Posts: 10,682 Forumite
    so why can't Clydesdale Bank (or Go Outdoors and O2)?

    You're a consumer with the ultimate sanction - go elsewhere!
  • zerog wrote: »
    If you don't understand the post, then don't reply to it.
    You are soooo right, posting replies to stuff I don't understand is one of my many bad habits.

    But there's a simple explanation:
    -- Lua 5.3 or later (uses the // integer-division operator).
    -- Each number in s packs several letters in base 32; the loop peels off
    -- the lowest base-32 digit as the next character code (offset by 96, so
    -- 1 becomes 'a'), and a value <= 32 is emitted as-is before moving on
    -- to the next number.
    s,i,r,LANCELOT={-46,265901,179603,14631},1,'',32
    while i<5 do
        if s[i]>LANCELOT then
            c=s[i]%LANCELOT            -- next character code
            s[i]=s[i]//LANCELOT        -- drop that digit
        else
            c=s[i]                     -- final digit of this number
            i=i+1
        end
        r=r..string.char(c+3*LANCELOT) -- 3*32 = 96: 1..26 map to 'a'..'z'
    end
    print(r)
    
    (If your internal Turing machine is a wee bit rusty, copy the [STRIKE]crap[/STRIKE]code in the box (all of it), paste it here and click on 'run'.)

    On a slightly more serious note I find the prevailing insouciance regarding web security quite amazing.

    But again: to each his own.