Innovative as polish bank
Banks operating in Poland are on the top of world innovation. They already go out of their way to offer modern solutions - mobile banking and smartphone payments. Blik payments, for example, has been built from scratch. Visa and MC did not participate in the project, which can be considered global phenomenon.
Banks also invests in to other mobile payment systems. At present they use latest technology - HCE - to implement payments using smartphones. They give up SIM-based solutions.
But still many customers use Web browser installed on PC in order to get access to their bank accounts. Let’s check if it’s safe.
Is green padlock safe?
HTTPS - is a communications protocol for secure communication over a computer network which is widely used on the Internet - Wikipedia
For many users HTTPS is a way to secure communication with a website. It gives you nice green padlock and it means all is safe with that website, you can trust it and you are free to provide credit card details, paste copy of your ID and such.
The truth is that green padlock simply represents that traffic to/from the website is encrypted. Simple as that.
“So… I’m safe, right?” - There is no simple answer to that question. Imagine main entrance to your house. Is it burglar-resistant? How tough are the doors itself? How many locks and latches do you have? If the door stopped one thief, will they stop the next one? Better equipped than the previous one?
Long story short - encryption can be implemented in many different ways. I will skip the technical details. Fortunately, there are many websites around that can perform deep analysis of the web server SSL configuration and provide results in a nice way. I list them at the end of the article.
Purpose of this article is to focus on (potential) problems with SSL configuration on web servers that are used by polish customers to access their financial informations, bank accounts and such.
All banks provides trusted & valid Server Keys and Certificates. None of them is vulnerable to popular attacks (like POODLE, BEAST), sometimes they use 64-bit block ciphers, vulnerables to birthday attack (more info) - I guess it’s due to backward compatibility with old web browsers (IE 8 / XP).
However, it would be good to review HTTP headers configuration on web servers. Many banks are still missing
X-XSS-Protection header (fortunately,
Content-Security-Policy is enabled, but what if old web browser does not support CSP?) that enables built-in reflective XSS protection. I also encourage to take a look at
Public-Key-Pins header. This one is used to deliver cryptographic identities that browser should accept from the host. Of course you can trust Certificate Authorities (CAs) in your trust store, delivered with your PC, but what if one gets compromised?
- Qualys SSL Labs: https://www.ssllabs.com/
- Analyse HTTP response headers: https://securityheaders.io/
- [PL] Analiza bezpieczeństwa połączeń HTTPS poszczególnych serwisów bankowości elektronicznych na dzień 21 czerwca 2015 http://www.krystianpiwowarczyk.pl/content/article/show/analiza-bezpieczestwa-pocze-https-poszczeglnych-serwisw-bankowoci-elektronicznych-na-dzie-21-czerwca-2015