
Bank harasses user because he tweeted screenshot of their SSL certificate - passepartout
http://ebalaskas.gr/blog/2015/03/13/web-bank-security/
======
spectre256
It's dangerously close to a passive-aggressive pitchfork mob, but I propose
that many people start tweeting to Greek banks regarding their SSL
configurations. The National Greek Bank, for example, scores an F on the SSL
Labs Test because they are using TLS 1.0 and are vulnerable to POODLE:

[https://www.ssllabs.com/ssltest/analyze.html?d=nbg.gr](https://www.ssllabs.com/ssltest/analyze.html?d=nbg.gr)

their twitter account is:
[https://twitter.com/ibanknbg](https://twitter.com/ibanknbg)

EDIT: The most effective outreach will be friendly and respectful, if anyone
chooses to do this. Also, all the other major Greek banks score poorly:

Piraeus Bank Score: F!
[https://www.ssllabs.com/ssltest/analyze.html?d=www.piraeusba...](https://www.ssllabs.com/ssltest/analyze.html?d=www.piraeusbank.gr&s=199.83.134.245)
twitter: [https://twitter.com/skepsouprasina](https://twitter.com/skepsouprasina)

Alpha Bank: B
[https://www.ssllabs.com/ssltest/analyze.html?d=www.alpha.gr&...](https://www.ssllabs.com/ssltest/analyze.html?d=www.alpha.gr&s=193.193.185.72)
twitter: [https://twitter.com/alpha_bank](https://twitter.com/alpha_bank)

Eurobank: Score: F!
[https://www.ssllabs.com/ssltest/analyze.html?d=eurobank.gr](https://www.ssllabs.com/ssltest/analyze.html?d=eurobank.gr)
twitter: [https://twitter.com/Eurobank_Group](https://twitter.com/Eurobank_Group)

~~~
AlyssaRowan
Let's be crystal-clear: All of these fail PCI compliance, because they have
RC4 enabled. These sites have no business processing anything, let alone
personal or financial info.

Yes, having RC4 enabled is now an instant PCI compliance fail, as it has a
die-die-die RFC and, as a result, NIST changed it, on request, to a CVE grade
above 4.0 -
[https://tools.ietf.org/html/rfc7465](https://tools.ietf.org/html/rfc7465) -
[https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2566](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2566)
- web browsers have already started turning it off.

~~~
oasisbob
As an aside, bank websites don't necessarily fall in-scope for PCI.

I worked for a small credit union, and we were beholden to our state auditors,
FFIEC guidance, and the like -- but PCI simply wasn't a thing we worried
about.

~~~
AlyssaRowan
Interesting. I know far, far less about the regulatory side than the practical
side. I gather it's focused mainly on merchants, but the card providers
themselves founded it?

I'm not sure what I can say except not every bank seems to share that view
(although as said in other comments, quite a few banks do indeed have
_paleolithic_ systems in unexpected places, and that tends to extend to their
security practices - I am not able to name any names, but I can wave in the
vague general direction of things which involve VAXen, COBOL and
DES-and-I-don't-mean-3DES, all of which thankfully predate me). But I'm not exactly
familiar with US banking practices (thankfully): did the credit union just not
issue any Visa/Mastercard/etc cards? Huh.

------
madaxe_again
You're all talking about the bank's response - but I actually think his
employer's reaction was worse.

Threatening to fire him for a tweet from a personal account? What Kafkaesque
bullshit is this? Frankly, I'd be taking them to a tribunal - and I'm an
employer. The idea of pulling that kind of shit on anyone fills me with
disgust.

~~~
wodenokoto
"Some guy who is wrong is threatening to beat me up unless I hit you or you
change your tweet"

It's not like the employer said "you wrote an unfriendly tweet now you are
fired!" The bank was threatening the employer with legal action unless action
was taken.

~~~
madaxe_again
Yeah, and any employee with a shred of self respect would tell the bank to go
hang. I've had clients complain about what staff say on social media (not
about clients or work!), I just tell them it's none of their or my business,
and if they really care, get your lawyers in touch.

Nobody has.

------
simonmales
I really hope the bank gets a lot of bad publicity out of this.

Marketing opportunity for other banks to jump on the bandwagon and share their
public keys on social media.

~~~
otakucode
I would sooner expect a bank to accidentally share their private key on social
media. Banks aren't bad at security by accident. They don't have good, solid
security people working for them being held back by management (as some
industries do). Banks take the long view on most things and are ill-prepared
for dealing with something like security, where the situation changes moment
by moment. They are also extremely loath (more than most industries I would
say) to spend a penny on anything which they can not predict a tangible return
on investment.

Hmm.. with the large number of security firms popping up every day, has anyone
actually done some studies and statistical analysis so that it can be said "If
you save $200,000 this year by not hiring a competent security professional,
there is a 30% chance your bank will lose more than $10 million in either
direct intrusion or public scandal"? That is the sort of thing a banker needs
to hear before he can determine whether it is actually WORTH being safe. And
even then... hiring competent security people is really hard. How is a normal
HR person supposed to be able to judge whether an applicant is competent?

------
WizKid
A friend went through the Swedish banks and ranked them (post in Swedish
[https://friendlybit.com/security/hur-sakra-ar-svenska-banker/](https://friendlybit.com/security/hur-sakra-ar-svenska-banker/) and
Google translate
[https://translate.google.com/translate?sl=auto&tl=en&js=y&pr...](https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=https%3A%2F%2Ffriendlybit.com%2Fsecurity%2Fhur-sakra-ar-svenska-banker%2F&edit-text=) )

The response he got was the banks starting to fix their problems. He had one
group of banks that he classified as "you should stay away from". All those
banks fixed things, so they are no longer in that category.

~~~
ptaipale
Interestingly, Nordea, which gets an A- in Sweden, still gets an F for their
front page in Finland. So it looks like even if the same bank operates with
the same brand name, the security level may be quite different.

Their internet banking front page domain name has a different environment
which gets a B, but most people go to it via the front page that is still
vulnerable to POODLE and what not.

~~~
silvestrov
Ditto for Denmark:
[https://www.ssllabs.com/ssltest/analyze.html?d=www.netbank.n...](https://www.ssllabs.com/ssltest/analyze.html?d=www.netbank.nordea.dk)

------
some_furry
> Firefox suggests some security concerns in the firefox console on both
> sites. Especially about how weak is sha1 algorithm. Both sites have a 2048
> public cert, the one use TLS1.2 but the other TLS1.0 and one of them have a
> 128bit private key size. You all understand that from a security point of
> view, these things aren't best practices. Especially if you are a bank !

128 bits for symmetric key ciphers is actually fine. Especially with AES.

TLS1.0 and SHA1 certificates? I'd expect better.

> The second bank has also a cross site javascript script and that’s for sure
> not a best practice. Again that’s not a security hole. They just pull a
> javascript from their official web page (although a different url/domain
> from their web banking).

Yay, watering hole attack vectors.

~~~
marcosdumay
It's a "128 bits private key", which means it's asymmetric. I fully expect it
to be an RSA key, but even for ECC that's at most half the size of something
that could be considered secure.

~~~
schoen
TLS uses several algorithms, almost always both asymmetric and symmetric
algorithms, in every session. For example, my current connection to HN is
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. And that does mean that our underlying
session key is 128 bits, independent of the size of HN's public key (which
turns out to be 2048 bits).

There is a possible argument that a 128-bit AES key and a 2048-bit RSA key are
mismatched, but a 1024-bit RSA key is clearly known to be dangerous now, while
the same is not at all true for a 128-bit AES key.

~~~
marcosdumay
Symmetric encryption does not have the concept of a "private key". A 128-bit
private key in TLS can only vary from almost useless (if it's some ECC
algorithm) to completely useless (in case it's RSA).

Too bad (but understandable) that the article does not give any detail. About
a decade ago, 128-bit RSA keys were widely used (but not recommended
anymore); I wouldn't be surprised to discover a bank didn't change their
security procedures since then.

~~~
some_furry
> Symmetric encryption does not have the concept of a "private key".

In the early days of public key cryptography, the NSA referred to it as
"non-private key cryptography".

Even today, people often refer to symmetric vs asymmetric and private vs
public interchangeably. (Yes, it can cause confusion and you will probably
never see professional cryptographers like Bernstein, Green, Lange, Schwabe,
Schneier, or Wilcox-O'Hearn refer to it that way.)

[https://en.wikipedia.org/wiki/Symmetric-key_algorithm#cite_note-1](https://en.wikipedia.org/wiki/Symmetric-key_algorithm#cite_note-1)

The author had multiple errors; it isn't beyond the limits of intellectual
generosity to assume they meant symmetric key instead of private key.

> A 128-bit private key in TLS can only vary from almost useless (if it's
> some ECC algorithm) to completely useless (in case it's RSA).

128-bit EdDSA would have about the same security as a 64-bit block cipher,
which we would consider _broken_. So I'm in full agreement there.

128-bit RSA? Totally useless.

128-bit AES? Not a concern. Usually you look at the padding, block mode, and
authentication instead.
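
The distinction drawn in this sub-thread (the "128" in a suite name is the symmetric session key, while the certificate's RSA/ECC key is a separate asymmetric size) and the RC4/PCI point made by AlyssaRowan above can be made mechanical. The following is an added illustration, not code from the article, the banks, or any commenter: it parses IANA-style suite names into their asymmetric and symmetric parts and audits a server's offered list for RC4 (RFC 7465), RC4-only configurations, legacy protocols and missing forward secrecy. The server profiles are constructed for the demonstration.

```python
"""Classify TLS cipher-suite names and audit a server's offered suites.
Added illustration, not code from the article or any bank; profiles are constructed."""
import re

WEAK_CIPHERS = {"NULL", "DES", "3DES", "RC2", "IDEA"}   # RC4 is handled separately
WEAK_MACS = {"MD5"}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0"}

def parse_suite(name):
    """Split an IANA-style suite name into key exchange/authentication (the
    certificate's asymmetric key), bulk cipher, symmetric key bits, mode and MAC.
    The '128' in AES_128 is the session key size, not the certificate key size."""
    m = re.fullmatch(r"TLS_(.+?)_WITH_(.+)", name)
    if not m:
        raise ValueError(f"not a TLS suite name: {name}")
    kx_auth, sym = m.group(1), m.group(2).split("_")
    mac = sym.pop()                                # SHA, SHA256, SHA384 or MD5
    cipher = sym[0]
    # 3DES carries no number in its name; 112 bits is its effective strength.
    bits = next((int(t) for t in sym if t.isdigit()), 112 if cipher == "3DES" else None)
    mode = "_".join(t for t in sym[1:] if not t.isdigit()) or "STREAM"
    return {"kx_auth": kx_auth, "cipher": cipher, "bits": bits, "mode": mode, "mac": mac}

def audit(server):
    """Return finding codes for a {"protocol": ..., "suites": [...]} profile."""
    parsed = [parse_suite(s) for s in server["suites"]]
    findings = []
    if server["protocol"] in LEGACY_PROTOCOLS:
        findings.append("LEGACY_PROTOCOL")         # SSLv3 / TLS 1.0 should be off
    rc4 = [p for p in parsed if p["cipher"] == "RC4"]
    if rc4:
        findings.append("RC4_OFFERED")             # prohibited by RFC 7465
    if rc4 and len(rc4) == len(parsed):
        findings.append("RC4_ONLY")                # browsers dropping RC4 cannot connect
    if any(p["cipher"] in WEAK_CIPHERS or p["mac"] in WEAK_MACS for p in parsed):
        findings.append("WEAK_PRIMITIVE")
    if not any(p["kx_auth"].startswith(("ECDHE", "DHE")) for p in parsed):
        findings.append("NO_FORWARD_SECRECY")
    return findings

# Constructed profiles: one like the F-graded banks in the thread, one acceptable.
LEGACY_BANK = {"protocol": "TLSv1.0",
               "suites": ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_RC4_128_MD5"]}
MODERN_BANK = {"protocol": "TLSv1.2",
               "suites": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                          "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"]}

if __name__ == "__main__":
    print(parse_suite("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"))
    print(audit(LEGACY_BANK), audit(MODERN_BANK))
```

The audit works on the suite list a scanner such as SSL Labs reports; it does not open network connections itself.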

------
jvehent
Along the same line, there are currently around 4,000 sites in Alexa's top 1
million that only support RC4. Nothing else.

Some of these sites have large user bases too, and it's making it hard to
disable RC4 in Firefox.
[https://bugzilla.mozilla.org/show_bug.cgi?id=1138101](https://bugzilla.mozilla.org/show_bug.cgi?id=1138101)

~~~
walterbell
That list includes Priceline, Orbitz and American Airlines. Hard to believe.

Is there a browser plugin that could report on SSL health in real-time, when
visiting a site?

------
andrewrice
Site seems to be down.

~~~
zo1
Tad ironic seeing as one of the last sentences in the blog post is: "Hope this
blog post stays up for some time." I hope the site is not down because his
domain/hosting got "convinced" by the legal department of the bank.

~~~
steego
It's more than ironic. I'm actually concerned about this guy. It appears he
might be in the cross-hairs of some individuals who are willing to leverage
whatever they have at their disposal to shut him up and maybe make an example
out of him.

------
sandstrom
Someone created a site called https-watch, to list banks, government sites
etc. that aren't using HTTPS properly but should be.

It has a built-in 'tweet to this entity' link, similar to what this guy did by
himself.

Perhaps someone can open a Greek sub-section on the site, with links to these
banks.

[https://httpswatch.com/global](https://httpswatch.com/global)

------
woah
Which bank was it?

~~~
cgtyoder
National Bank of Greece ([https://www.nbg.gr/en](https://www.nbg.gr/en),
@ibanknbg)

~~~
lepht
That's incorrect:

> The first bank contacted almost immediately with me and I respect National
> Bank of Greece for that.

~~~
cgtyoder
What's incorrect?

~~~
lepht
If you read the article, the National Bank of Greece is not the one that
harassed the author/their employer, the unnamed "second bank" did.

~~~
cgtyoder
Interesting - looks like you are correct. Could have sworn it was different
when I first read it!

------
VieElm
I support the author and what the bank did is just absolutely wrong and
outrageous, but I just want to clarify that this is not a freedom of speech
issue. Freedom of speech refers to government restrictions on limiting the
right to voice your opinion. The government wasn't involved and he didn't
legally have to remove the tweet (but I would have removed the tweet as well
if it threatened my job). I totally support the author, but this is not a
freedom of speech problem. Sometimes we limit what we say because there can be
negative consequences that have nothing to do with the government.

I recommend creating an anonymous Twitter account to remove negative pressure
that can affect employment.

~~~
marcosdumay
> The government wasn't involved

About that, when somebody threatens to sue a person and that is a credible
threat, it's because the government is involved.

The minimum guarantee of a democratic legal system is that for an innocent
that phrase isn't a threat. If there is no guarantee, it's not a democratic
system.

~~~
notahacker
Necessary conditions to ensure an innocent person need not feel threatened by
the prospect of litigation include a time, money and irritation-free trial
process and omniscient judges.

Your "minimum guarantee of a democratic legal system" is an impossibility,
unless tort law is altogether abolished, and good luck seeking democratic
approval for that...

~~~
marcosdumay
There are several ways to make it happen in practice (where things are not
boolean).

Imposing penalties on the suing party in stupid cases is one such way. One can
also make the legal system cheaper, make it less irritating (as most of the
irritation is accidental), level the playing field for people against giant
corporations (and, while we are at that, also level it for small corporations
against big corporations)... There are probably hundreds of other actions
that'll help; if none are taken, it's a huge sign that a legal system is
already broken.

