Banks
In a previous post I wrote about the possibility of SSL communication being decrypted by a trusted certificate authority. I also mentioned Certum and Asseco. I started looking deeper into that and found out that my bank uses more than one certificate. On the main page the issuer is Certum (Unizeto), but the page used to log in to a bank account uses a different certificate.
I have been thinking about it, and the main question is: which certificates are used, and which ones are crucial? So I will check it and make a list of all banks in Poland according to the Wikipedia page (warning: Polish language). After that I may be able to say something more about security. So, let's find out more.
Technics
From the mentioned page I took the list of Polish banks and reduced it using these criteria:
- the bank has to have a web page that allows logging in to an account,
- I use links that lead to the login part of the service, not just the main page.
I decided to focus on authentication pages because they are critical for bank security.
To gather data about the certificates I use a simple method:
openssl s_client -connect <BANK_PAGE_HERE>:443
From the result we are interested in:
- the issuer of the certificate, the line starting with issuer=,
- the country of the issuer, also part of the issuer= line,
- the certificate itself, to get the object identifier (OID) required to check Extended Validation (EV).
The last part sounds terrible, but it is easy to obtain. We just process the output of:
openssl s_client -connect <BANK_PAGE_HERE>:443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -text -noout
(the </dev/null closes standard input so s_client exits right after the handshake instead of waiting for you to type) and take the value of Policy under X509v3 Certificate Policies. If more than one policy is present, I collect all of them. Example OID: 2.16.840.1.113733.1.7.23.6.
To find out what those magic numbers mean I use the service oid-info.com to look them up.
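As an added example (not code from the original post), here is a small Python script that does the post-processing just described on constructed input: it parses the issuer= line that s_client prints, pulls the dotted Policy: OIDs out of openssl x509 -text output, decides EV membership against the CA/Browser Forum EV OID 2.23.140.1.1 plus the CA-specific EV OIDs that appear on the EV = YES rows of the table below, and counts banks per issuer the way the second table does. The issuer strings are the ones from the table; the certificate excerpts are constructed in the layout OpenSSL prints, and treating any policy OID outside that set as non-EV is an assumption of the example.

```python
import re
from collections import Counter

# EV policy OIDs: the CA/Browser Forum EV OID (2.23.140.1.1) plus the
# CA-specific OIDs found on the "EV = YES" rows of the table. Treating any
# other policy OID as non-EV is an assumption of this example.
EV_POLICY_OIDS = {
    "2.23.140.1.1",                # CA/Browser Forum EV
    "2.16.840.1.113733.1.7.23.6",  # Symantec
    "2.16.840.1.113733.1.7.48.1",  # thawte
    "1.3.6.1.4.1.14370.1.6",       # GeoTrust
    "2.16.840.1.114028.10.1.2",    # Entrust
    "2.16.840.1.114412.2.1",       # DigiCert
}

# Split the one-line DN only at a "/" that starts a new attribute, so a value
# containing "/" (Entrust's "OU=See www.entrust.net/legal-terms") stays whole.
_DN_SPLIT = re.compile(r"/(?=[A-Za-z]+=)")
# Dotted OIDs on "Policy:" lines; named policies ("X509v3 Any Policy") are skipped.
_POLICY_LINE = re.compile(r"^\s*Policy:\s*([0-9]+(?:\.[0-9]+)+)\s*$", re.M)


def parse_issuer(line):
    """Turn an s_client 'issuer=/C=US/O=.../CN=...' line into {attr: value}.
    The first occurrence of a repeated attribute (two OU= in Entrust's DN) wins."""
    line = line.strip()
    if line.startswith("issuer="):
        line = line[len("issuer="):]
    fields = {}
    for part in _DN_SPLIT.split(line):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        fields.setdefault(key.strip(), value.strip())
    return fields


def policy_oids(x509_text):
    """Collect every dotted OID on a 'Policy:' line, in certificate order."""
    return _POLICY_LINE.findall(x509_text)


def is_ev(oids):
    """EV if at least one policy OID is in the known EV set."""
    return any(oid in EV_POLICY_OIDS for oid in oids)


def classify(bank, issuer_line, x509_text):
    """One row of the first table: bank, issuer O and C, policy OIDs, EV flag."""
    issuer = parse_issuer(issuer_line)
    oids = policy_oids(x509_text)
    return {"bank": bank, "issuer": issuer.get("O", "?"),
            "country": issuer.get("C", "?"), "oids": oids, "ev": is_ev(oids)}


def count_by_issuer(records):
    """The second table: number of banks per (issuer organisation, country)."""
    return Counter((r["issuer"], r["country"]) for r in records)


def constructed_x509_text(*oids):
    """Constructed stand-in for 'openssl x509 -text -noout' output: just the
    Certificate Policies extension, laid out the way OpenSSL prints it."""
    lines = ["        X509v3 extensions:",
             "            X509v3 Certificate Policies:"]
    for oid in oids:
        lines.append(f"                Policy: {oid}")
        lines.append("                  CPS: https://example.invalid/cps")
    return "\n".join(lines) + "\n"


# Issuer lines are copied from the table; the certificate text is constructed.
SAMPLE = [
    ("Alior Bank",
     "issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Extended Validation SHA256 SSL CA",
     constructed_x509_text("2.23.140.1.1", "2.16.840.1.113733.1.7.23.6")),
    ("ING Bank Śląski",
     "issuer=/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2014 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1M",
     constructed_x509_text("2.16.840.1.114028.10.1.2", "2.23.140.1.1")),
    ("Bank Ochrony Środowiska",
     "issuer=/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Organization Validation CA SHA2",
     constructed_x509_text("1.2.616.1.113527.2.5.1.2")),
    ("Idea Bank",
     "issuer=/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Extended Validation CA SHA2",
     constructed_x509_text("1.2.616.1.113527.2.5.1.1")),
    ("PKO Bank Polski SA",
     "issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3",
     constructed_x509_text("2.16.840.1.113733.1.7.23.6", "2.23.140.1.1")),
]


def run(sample=SAMPLE):
    records = [classify(*row) for row in sample]
    return records, count_by_issuer(records)


if __name__ == "__main__":
    records, counts = run()
    for r in records:
        ev = "YES" if r["ev"] else "NO"
        print(f"{r['bank']:<24} | {r['issuer']:<26} | {' '.join(r['oids'])} | {ev}")
    for (issuer, country), n in counts.most_common():
        print(f"{issuer} | {country} | {n}")
```

The EV decision here is a plain set lookup. A browser additionally requires the OID to be registered for that particular root in its own EV list, so a certificate issued by a CA named "Extended Validation" can still be shown without the EV indicator; that is the situation the Idea Bank row in the table records.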
Data
The raw data looks like the table below. I present the names of the banks and their links not as an advert but so that you can verify my results. Data is sorted alphabetically by bank name.
bank | login page | issuer | OID | EV |
---|---|---|---|---|
Alior Bank | login.aliorbank.pl | issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Extended Validation SHA256 SSL CA | 2.23.140.1.1 2.16.840.1.113733.1.7.23.6 | YES |
Bank BGŻ BNP Paribas | login.bgzbnpparibas.pl | issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3 | 2.16.840.1.113733.1.7.23.6 2.23.140.1.1 | YES |
Bank BPH | online.bph.pl | issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Extended Validation SHA256 SSL CA | 2.16.840.1.113733.1.7.23.6 2.23.140.1.1 | YES |
Bank Gospodarstwa Krajowego | zleceniaplatnosci.bgk.pl | issuer=/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Extended Validation CA SHA2 | 1.2.616.1.113527.2.5.1.1 | NO |
Bank Millennium | bankmillennium.pl | issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Extended Validation SHA256 SSL CA | 1.3.6.1.4.1.14370.1.6 2.23.140.1.1 | YES |
Bank Ochrony Środowiska | bosbank.pl | issuer=/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Organization Validation CA SHA2 | 1.2.616.1.113527.2.5.1.2 | NO |
Bank Pocztowy | pocztowy.pl | issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Extended Validation SHA256 SSL CA | 2.16.840.1.113733.1.7.23.6 2.23.140.1.1 | YES |
Bank Zachodni WBK | centrum24.pl | issuer=/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2014 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1M | 2.16.840.1.114028.10.1.2 2.23.140.1.1 | YES |
Citibank Europe | citibankonline.pl | issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3 | 2.23.140.1.1 2.16.840.1.113733.1.7.23.6 | YES |
Credit Agricole Bank Polska | e-bank.credit-agricole.pl | issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3 | 2.16.840.1.113733.1.7.23.6 2.23.140.1.1 | YES |
Deutsche Bank Polska | dbeasynet.deutschebank.pl | issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Extended Validation SHA256 SSL CA | 2.23.140.1.1 2.16.840.1.113733.1.7.23.6 | YES |
DNB Bank Polska | mojefinanse.dnb.pl | issuer=/C=US/O=thawte, Inc./CN=thawte EV SSL CA - G3 | 2.16.840.1.113733.1.7.48.1 2.23.140.1.1 | YES |
Euro Bank | online.eurobank.pl | issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3 | 2.16.840.1.113733.1.7.23.6 2.23.140.1.1 | YES |
Getin Bank | secure.getinbank.pl | issuer=/C=US/O=thawte, Inc./CN=thawte EV SSL CA - G3 | 2.16.840.1.113733.1.7.48.1 2.23.140.1.1 | YES |
HSBC Bank Polska | www2.secure.hsbcnet.com | issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3 | 2.16.840.1.113733.1.7.23.6 | YES |
Idea Bank | secure.ideabank.pl | issuer=/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Extended Validation CA SHA2 | 1.2.616.1.113527.2.5.1.1 | NO |
ING Bank Śląski | login.ingbank.pl | issuer=/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2014 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1M | 2.16.840.1.114028.10.1.2 2.23.140.1.1 | YES |
mBank | online.mbank.pl | issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA | 2.16.840.1.114412.2.1 2.23.140.1.1 | YES |
Nest Bank | online.nestbank.pl | issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Extended Validation SHA256 SSL CA | 1.3.6.1.4.1.14370.1.6 2.23.140.1.1 | YES |
PKO Bank Polski SA | www.ipko.pl | issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3 | 2.16.840.1.113733.1.7.23.6 2.23.140.1.1 | YES |
Plus Bank | plusbank24.pl | issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Extended Validation SHA256 SSL CA | 2.16.840.1.113733.1.7.23.6 2.23.140.1.1 | YES |
Raiffeisen Polbank | moj.raiffeisenpolbank.com | issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3 | 2.16.840.1.113733.1.7.23.6 | YES |
Santander Consumer Bank | online.santanderconsumer.pl | issuer=/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2014 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1M | 2.16.840.1.114028.10.1.2 2.23.140.1.1 | YES |
Toyota Bank Polska | konto.toyotabank.pl | issuer=/C=US/O=thawte, Inc./CN=thawte Extended Validation SHA256 SSL CA | 2.16.840.1.113733.1.7.48.1 2.23.140.1.1 | YES |
Volkswagen Bank Polska | login.vwbankdirect.pl | issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3 | 2.16.840.1.113733.1.7.23.6 2.23.140.1.1 | YES |
And one more view of the data, from my point of view the more important one. Data is sorted by the number of banks secured by each issuer:
issuer | issuer country | number of secured banks |
---|---|---|
Symantec Corporation | US | 13 |
Entrust | US | 3 |
thawte | US | 3 |
Unizeto Technologies S.A. | PL | 3 |
GeoTrust Inc. | US | 2 |
DigiCert Inc | US | 1 |
Conclusions
First, I was a little surprised when I saw the result. I expected more banks to be supported by the Polish issuer Unizeto Technologies S.A.
Let's start with the bad things, even ridiculous ones.
One bank listed above uses a strange URL when you wish to see your account. It redirects you to another domain which doesn't look like a page of a bank. It has an EV certificate with the name of the bank, but I was very confused when I saw it the first time.
No bank secured by Unizeto Technologies S.A. has EV. What does that mean for a customer? When you visit such a page you see only the information that it uses SSL, but there is no information about the company (the bank).
Why do I complain about that? Many months ago Let's Encrypt started; the idea is simple: free encryption for everyone. Its certificates are recognized by the main browsers and their usage is still growing. It's a lofty goal, but it also has some consequences. Other issuers start to panic because they sell certificates and, for obvious reasons, their profit goes down. As you can expect, the quality of service falls as well. Not so long ago Google and Symantec Corporation had a small argument about certificates. In other words, it's easy to miss a man-in-the-middle attack when you only check that the page has a lock. Right now the lock only means an encrypted layer; it doesn't mean secure.
Most of the issuers come from the US. We also have foreign banks here with branches or departments in Poland, and as we can see, we didn't catch any other countries. Certainly the sample was very small, but I suppose we may say something about the trend. If we go back to the main thread of this post, we found out that most banks in Poland use US SSL issuers. And again we have some new food for thought. Is it good or is it bad? The answer, I suppose, is: it depends.