When news of the Heartbleed bug in the OpenSSL software library first emerged, numerous online tools sprang up to test whether websites were vulnerable to the bug.
One of these tools is the Qualys SSL Labs server tester, which not only tests for the Heartbleed vulnerability, but also grades the security of web servers.
Qualys rates the certificate, protocol support, key exchange, and cipher strength separately and then gives an overall rating on a scale of A+ to F.
It is therefore possible to see which of these components pulled a site's grade down (or pushed it up).
The table below shows the Qualys SSL Report summary of various South African sites from banks and online shops to mobile networks and ISPs.
[Table: Qualys SSL Grade by domain, with columns Overall rating, Certificate, Protocol Support, Key Exchange and Cipher Strength, grouped into Online banking; Banks; E-commerce sites; Mobile network operators; Internet and hosting service providers; Other services. Individual domain rows not included.]
Of some concern is that at least some of Standard Bank's Internet banking servers scored an F.
In its report, Qualys justifies the grade by saying that Standard Bank's servers are vulnerable to man-in-the-middle attacks because they support insecure renegotiation.
However, Qualys also notes in a linked article that the SSL renegotiation vulnerability had not been proven to work with the type of web request (POST) commonly associated with Internet banking.
Mweb’s root domain and one logon domain (signmein.co.za), and WebAfrica’s dsl.webafrica.co.za site scored F’s because they reportedly support SSL2, which Qualys describes as “obsolete and insecure”.
Between the time of writing and time of publication, Mweb has improved the security on signmein.co.za to a B.
To Mweb and WebAfrica’s credit, both companies reacted quickly to queries from MyBroadband about their SSL ratings and have either fixed, or are in the process of fixing the issues.
“As you can see from the two reports [for mweb.co.za and signmein.co.za] neither site is vulnerable to the Heartbleed attack,” Mweb CEO Derek Hershaw told MyBroadband. “That’s the most important issue.”
Hershaw said that they will be withdrawing support for SSL2 and, once that is done, both servers will get a clean bill of health.
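As an added illustration (not taken from the article, Qualys, or any of the companies named above), the Apache mod_ssl fragment below shows the kind of configuration that earns an F for SSL2 support next to the corrected form, and also keeps insecure renegotiation switched off, which is the issue Qualys raised against the banking servers. The hostname is a placeholder, and the corrected block goes slightly beyond the article by dropping SSLv3 as well.

```apache
# WEAK (hypothetical): on older Apache/OpenSSL builds "all" still includes
# SSLv2, and turning SSLInsecureRenegotiation on re-opens the renegotiation
# weakness that Qualys flags as a man-in-the-middle risk.
<VirtualHost *:443>
    # placeholder name, not a real site
    ServerName example.invalid
    SSLEngine on
    SSLProtocol all
    SSLInsecureRenegotiation on
</VirtualHost>

# CORRECTED: refuse SSLv2 (and SSLv3) outright, and leave insecure
# renegotiation disabled so only RFC 5746 secure renegotiation is accepted.
# The server's OpenSSL must be 0.9.8m or later for secure renegotiation.
<VirtualHost *:443>
    # placeholder name, not a real site
    ServerName example.invalid
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLInsecureRenegotiation off
</VirtualHost>
```

After reloading the server, the result can be confirmed with `openssl s_client -connect <host>:443`, whose output should contain "Secure Renegotiation IS supported", and by re-running the Qualys SSL Labs test, which is how the grades in this article were obtained.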
Standard Bank was contacted for comment on the poor rating of its Internet banking servers, but did not provide answers by the time of publication.