Security | 15.04.2014

SA banks, networks, online shops SSL security rankings


When news of the Heartbleed bug in the OpenSSL software library first emerged, numerous online tools sprang up to test whether websites were vulnerable to the bug.

One of these tools is the Qualys SSL Labs server tester, which not only tests for the Heartbleed vulnerability, but also grades the security of web servers.

Qualys rates the certificate, protocol support, key exchange, and cipher strength separately and then gives an overall rating on a scale of A+ to F.

It is therefore possible to see where a site scored poorly (or well) if its grade is low (or high).

The table below shows the Qualys SSL Report summary of various South African sites from banks and online shops to mobile networks and ISPs.

Qualys SSL grade by domain

| Online banking | Overall rating | Certificate | Protocol Support | Key Exchange | Cipher Strength |
|---|---|---|---|---|---|
| netbank.nedsecure.co.za | A- | 100 | 90 | 90 | 90 |
| ib.absa.co.za | B | 100 | 70 | 90 | 90 |
| online.fnb.co.za | B | 100 | 70 | 80 | 90 |
| direct.capitecbank.co.za | B | 100 | 70 | 80 | 80 |
| encrypt.standardbank.co.za | F | 100 | 0 | 90 | 90 |

| Banks | Overall rating | Certificate | Protocol Support | Key Exchange | Cipher Strength |
|---|---|---|---|---|---|
| absa.co.za | No SSL | | | | |
| capitecbank.co.za | A- | 100 | 90 | 80 | 90 |
| standardbank.co.za | B | 100 | 70 | 90 | 90 |
| fnb.co.za | B | 100 | 70 | 80 | 90 |
| nedbank.co.za | C | 100 | 70 | 40 | 50 |

| E-commerce sites | Overall rating | Certificate | Protocol Support | Key Exchange | Cipher Strength |
|---|---|---|---|---|---|
| Wantitall | A | 100 | 90 | 90 | 90 |
| Bidorbuy | A- | 100 | 90 | 80 | 90 |
| Kalahari | B | 100 | 70 | 90 | 90 |
| Takealot (secure.takealot.com) | B | 100 | 70 | 80 | 90 |
| Gumtree | C | 100 | 90 | 40 | 60 |
| Have2have | C | 100 | 90 | 40 | 60 |
| OLX | No SSL | | | | |

| Mobile network operators | Overall rating | Certificate | Protocol Support | Key Exchange | Cipher Strength |
|---|---|---|---|---|---|
| mtn.co.za | A- | 100 | 90 | 90 | 90 |
| vodacom.co.za | B | 100 | 70 | 80 | 90 |
| myvodacom.secure.vodacom.co.za | B | 100 | 70 | 80 | 90 |
| cellc.co.za | B | 100 | 70 | 80 | 90 |

| Internet and hosting service providers | Overall rating | Certificate | Protocol Support | Key Exchange | Cipher Strength |
|---|---|---|---|---|---|
| afrihost.com | A+ | 100 | 95 | 90 | 90 |
| clientzone.afrihost.com | A- | 100 | 95 | 80 | 90 |
| webafrica.co.za | A- | 100 | 90 | 80 | 90 |
| dsl.webafrica.co.za | F (F) | 0 | 0 | 80 | 90 |
| telkom.co.za | No SSL | | | | |
| login.telkom.co.za | B | 100 | 70 | 90 | 90 |
| secureapp.telkom.co.za | B | 100 | 70 | 90 | 90 |
| cybersmart.co.za | B | 100 | 70 | 80 | 90 |
| hetzner.co.za | B | 100 | 70 | 80 | 90 |
| secure.konsoleh.co.za | B | 100 | 70 | 80 | 90 |
| @lantic (lantic.net) | B | 100 | 70 | 80 | 90 |
| axxess.co.za | C | 100 | 90 | 40 | 60 |
| ccp.axxess.co.za | C | 100 | 70 | 40 | 60 |
| myaccount.mweb.co.za | C | 100 | 70 | 40 | 60 |
| signmein.co.za (Mweb) | B | 100 | 70 | 100 | 80 |
| mweb.co.za | F | 100 | 0 | 90 | 90 |

| Other services | Overall rating | Certificate | Protocol Support | Key Exchange | Cipher Strength |
|---|---|---|---|---|---|
| DStv | C | 100 | 70 | 40 | 60 |
| Supersport | C | 100 | 70 | 40 | 60 |

Of some concern is that at least some of Standard Bank’s Internet banking servers scored an F.

In its report, Qualys justifies the grade by saying that Standard Bank’s servers are vulnerable to man-in-the-middle attacks because they support insecure renegotiation.

However, Qualys also notes in a linked article that the SSL renegotiation vulnerability had not been proven to work with the type of web requests (POST) commonly associated with Internet banking.

Mweb’s root domain and one logon domain (signmein.co.za), and WebAfrica’s dsl.webafrica.co.za site scored F’s because they reportedly support SSL2, which Qualys describes as “obsolete and insecure”.

Between the time of writing and time of publication, Mweb has improved the security on signmein.co.za to a B.

To Mweb and WebAfrica’s credit, both companies reacted quickly to queries from MyBroadband about their SSL ratings and have either fixed, or are in the process of fixing the issues.

“As you can see from the two reports [for mweb.co.za and signmein.co.za] neither site is vulnerable to the Heartbleed attack,” Mweb CEO Derek Hershaw told MyBroadband. “That’s the most important issue.”

Hershaw said that they will be withdrawing support of SSL2 and, once that is done, both servers will get a clean bill of health.

Standard Bank was contacted for comment on the poor rating of its Internet banking servers, but did not provide answers by the time of publication.
