  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 250

Various banks' online banking still uses TLSv1.0: what's acceptable?

When scanning various banks' online sites from https://www.ssllabs.com/ssltest/,
the result indicates they are still using TLSv1.0 (besides 1.1 & 1.2):

https://internet-banking.dbs.com.sg/IB/Welcome
https://pib.uob.com.sg/PIBLogin/Public/processPreCapture.do?keyId=lpc
https://www.citibank.com.sg/SGGCB/JSO/signon/DisplayUsernameSignon.do

Result for citi:
https://www.ssllabs.com/ssltest/analyze.html?d=www.citibank.com.sg

I thought TLSv1.0 was deprecated as of last Jun/Jul, and v1.1 is until mid next year?
Some PT scanners report v1.0 as having the BEAST attack vulnerability, while
v1.1 has some other vulnerability.

Refer to the attached screen, which gives the scan output for Citi:
does the green color on TLSv1.2 mean it will be used first and will fall back to
v1.1/1.0 if the browser/client doesn't support it?

If this is a fallback situation, is it secure?
Attachment: SSLTLScanCiti.png
0
Asked: sunhux
4 Solutions
 
btan (Exec Consultant) commented:
The main issue with TLS 1.0 is the weak ciphers and hashes (HMAC) used, such as DES, MD5 and SHA. Furthermore, it should support PFS, which requires DH and EDH instead of RSA.

It will not be secure if the server allows the fallback to TLS 1.0 due to client support. The fallback is susceptible to a man-in-the-middle attack. See this review of the various related vulnerabilities.

https://www.contextis.com/resources/blog/manually-testing-ssltls-weaknesses-2016-edition/

Though TLS 1.0 is still widely used as the 'best' protocol by a lot of browsers that are not patched to the very latest version, it suffers from CBC chaining attacks and padding oracle attacks. The latest browsers are not supporting TLSv1.0. So it should only be used after risk analysis and acceptance. Note that PCI DSS 3.1 prohibits use of TLS 1.0 after June 30, 2016.
0
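As an added example (not btan's code nor anything from the page), here is a small auditor that splits IANA cipher-suite names into key exchange, cipher and MAC and flags the properties the answer above lists: no forward secrecy (static RSA instead of ephemeral (EC)DH), DES and 3DES, RC4, MD5 or SHA-1 HMAC, and CBC mode, which is what the BEAST and padding-oracle findings are about. The suite list is constructed to resemble a scanner's output for a server that still offers TLS 1.0-era suites next to modern ones; the grading thresholds are my own.

```python
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20_POLY1305")

# Constructed sample resembling a scanner report (not taken from any site named above).
SAMPLE_SUITES = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
]


def parse_suite(name):
    """Split an IANA suite name into (key exchange, cipher, mac-or-prf-hash)."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not a TLS suite name: {name}")
    body = name[4:]
    if "_WITH_" in body:                          # TLS 1.0 to 1.2 naming form
        kx, rest = body.split("_WITH_", 1)
        cipher, _, mac = rest.rpartition("_")
        return kx, cipher, mac
    cipher, _, mac = body.rpartition("_")         # TLS 1.3 form: always (EC)DHE, AEAD only
    return "TLS1.3_ECDHE", cipher, mac


def audit_suite(name):
    """Return the weaknesses of one suite as a list of findings, plus PFS/AEAD flags."""
    kx, cipher, mac = parse_suite(name)
    findings = []
    pfs = kx.startswith(("ECDHE", "DHE", "TLS1.3"))   # ephemeral key exchange only
    if "anon" in kx:
        findings.append("anonymous key exchange (no server authentication)")
    elif not pfs:
        findings.append("no forward secrecy (static key exchange)")
    if "EXPORT" in kx:
        findings.append("export-grade key length")
    if cipher.startswith("NULL"):
        findings.append("no encryption")
    elif cipher.startswith("RC4"):
        findings.append("RC4 (broken stream cipher)")
    elif cipher.startswith("3DES"):
        findings.append("3DES (64-bit block, Sweet32)")
    elif cipher.startswith("DES"):
        findings.append("single DES (56-bit key)")
    aead = any(marker in cipher for marker in AEAD_MARKERS)
    if "CBC" in cipher and not aead:
        findings.append("CBC mode (BEAST on TLS 1.0, padding-oracle class)")
    if not aead:                                  # for AEAD suites the suffix is the PRF hash, not an HMAC
        if mac == "MD5":
            findings.append("HMAC-MD5")
        elif mac == "SHA":
            findings.append("HMAC-SHA1 (legacy)")
    return {"suite": name, "pfs": pfs, "aead": aead, "findings": findings}


# Findings that make a suite unacceptable outright; everything else with findings is "legacy".
REJECT_MARKERS = ("no encryption", "RC4", "single DES", "export-grade", "anonymous", "HMAC-MD5")


def grade(result):
    if not result["findings"]:
        return "ok"
    text = " ".join(result["findings"])
    return "reject" if any(marker in text for marker in REJECT_MARKERS) else "legacy"


def audit_server(suites):
    """Group a server's offered suites by grade and say whether any PFS suite is available."""
    report = {"ok": [], "legacy": [], "reject": [], "pfs_available": False}
    for name in suites:
        result = audit_suite(name)
        report[grade(result)].append(name)
        report["pfs_available"] |= result["pfs"]
    return report


if __name__ == "__main__":
    for name in SAMPLE_SUITES:
        result = audit_suite(name)
        print(f"{grade(result):7} {name}: {'; '.join(result['findings']) or 'no findings'}")
```

Run it on the list a scanner gives you for your own site: anything in "reject" should be removed, "legacy" suites are the ones you keep only for the old clients discussed in this thread, and a server whose "ok" list is empty offers no forward secrecy at all.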
 
sunhux (Author) commented:
Thanks. So all those online banking sites are overdue in disabling TLSv1.0? Or did they leave it there to support older clients/browsers?
0
 
Dr. Klahn (Principal Software Engineer) commented:
Both are true.  Ideally TLS V1.0 should have been disabled as soon as new browsers became available that supported better methods.

But ... in the real world there are still people using Windows 98 machines on dial-up, who will never update their systems or their browsers.  Telling a client "We no longer support your system" is a quick way to lose customers to a bank that permits sessions using any -- or no -- security, but has an internet use agreement that says "If you use outdated software and you lose money, it's not our problem."
0
 
btan (Exec Consultant) commented:
Yes, supposedly one should not use TLS 1.0 and should not downgrade to support legacy clients. The reality is that there is still this group of incompatible clients which you probably have to "let go"; otherwise, be prepared to face the audit and testing findings and to justify this support. It is a risk-measured decision.

There is a past NIST paper on the client side, in which the higher TLS versions need to be configured in preference if they are supported at the server, which currently most are mandated to do; my environment has a strict rule on this:

Version Support

a. The client shall be configured to support TLS version 1.1.
b. The client should be configured to support TLS version 1.2.
c. The client may be configured to support TLS version 1.0.
d. If TLS version 1.0 is supported, the client shall be configured to prefer TLS 1.1 and TLS 1.2 over TLS 1.0.
e. The client shall not be configured to support SSL version 3.0 or earlier.
0
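The five rules above map directly onto a client TLS configuration. As an added example (not btan's code and not from the NIST paper), here is a Python `ssl` client context that refuses SSLv3 and earlier outright (rule e), lets the operator choose the floor (rules a to c), and always prefers the newest version the local library has (rule d, which TLS gives you for free because the client offers its maximum and the server picks the highest common version). It also includes a single-version probe of the kind a scanner runs, so you can check a server the way the question did; `probe` needs network access and the host name in the usage comment is a placeholder. Function names and the version table are my own.

```python
import socket
import ssl

# Lowest to highest, with the flag saying whether this Python/OpenSSL build can speak it.
VERSIONS = [
    (ssl.TLSVersion.SSLv3, "SSLv3", ssl.HAS_SSLv3),
    (ssl.TLSVersion.TLSv1, "TLSv1.0", ssl.HAS_TLSv1),
    (ssl.TLSVersion.TLSv1_1, "TLSv1.1", ssl.HAS_TLSv1_1),
    (ssl.TLSVersion.TLSv1_2, "TLSv1.2", ssl.HAS_TLSv1_2),
    (ssl.TLSVersion.TLSv1_3, "TLSv1.3", ssl.HAS_TLSv1_3),
]
BY_NAME = {name: value for value, name, _ in VERSIONS}


def client_context(minimum="TLSv1.2"):
    """Client context following the quoted NIST rules. `minimum` is the lowest version
    the client may speak ("TLSv1.0", "TLSv1.1" or "TLSv1.2"); SSLv3 is always refused."""
    floor = BY_NAME[minimum]
    if floor < ssl.TLSVersion.TLSv1:
        raise ValueError("rule e: SSLv3 and earlier must never be enabled")
    ctx = ssl.create_default_context()           # verifies the server certificate and hostname
    ctx.minimum_version = floor                  # rules a-c: the operator's chosen floor
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED   # rule d: newest available is offered
    return ctx


def enabled_versions(ctx):
    """Names of the versions this context will actually offer, lowest first."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    names = []
    for value, name, available in VERSIONS:
        if not available:
            continue
        if lo != ssl.TLSVersion.MINIMUM_SUPPORTED and value < lo:
            continue
        if hi != ssl.TLSVersion.MAXIMUM_SUPPORTED and value > hi:
            continue
        names.append(name)
    return names


def probe(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to exactly `version` (needs network; not part of the
    offline checks). True means the server accepted that version. False means it refused,
    or the handshake failed for another reason, including the local OpenSSL being unwilling
    to speak that version at all, so compare against enabled_versions() before trusting a False."""
    ctx = ssl.create_default_context()
    # This probe measures version support only, so certificate checks are disabled here.
    # A real client must never do this.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = BY_NAME[version]
    ctx.maximum_version = BY_NAME[version]
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    strict = client_context("TLSv1.2")
    print("strict client offers:", enabled_versions(strict))
    # Per-version check of a server, as a scanner would do (placeholder host, needs network):
    # for name in ("TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"):
    #     print(name, probe("bank.example", 443, name))
```

Note that rule a dates the NIST text: with `client_context("TLSv1.1")` you get exactly the quoted policy, while the default of "TLSv1.2" is what current guidance and PCI DSS expect, and on recent OpenSSL builds the 1.0 and 1.1 floors may be accepted by the context but still fail at handshake time because of the library's security level.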
 
Learnctx (Engineer) commented:
Yes, TLS1.0 should be disabled. But this is the real world, and in the real world, while supporting TLS1.0 might not be ideal, it is necessary. If you look at the case for Android alone, around 20% of Android devices either only support TLS1.0 or don't have TLS1.1 and TLS1.2 enabled by default (pre-KitKat devices). So what do you do, right?
0
