SHA1 Certificates being used By Finnish financial organizations

Friday, March 6. 2015

I was browsing news feeds and read an article about Danske Bank not using SHA-256 certificate (article in Tivi, in Finnish only) in its online bank. "So what? Big deal, huh. Nobody else does either." was my instant thought. 15 seconds later ... but do they really? Let's investigate.

The reasoning about the article is, that Goole is Gradually sunsetting SHA-1. That is something they announced in September 2014, giving plenty of time for service admins to react. Google's Chrome will display HTTPS using less than SHA-256 signed certificate which is valid past 1st Jan 2017 like this:

Anbody, who takes your security seriously will be displayed like this:

The difference is with the green lock, or lack of it. Most users don't care about the lock anyway, so lot of fuss about nothing.

The bad

Organization URI Expiry Certificate signature Certificate issuer Intemediate certificate issuer(s)
Danske Bank www.danskebank.fi 2017-06-20 SHA-1 GMO GlobalSign  
OP-Pohjola www.op.fi 2015-12-12 SHA-1 Symantec VeriSign
Nordea Pankki solo1.nordea.fi 2016-04-22 SHA-1 VeriSign  
Ålandsbanken online.alandsbanken.fi 2015-07-29 SHA-1 DigiCert  
POP Pankki www.poppankki.fi 2017-03-28 SHA-1 VeriSign  
Luottokunta (Nets) dmp2.luottokunta.fi 2016-03-03 SHA-1 VeriSign  
Paytrail account.paytrail.com 2015-05-15 SHA-1 VeriSign  

The good

Organization URI Certificate signature Certificate issuer Intemediate certificate issuer(s)
S-Pankki www.s-pankki.fi SHA256 Symantec
Class 3 EV SSL CA - G3
(SHA256)

VeriSign
Class 3 Public Primary Certification Authority - G5
(SHA-1)
Aktia Pankki auth.aktia.fi SHA256 Symantec
Class 3 EV SSL CA - G3
(SHA256)

VeriSign
Class 3 Public Primary Certification Authority - G5
(SHA-1)
Säästöpankki www4.saastopankki.fi SHA256 Symantec
Class 3 EV SSL CA - G3
(SHA256)

VeriSign
Class 3 Public Primary Certification Authority - G5
(SHA-1)
Handelsbanken www4.handelsbanken.fi SHA256 Symantec
Class 3 EV SSL CA - G3
(SHA256)		 VeriSign
Class 3 Public Primary Certification Authority - G5
(SHA-1)

The conclusion

Apparently somebody does. :-) As it happens, all the banks having SHA-256 certificates are from same source: Symantec/Verisign. However, most of the institutions haven't had the time to react. There is no point to finger point (pun intended) one of them.

The information was gathered with Gnu TLS command-line tool (gnutls-cli --print-cert).

 

by Jari Turkia in Security at 15:28 | Comments (0) | Share in LinkedIn

Comments
Display comments as (Linear | Threaded)

No comments


Add Comment
E-Mail addresses will not be displayed and will only be used for E-Mail notifications.
Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.

Submitted comments will be subject to moderation before being displayed.

Calendar

Mon Tue Wed Thu Fri Sat Sun
Back November '24 Forward
        1 2 3
4 5 6 7 8 9 10
11 12 13 14 15 16 17
18 19 20 21 22 23 24
25 26 27 28 29 30  

Quicksearch

Archives

Categories

RSS feeds of this Blog

Blog Administration

Open login screen

Powered by

Parts of this serendipity template are by Abdussamad Abdurrazzaq and Jari Turkia. License