Here is a short survey I carried out of the encryption levels used by UK banks on their online banking systems, and of whether they use EV (extended validation) security certificates.
Ideally, sites such as those that deal with money should be using the strongest encryption available (256-bit AES) and use an EV certificate (the green bar) to allow the user to verify that the site isn’t a hoax.
| Bank name | Bit strength | EV? |
|---|---|---|
| Lloyds TSB | 256-bit AES | No |
| Alliance & Leicester | 128-bit RC4 | No |
| Co-operative Bank | 128-bit RC4 | No |
All tests were carried out with Firefox 3 Beta 5 running on Windows, and the data is taken from the login screens only, not from actual online banking sessions.
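The survey above reads the cipher and certificate details off the browser's page-info dialog. The script below is an added example, not the author's method, showing how the same two checks can be scripted: it records the cipher suite a server negotiates with Python's `ssl` module and looks for an EV certificate policy in the server certificate. Two things are assumptions: the EV policy OID `2.23.140.1.1` is the CA/Browser Forum's shared EV identifier, which post-dates this survey (EV certificates of that era carried CA-specific policy OIDs instead), and the DER fragment at the bottom is constructed for offline testing, not a real certificate.

```python
import socket
import ssl

# CA/Browser Forum EV certificate policy OID (assumption: modern EV certificates
# assert it; older ones used per-CA policy OIDs, so absence is not proof of no EV).
EV_POLICY_OID = "2.23.140.1.1"


def encode_oid(dotted):
    """DER-encode a dotted OID as a full TLV: tag 0x06, short-form length, value."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])   # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                      # base-128, high bit set on all but last
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(chunk)
    if len(body) >= 128:
        raise ValueError("OID too long for short-form length encoding")
    return bytes([0x06, len(body)]) + bytes(body)


def has_policy_oid(cert_der, dotted):
    """True if the DER certificate contains the given OBJECT IDENTIFIER TLV.

    A byte search is a deliberate simplification: a full ASN.1 parser would walk
    to the certificatePolicies extension, but an OID TLV is unambiguous enough
    for an audit report.
    """
    return encode_oid(dotted) in cert_der


def grade_cipher(cipher):
    """Classify an ssl.SSLSocket.cipher() tuple (name, protocol, secret_bits)."""
    name, _protocol, bits = cipher
    if "RC4" in name or bits < 128:
        return "weak"
    if bits >= 256:
        return "strong"
    return "adequate"


def inspect_login_page(host, port=443, timeout=5.0):
    """Connect with a verifying default context and report the negotiated cipher and EV status."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher = tls.cipher()
            der = tls.getpeercert(binary_form=True)
    return {
        "host": host,
        "cipher": cipher[0],
        "protocol": cipher[1],
        "bits": cipher[2],
        "grade": grade_cipher(cipher),
        "ev_policy": has_policy_oid(der, EV_POLICY_OID),
    }


# Constructed test fragment (not a real certificate): a certificatePolicies
# SEQUENCE holding one PolicyInformation SEQUENCE that names the EV OID.
CONSTRUCTED_POLICIES = b"\x30\x09\x30\x07" + encode_oid(EV_POLICY_OID)


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        print(inspect_login_page(host))
```

Run it as `python audit.py <bank-login-hostname>`. Just as the survey's figures reflect what Firefox 3 negotiated, the cipher reported here is whatever the server picks from the suites Python's default context offers; that context no longer offers RC4 at all, so a server that supports only RC4 fails the handshake rather than showing up as "weak".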
The test results are slightly concerning. Though RC4 is largely safe, there is a growing number of attacks against it, most notably where it is used to secure WEP wireless networks. AES, by contrast, has fewer known flaws and should be in wider use.
The lack of sites with EV certificates is also surprising, particularly as phishing is a growing problem and all of the sites listed here have been targeted in emails that I have seen. Only two sites have them, and those two are owned by the same parent company and share the same domain.