Introduction
Troy Hunt has recently published a blog post in which he analysed the current state of SSL/TLS support and (in)secure configurations in the Australian banking industry. It is an interesting overview and a great mechanism for raising awareness, which (judging by the updates) has already prompted some banks to make changes and improve their ratings.
I was curious how the SSL picture would correlate with another publicly available piece of information: HTTP headers, especially the security-related subset. These headers can provide valuable insights, although in my view an SSL misconfiguration generally has a bigger impact than the presence or absence of a particular header.
So I performed a small study focusing on the same set of Australian banks. I used https://securityheaders.io to simplify the collection of all headers. The headers I was interested in were (group 1):
- Strict-Transport-Security
- Content-Security-Policy
- Public-Key-Pins
- X-Frame-Options
- X-Xss-Protection
- X-Content-Type-Options
When I started analysing captured results I decided to add the following headers into the mix (group 2):
- Server
- X-Powered-By
- X-AspNet-Version
Surprisingly, I haven't observed the 3rd "usual suspect", X-AspNetMvc-Version. Perhaps banks haven't upgraded their web applications to the MVC versions yet?
It is also worth mentioning that X-AspNet-Version is only emitted by ASP.NET applications, i.e. this header is not relevant for other platforms.
All results have been collected in early May 2015 - the situation may have changed since then. It will be interesting to perform periodic checks to observe the dynamics.
Methodology
Once the raw data were captured in a table I started thinking how I could rank these findings. Here's a set of rules I came up with (I'd be very keen to hear suggestions for improvement):
- The initial state: everyone starts in a neutral state with 0 (zero) points
- If Strict-Transport-Security is present, add 2 points. HSTS is too good to be ranked equally with the other headers
- If any other header from group 1 is present, add 1 point for each header
- If the "Server" header is present:
  - Deduct 1 point if a full/non-obfuscated name is found (marked red in the table below)
  - Otherwise deduct 0.5 points (e.g. "CUA Server" doesn't disclose much and is much more benign compared to "Microsoft-IIS/7.5"; marked as orange)
- If the "X-Powered-By" header is present:
  - Deduct 1 point if a well-known framework is disclosed
  - Otherwise deduct 0.5 points (marked as orange)
- If the "X-AspNet-Version" header is present, deduct 1 point
- I took the sum for each bank and listed it as the "Score"
- Then I assigned banks to the corresponding groups based on that score:
  - Green: greater than 0
  - Yellow: 0
  - Orange: -0.5
  - Red: less than -0.5
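The scoring rules above written out as a small script, so a header set captured from any site can be ranked the same way. This is an added example, not the post's own tooling; the two judgement calls are my assumptions: a Server value counts as a full name when it carries a version number, and X-Powered-By counts as a well-known framework when it names one in KNOWN_FRAMEWORKS.

```python
import re

GROUP1 = ("Strict-Transport-Security", "Content-Security-Policy", "Public-Key-Pins",
          "X-Frame-Options", "X-Xss-Protection", "X-Content-Type-Options")
# Assumption: frameworks treated as "well-known" for the X-Powered-By rule.
KNOWN_FRAMEWORKS = ("asp.net", "php", "express")

def score_headers(headers):
    """Apply the post's scoring rules to one site's response headers."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    score = 0.0
    for name in GROUP1:
        if name.lower() in h:
            # HSTS is weighted higher than the other group 1 headers
            score += 2 if name == "Strict-Transport-Security" else 1
    server = h.get("server")
    if server is not None:
        # Assumption: a version number marks a full, non-obfuscated product name
        score -= 1 if re.search(r"\d", server) else 0.5
    powered = h.get("x-powered-by")
    if powered is not None:
        known = any(f in powered.lower() for f in KNOWN_FRAMEWORKS)
        score -= 1 if known else 0.5
    if "x-aspnet-version" in h:
        score -= 1
    return score

def colour_group(score):
    """Map a score to the colour bands used in the results table."""
    if score > 0:
        return "Green"
    if score == 0:
        return "Yellow"
    return "Orange" if score == -0.5 else "Red"

# Constructed header sets mirroring rows of the results table (not live captures).
SAMPLES = {
    "Bank West": {"Strict-Transport-Security": "max-age=31536000",
                  "Content-Security-Policy": "default-src 'self'",
                  "X-Frame-Options": "SAMEORIGIN", "X-Xss-Protection": "1; mode=block"},
    "Westpac": {"X-Powered-By": "Servlet/3.0"},
    "Teachers Mutual": {"Server": "Microsoft-IIS/8.0", "X-Powered-By": "ASP.NET",
                        "X-AspNet-Version": "4.0.30319"},
}

if __name__ == "__main__":
    for bank, hdrs in SAMPLES.items():
        print(bank, score_headers(hdrs), colour_group(score_headers(hdrs)))
```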
Results
Bank | Score | Strict-Transport-Security | Content-Security-Policy | Public-Key-Pins | X-Frame-Options | X-Xss-Protection | X-Content-Type-Options | Server | X-Powered-By | X-AspNet-Version |
---|---|---|---|---|---|---|---|---|---|---|
Bank West | 5 | Yes | Yes | No | Yes, SAMEORIGIN | Yes | No | No | No | No |
CUA | 1.5 | Yes | No | No | No | No | No | Yes, CUA Server | No | No |
Commonwealth Bank | 1 | Yes | No | No | No | No | No | Yes, Apache/2.2.3 (Red Hat) | No | No |
ING Direct | 1 | No | No | No | Yes, SAMEORIGIN | No | No | No | No | No |
AMP | 0.5 | No | No | No | Yes, SAMEORIGIN | No | No | Yes, IBM_HTTP_Server | No | No |
St George | 0.5 | No | No | No | Yes, SAMEORIGIN | No | No | Yes, Apache | No | No |
Bankmecu | 0 | No | No | No | No | No | No | No | No | No |
Bendigo Bank | 0 | No | No | No | No | No | No | No | No | No |
Beyond | 0 | No | No | No | No | No | No | No | No | No |
Greater | 0 | No | No | No | No | No | No | No | No | No |
Heritage | 0 | No | No | No | No | No | No | No | No | No |
Macquarie | 0 | No | No | No | No | No | No | No | No | No |
People's Choice Credit Union | 0 | No | No | No | No | No | No | No | No | No |
Suncorp | 0 | No | No | No | Yes, SAMEORIGIN | No | No | No | Yes, ASP.NET | No |
IMB | -0.5 | No | No | No | No | No | No | Yes, Sandstone Framework | No | No |
Westpac | -0.5 | No | No | No | No | No | No | No | Yes, Servlet/3.0 | No |
Newcastle Permanent | -1 | No | No | No | No | No | No | No | Yes, ASP.NET | No |
ANZ | -2 | No | No | No | No | No | No | Yes, Microsoft-IIS/6.0 | Yes, ASP.NET | No |
Bank of Queensland | -2 | No | No | No | No | No | No | No | Yes, ASP.NET | Yes, 2.0.50727 |
P&N | -2 | No | No | No | No | No | No | Yes, Microsoft-IIS/7.5 | Yes, ASP.NET | No |
Teachers Mutual | -3 | No | No | No | No | No | No | Yes, Microsoft-IIS/8.0 | Yes, ASP.NET | Yes, 4.0.30319 |
Update 1 - 14 June 2015: Bank West has addressed a few issues and contacted me to update the results. A quick check revealed a massive improvement - going from a "-2" score all the way to the top of the leaderboard! Congratulations to the team - thank you for taking time to improve your ranking.
This also gave me an opportunity to review the situation with the other banks from this list. Newcastle Permanent dropped 1 point for the presence of the X-Powered-By header. ANZ did the same for the Server header (IIS 6, really???). Heritage went 1 point up (removed the Server header).
Key findings
- Only the Strict-Transport-Security and X-Frame-Options security headers have been observed in the wild
- Surprisingly, there is a clear lack of wider adoption of the security headers (group 1) by the banks:
  - Only 2 banks out of 21 use HSTS - kudos to CUA and Commonwealth Bank
  - Only 4 banks use X-Frame-Options
- The situation with the group 2 headers was better: most of the banks had none of them. Some banks had several ASP.NET related headers (which took them to the bottom of the list). This is especially surprising given how easy it is to remove these headers.
- There is only a weak correlation between the SSL and HTTP header results:
  - ING Direct is the only bank that has managed to reach the top (green) category in both tests
And the last point I would like to make: some headers which are not directly related to security per se might still leak information useful to attackers. This includes:
- Set-Cookie: f5_cspm=[skipped]; - indicates presence of an F5 appliance
- Set-Cookie: citrix_ns_id=[skipped] - indicates presence of a Citrix Netscaler appliance
- Set-Cookie: ASP.NET_SessionId=[skipped]; path=/; HttpOnly - indicates an ASP.Net application even if all other headers (from group 2) have been removed
To summarise - it is a bit disappointing that we don't see a wider adoption of the HTTP security headers by the Australian banking industry. Some of these headers are trivial to implement (e.g. X-Frame-Options) and yet they provide a valuable protection layer.
I would like to encourage everyone reading this blog to get a better understanding of what all of these headers do and to start implementing at least some of them on your own web sites. This will make the Internet as a whole more secure.
Hi Dmitry,
Are you able to run your test again and update the result for Bankwest?
URL is https://ibs.bankwest.com.au/bwlogin/rib.aspx
Hi Noli,
Well done guys - massive improvement. BankWest is now at the top of the leaderboard (with a fairly big margin). Also, judging by your high score in Troy's SSL test I can clearly see that you do care about security.
Thank you,
Dmitry