Online Banking Security

Here <http://www.theregister.co.uk/2017/11/03/uk_bank_security_audit/> are the results of an audit on UK banks to check their adherence to various established security practices:

* HTTP Strict Transport Security <https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security>
* Security Headers <https://securityheaders.io/>
* Content Security Policy <https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP>
* avoidance of weak and obsolete encryption (e.g. RC4)

The result: a real mixed bag.

Has anyone done a similar thing for our banks?
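An offline checker for the four items in that audit (HSTS, the securityheaders.io set, CSP, and weak or obsolete cipher suites), added here as an example; it is not part of the thread, of the Register audit, or of any of the linked tools. It takes captured response headers and the server's offered cipher-suite names as plain Python data, so it can run against a saved capture without touching any bank. The grading thresholds (six-month HSTS max-age, the unsafe-inline/wildcard rule, the list of weak-cipher markers) are my own assumptions, and both sample responses are constructed.

```python
"""Offline grading of HTTP security headers and cipher-suite names (added example)."""

# Substrings that mark a cipher suite as weak or obsolete (assumed list: RC4, DES/3DES,
# export-grade, NULL encryption, MD5 MACs, anonymous key exchange)
WEAK_CIPHER_MARKERS = ("RC4", "DES", "EXPORT", "NULL", "MD5", "anon")
SIX_MONTHS = 180 * 24 * 3600  # assumed minimum HSTS max-age, in seconds


def parse_hsts(value):
    """Split a Strict-Transport-Security value into lowercase directive -> value."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(headers):
    value = headers.get("strict-transport-security")
    if value is None:
        return ("fail", "no HSTS header")
    d = parse_hsts(value)
    try:
        max_age = int(d.get("max-age", "0"))
    except ValueError:
        return ("fail", "HSTS max-age is not an integer")
    if max_age < SIX_MONTHS:
        return ("warn", f"HSTS max-age {max_age} is below six months")
    if "includesubdomains" not in d:
        return ("warn", "HSTS lacks includeSubDomains")
    return ("pass", f"HSTS max-age={max_age} with includeSubDomains")


def check_csp(headers):
    value = headers.get("content-security-policy")
    if value is None:
        return ("fail", "no Content-Security-Policy header")
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    # script-src falls back to default-src when absent, as the CSP spec says
    script_src = directives.get("script-src", directives.get("default-src"))
    if script_src is None:
        return ("warn", "CSP has neither script-src nor default-src")
    if "'unsafe-inline'" in script_src or "*" in script_src:
        return ("warn", "script sources allow unsafe-inline or a wildcard")
    return ("pass", "CSP restricts script sources")


def check_other_headers(headers):
    """Presence checks for the other headers securityheaders.io grades."""
    wanted = ("x-frame-options", "x-content-type-options", "referrer-policy")
    missing = [h for h in wanted if h not in headers]
    if missing:
        return ("warn", "missing: " + ", ".join(missing))
    return ("pass", "frame, sniffing and referrer headers present")


def check_ciphers(suites):
    weak = [s for s in suites if any(m in s for m in WEAK_CIPHER_MARKERS)]
    if weak:
        return ("fail", "weak/obsolete suites offered: " + ", ".join(weak))
    return ("pass", "no weak suites offered")


def audit(raw_headers, suites):
    """Lowercase the header names, run every check, and return (worst grade, details)."""
    headers = {k.lower(): v for k, v in raw_headers.items()}
    results = {
        "hsts": check_hsts(headers),
        "csp": check_csp(headers),
        "headers": check_other_headers(headers),
        "ciphers": check_ciphers(suites),
    }
    rank = {"pass": 0, "warn": 1, "fail": 2}
    overall = max((r[0] for r in results.values()), key=rank.get)
    return overall, results


# Constructed sample captures (not real bank responses): one sound, one weak
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.test",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
GOOD_SUITES = ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256"]

WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=600",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
}
WEAK_SUITES = ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA", "DES-CBC3-SHA"]

if __name__ == "__main__":
    for label, h, s in (("good", GOOD_HEADERS, GOOD_SUITES), ("weak", WEAK_HEADERS, WEAK_SUITES)):
        overall, details = audit(h, s)
        print(label, overall)
        for name, (grade, note) in details.items():
            print(f"  {name:8} {grade:5} {note}")
```

The worst single grade decides the overall result, which mirrors how the audit in the article treats any one lapse (an RC4 suite, a missing HSTS header) as pulling a bank down; a real run would feed it the headers from a captured response and the suite list from a TLS scan rather than the constructed dictionaries above.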

https://httpswatch.nz/

It's not a great look for NZ banks either.

On Sat, 4 Nov 2017 at 13:42 Lawrence D'Oliveiro <ldo(a)geek-central.gen.nz> wrote:

> Here <http://www.theregister.co.uk/2017/11/03/uk_bank_security_audit/> are the results of an audit on UK banks to check their adherence to various established security practices:
>
> * HTTP Strict Transport Security <https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security>
> * Security Headers <https://securityheaders.io/>
> * Content Security Policy <https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP>
> * avoidance of weak and obsolete encryption (e.g. RC4)
>
> The result: a real mixed bag.
> Has anyone done a similar thing for our banks?

On Nov 4, 2017 2:01 PM, "Jamie Curtis" <jamie(a)pointless.co.nz> wrote:

> https://httpswatch.nz/
>
> It's not a great look for NZ banks either.

ASB is the best. They have excellent APIs. They consider themselves more of a tech company than a bank. It's worth switching.

Cheers, William.

On Sat, 4 Nov 2017 13:42:14 +1300, I wrote:
> Here <http://www.theregister.co.uk/2017/11/03/uk_bank_security_audit/> are the results of an audit on UK banks to check their adherence to various established security practices ...

Followup <http://www.theregister.co.uk/2017/11/16/bank_security_crypto_reloaded/>: is poor crypto a bad thing? Some say yes, others say no:

Martijn Grooten, security researcher and editor of industry journal Virus Bulletin, argued that support of weaker ciphers by banks has "little to no practical impact". By contrast, excluding customers with insecure set-ups would be commercially damaging. "Customers not being able to access online banking because the bank stubbornly insists on strong crypto is a far bigger concern than the crypto being broken," Grooten said. "And rightly so."
participants (3)

- Jamie Curtis
- Lawrence D'Oliveiro
- William Mckee