The Register's recent story about the failure of most UK high street banks to follow web security best practices has provoked a lively debate among security experts.
Tests of six banks revealed sketchy support for HTTP Strict Transport Security (HSTS), a cryptographic technology introduced in October 2012 and designed to protect websites against protocol downgrade attacks and cookie hijacking.
Security researcher Scott Helme and encryption expert Professor Alan Woodward were both adamant that this was a serious failing, not least because updating to support the technology would be straightforward, but other experts aren't so sure.
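The check behind this kind of test is easy to script. The block below is an added example, not code from The Register or from any of the banks: it parses a Strict-Transport-Security header value along the lines of RFC 6797 and flags the weak settings (header absent, max-age missing or too short, no includeSubDomains). The one-year threshold is a policy choice made here, not a figure from the article.

```python
"""Assess a Strict-Transport-Security (HSTS) response header value."""
import re

# Directive names are case-insensitive tokens; values may be tokens or quoted-strings.
_TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
_DIRECTIVE_RE = re.compile(r'^(' + _TOKEN + r')\s*(?:=\s*(?:"([^"]*)"|(' + _TOKEN + r')))?$')

# Threshold chosen for this check (an assumption, not from the article): one year.
MIN_MAX_AGE = 31536000


def parse_hsts(header_value):
    """Parse an HSTS header value into {directive_name: value_or_None}.

    Returns None if the value is malformed or repeats a directive, which
    RFC 6797 treats as invalid. Simplification: ';' inside a quoted value
    is not supported.
    """
    directives = {}
    for piece in header_value.split(";"):
        piece = piece.strip()
        if not piece:                       # empty directives are allowed by the grammar
            continue
        m = _DIRECTIVE_RE.match(piece)
        if not m:
            return None
        name = m.group(1).lower()
        if name in directives:
            return None
        directives[name] = m.group(2) if m.group(2) is not None else m.group(3)
    return directives


def assess_hsts(header_value, min_max_age=MIN_MAX_AGE):
    """Return (ok, findings) for a server's HSTS header (None means it sent none)."""
    if header_value is None:
        return False, ["no Strict-Transport-Security header: downgrade to http:// is not prevented"]
    directives = parse_hsts(header_value)
    if directives is None:
        return False, ["malformed header: browsers ignore it entirely"]
    findings = []
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age directive missing or not numeric: header is ignored")
    elif int(max_age) == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif int(max_age) < min_max_age:
        findings.append(f"max-age {max_age} is below {min_max_age} seconds")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains absent: plain-http subdomains stay outside the policy, "
                        "leaving the cookie-hijacking case HSTS is meant to close")
    return not findings, findings
```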
Martijn Grooten, security researcher and editor of industry journal Virus Bulletin, argued that support of weaker ciphers by banks has "little to no practical impact". By contrast, excluding customers with insecure set-ups would be commercially damaging.
"Customers not being able to access online banking because the bank stubbornly insists on strong crypto is a far bigger concern than the crypto being broken," Grooten said. "And rightly so."
Per Thorsheim, an infosec researcher who founded the PasswordsCon conference, said that most banking fraud relies on planting malware on users' computers or phishing rather than exploiting server-side encryption weaknesses. "Lack of HSTS is laziness, but not really a threat today," he said.
El Reg invited RBS/NatWest (the worst performer) to comment on the poor security ratings of its websites and criticism over the failure to support HSTS. We're yet to receive a substantive response. Independent security experts were, however, able to offer rationales for banks' apparent tardiness in adopting up-to-date cryptographic technologies.
Software engineer Chris McKee commented: "Change requests probably take about 200 meetings, five levels of management that don't even understand the change and an audit trail nine miles long."
Security consultant Kevin Beaumont said: "Lots use OSes [that] don't support modern standards. PCI delayed implementation of standards for several years for this reason. Even the TLS 1.1 requirement [is] delayed indefinitely now.
"The TLS 1.1 requirement is currently June 2018, however that has been delayed many times. The ironic thing is that POS [Point of Sale] devices are 'exempt' – but the biggest (and probably only) risk."
Professor Alan Woodward, a computer scientist at the University of Surrey, stuck by his assessment in our original article.
"I think you're all violently agreeing: HSTS is not a panacea but not to do it makes little sense, especially for sensitive data such as a bank," he concluded. ®