Banks of Armenia: SSL/TLS implementation in on-line banking platforms

Online banking in Armenia: SSL reports.
All tests done by Qualis SSL Labs test


Best

• ACBA online banking - test result - Rating A

• BTA online banking - test result - Rating A

• Converse Bank online banking  test result - Rating A

• Inecobank online banking - test result - Rating A

• ProCredit Bank online banking - test result - Rating A

• ArmSwissBank online banking - test result (2nd IP) - Rating A-

The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-

Good

• ArCa virtual card - test result - Rating B

This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.   

This server accepts the RC4 cipher, which is weak. Grade capped to B.  

• Ameriabank online banking - test result - Rating B

Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2.
This server accepts the RC4 cipher, which is weak. Grade capped to B.

• Byblos Bank Armenia online banking - test result - Rating B

This server accepts the RC4 cipher, which is weak. Grade capped to B. 

• HSBC online banking - test result - Rating B

Intermediate certificate has a weak signature. Upgrade to SHA2 as soon as possible to avoid browser warnings. 

This server accepts the RC4 cipher, which is weak. Grade capped to B.

• ArmBusinessBank online banking ֊ test result (2nd IP) Rating B

This server accepts the RC4 cipher, which is weak. Grade capped to B.
The server does not support Forward Secrecy with the reference browsers.

Good - 

• Anelik Bank online banking - test result - Rating C

This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C. 

• Areximbank online banking - test result - Rating C

The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C.

• Ararat Bank online banking - test results - Rating C

This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.

Worst

• Armenian Development Bank online banking - test result (2nd IP) - Rating F

This server supports SSL 2, which is obsolete and insecure. Grade set to F.
This server uses SSL 3, which is obsolete and insecure. Grade capped to B.

• Prometey Bank online banking - test result - Rating F

This server supports SSL 2, which is obsolete and insecure. Grade set to F.

This server is vulnerable to the POODLE attack against TLS servers. Patching required. Grade set to F.

• VTB Armenia online banking - test result - Rating F

"This server supports SSL 2, which is obsolete and insecure. Grade set to F"
This server uses SSL 3, which is obsolete and insecure. Grade capped to B.

• Unibank online banking  test result (2nd IP) Rating F

This server supports SSL 2, which is obsolete and insecure. Grade set to F.

This server supports 512-bit export suites and might be vulnerable to the FREAK attack. Grade set to F.   

This server is vulnerable to the POODLE attack against TLS servers. Patching required. Grade set to F. 

Specific

• Ardshinbank online banking (only for business, for individuals they transfering clients to Arca.am)   The bank providing specific sertificates for clients to reach the server. 

Unknown

• Armeconombank impossible to check because system is using specific :8083 port for login page 

Out of Galaxy

Couldnt find any information about online banking from ArtsakhBank. If you have any information do not hasitate to contact me.