Why Nationwide’s SSL is broken on one of their domains

This post is just here to explain clearly to Nationwide what is wrong with the SSL configuration on their domain olb2.nationet.com.

If you visit this site in Firefox 37.0.2, you are shown this warning:

[Screenshot: the Firefox warning]

The SSL handshake is failing. Firefox isn’t very descriptive here (should they be?).

The SSL handshake is failing because Nationwide’s server does not support any cipher that Firefox considers secure. Mozilla pulled support for a number of known insecure or weak ciphers last year, one of which is TLS_RSA_WITH_RC4_128_MD5. However, this is the most secure cipher the olb2.nationet.com site supports, so the browser and the server have no cipher in common.
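The no-overlap failure described above, as an added example that is not part of the original post: a simplified model of how a TLS server picks a cipher suite from the client's offer and what it sends back when nothing matches. The code points are the IANA-registered values; the client offers and the server's weaker suite are constructed for illustration and are not captures from Firefox or from olb2.nationet.com.

```python
# Added example: simplified server-side TLS cipher suite selection.
# Code points are IANA-registered values; offers and server list are constructed.
SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
# Assumption: RC4_128_MD5 is the server's strongest suite (as the post states);
# the export suite below it is a hypothetical stand-in for anything weaker.
SERVER_SUPPORTED = [0x0004, 0x0003]
MODERN_CLIENT = [0xC02B, 0xC02F, 0x002F]  # constructed: RC4/MD5 suites dropped
LEGACY_CLIENT = [0x002F, 0x0004]          # constructed: still offers RC4_128_MD5

def encode_offer(codes):
    """Encode the ClientHello cipher_suites vector: 2-byte length, 2 bytes per suite."""
    body = b"".join(code.to_bytes(2, "big") for code in codes)
    return len(body).to_bytes(2, "big") + body

def decode_offer(data):
    """Parse a cipher_suites vector, rejecting truncated or odd-length input."""
    if len(data) < 2:
        raise ValueError("missing length prefix")
    length = int.from_bytes(data[:2], "big")
    if length % 2 or length != len(data) - 2:
        raise ValueError("malformed cipher_suites vector")
    return [int.from_bytes(data[i:i + 2], "big") for i in range(2, len(data), 2)]

def negotiate(offer, server_supported):
    """Return the first server-preferred suite the client offered, else None."""
    offered = set(decode_offer(offer))
    for code in server_supported:
        if code in offered:
            return SUITES.get(code, f"0x{code:04X}")
    return None

def server_response(offer, server_supported=SERVER_SUPPORTED):
    """Return the chosen suite name, or the TLS alert body sent on no overlap."""
    chosen = negotiate(offer, server_supported)
    if chosen is None:
        return bytes([2, 40])  # AlertLevel fatal(2), handshake_failure(40)
    return chosen

if __name__ == "__main__":
    for label, offer in (("modern", MODERN_CLIENT), ("legacy", LEGACY_CLIENT)):
        print(label, "->", server_response(encode_offer(offer)))
```

The modern offer ends in a fatal alert because the intersection is empty, while the legacy offer "succeeds" only by settling on RC4 with MD5; updating the server's suite list is the only change that makes the first case work.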

Qualys’ SSL Labs shows that the security here is poor, with the vast majority of properly configured, modern browsers failing to handshake with the server:

[Screenshot: Qualys SSL Labs results]

In addition to this, there are other issues that mean that they get a grade F – not good enough for a bank.

The issue here is not an out-of-date browser. It is an out-of-date server.

 

 

 
