While working on my latest video (https://www.agilicus.com/risk-vs-reach), I came across this bank, www.surugabank.co.jp.
- Uses HTTP by default? Check.
- No Content-Security-Policy? Check.
- No Secure Cookies for Session? Check.
- No HTTP Strict Transport Security? Check.
- No XSS protection? Check.
- Uses RC4 for cipher? Check.
- TLS 1.0 and 1.1? Check.
- No Forward Secrecy? Check.
- POODLE? Check.
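An added example, not from the original post: a Python check for the first four items in the list, run over constructed response headers for the placeholder host bank.example. The function names and sample data are assumptions for illustration; the TLS items (RC4, TLS 1.0/1.1, forward secrecy, POODLE) need a handshake-level scanner and are not covered.

```python
from urllib.parse import urlsplit


def cookie_attrs(set_cookie):
    """Split one Set-Cookie value into (cookie name, set of lower-cased attribute names)."""
    name_value, *attrs = [p.strip() for p in set_cookie.split(";")]
    name = name_value.split("=", 1)[0]
    return name, {a.split("=", 1)[0].lower() for a in attrs if a}


def audit(url, headers):
    """headers is a list of (name, value) pairs, since Set-Cookie may repeat."""
    names = {k.lower() for k, _ in headers}
    findings = []
    if urlsplit(url).scheme != "https":
        findings.append("served over plain HTTP")
    if "content-security-policy" not in names:
        findings.append("no Content-Security-Policy")
    for k, v in headers:
        if k.lower() == "set-cookie":
            name, flags = cookie_attrs(v)
            if "secure" not in flags:
                # Without Secure the browser also sends the cookie over http://
                findings.append(f"cookie {name} lacks Secure")
    if "strict-transport-security" not in names:
        findings.append("no Strict-Transport-Security")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK = ("http://bank.example/", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly"),
])
HARDENED = ("https://bank.example/", [
    ("Content-Type", "text/html"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
])

if __name__ == "__main__":
    for label, (url, hdrs) in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(url, hdrs) or "no findings")
```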
Is this a real bank? Or some fake page to trap security investigators? It does seem like it is the investor relations and corporate site of a real bank, one which is not instilling much confidence in me.
Oh yeah, my new video. It's at the bottom (and I go through some more detail on the associated blog post on my company blog). Please consider subscribing to the YouTube channel. Or better yet, follow the company on LinkedIn; it helps a lot!