The state of UK Energy Suppliers Online Security
Following a quick scan of the state of UK supermarket online security, I have repeated the exercise for the big 6 energy providers in the UK.
Here is a snapshot of some trivial checks taken on the 28th January 2016. I hope that by the time you read this, then the situation has been improved. The checks made were rather simple and I am reporting my findings, not making any suggestions or recommendations.
- Check the SSL server using the freely available Qualys SSL Labs server test.
- See if the site's login form is loaded via HTTP or HTTPS. Troy Hunt explains in his post from 2013, Troy Hunt: Your login form posts to HTTPS, but you blew it when you loaded it over HTTP why this is not a secure strategy.
The findings are in the table below.
Store | SSL Labs Score | HTTP Login Form | SSL Issues |
---|---|---|---|
E.ON | A | No | |
nPower | A- | No | 1 |
British Gas | B | No | 2 |
SSE | C | No | 3 |
EDF | C | Yes | 4 |
Scottish Power | C | Yes | 5 |
SSL Issues
- The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-
- This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B. This server accepts RC4 cipher, but only with older protocol versions. Grade capped to B.
- The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C. There is no support for secure renegotiation.
- The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C. There is no support for secure renegotiation.
- The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C. This server accepts RC4 cipher, but only with older protocol versions. Grade capped to B.
As with the supermarkets, the providers are not all providing the best online secure service practical.