Bank harasses user because he tweeted screenshot of their SSL certificate

163 points by passepartout about 10 years ago

10 comments

spectre256 about 10 years ago
It's dangerously close to a passive-aggressive pitchfork mob, but I propose that many people start tweeting to Greek banks regarding their SSL configurations. The National Greek Bank, for example, scores an F on the SSL Labs Test because they are using TLS 1.0 and are vulnerable to POODLE:

https://www.ssllabs.com/ssltest/analyze.html?d=nbg.gr

their twitter account is: https://twitter.com/ibanknbg

EDIT: The most effective outreach will be friendly and respectful, if anyone chooses to do this. Also, all the other major Greek banks score poorly:

Piraeus Bank Score: F! https://www.ssllabs.com/ssltest/analyze.html?d=www.piraeusbank.gr&s=199.83.134.245 twitter: https://twitter.com/skepsouprasina

Alpha Bank: B https://www.ssllabs.com/ssltest/analyze.html?d=www.alpha.gr&s=193.193.185.72 twitter: https://twitter.com/alpha_bank

Eurobank: Score: F! https://www.ssllabs.com/ssltest/analyze.html?d=eurobank.gr twitter: https://twitter.com/Eurobank_Group

madaxe_again about 10 years ago
You're all talking about the bank's response - but I actually think his employer's reaction was worse.

Threatening to fire him for a tweet from a personal account? What Kafkaesque bullshit is this? Frankly, I'd be taking them to a tribunal - and I'm an employer. The idea of pulling that kind of shit on anyone fills me with disgust.

simonmales about 10 years ago
I really hope the bank gets a lot of bad publicity out of this.

Marketing opportunity for other banks to jump on the bandwagon and share their public keys on social media.

WizKid about 10 years ago
A friend went through the Swedish banks and ranked them (post in Swedish https://friendlybit.com/security/hur-sakra-ar-svenska-banker/ and Google translate https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=https%3A%2F%2Ffriendlybit.com%2Fsecurity%2Fhur-sakra-ar-svenska-banker%2F&edit-text= )

The response he got was the banks started fixing their problems. He had one group of banks that he classified as you should stay away from. All those banks fixed things so they are no longer in that category.

some_furry about 10 years ago
> Firefox suggests some security concerns in the firefox console on both sites. Especially about how weak is sha1 algorithm. Both sites have a 2048 public cert, the one use TLS1.2 but the other TLS1.0 and one of them have a 128bit private key size. You all understand that from a security point of view, these things aren't best practices. Especially if you are a bank !

128 bits for symmetric key ciphers is actually fine. Especially with AES.

TLS1.0 and SHA1 certificates? I'd expect better.

> The second bank has also a cross site javascript script and that’s for sure not a best practice. Again that’s not a security hole. They just pull a javascript from their official web page (although a different url/domain from their web banking).

Yay, watering hole attack vectors.

jvehent about 10 years ago
Along the same line, there are currently around 4,000 sites in Alexa's top 1 million that only support RC4. Nothing else.

Some of these sites have large user bases too, and it's making it hard to disable RC4 in Firefox. https://bugzilla.mozilla.org/show_bug.cgi?id=1138101

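An added example, not part of the thread or any commenter's code: a small Python audit over constructed scan records that applies the distinctions raised in the two comments above (TLS 1.0 and SHA-1 certificates are findings, a 128-bit symmetric key is not, RC4-only is). The `Observation` record, the `audit` and `report` functions and the `.example` hosts are hypothetical.

```python
from dataclasses import dataclass, field

# Protocol strings follow ssl.SSLSocket.version(); TLS 1.0 is what the thread flags.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

@dataclass
class Observation:
    """One server's TLS parameters as a scanner would record them (hypothetical shape)."""
    host: str
    protocol: str        # negotiated version, e.g. "TLSv1.2"
    cipher: str          # negotiated suite, OpenSSL naming
    secret_bits: int     # symmetric key length of that suite
    cert_sig_hash: str   # hash used in the certificate's signature
    cert_key_bits: int   # size of the certificate's RSA public key
    offered: list = field(default_factory=list)  # every suite the server accepts

def audit(obs):
    findings = []
    if obs.protocol in LEGACY_PROTOCOLS:
        findings.append(f"legacy protocol {obs.protocol}")
    # The certificate's signature hash is checked here, not the "-SHA" suffix of
    # a suite name: that suffix names the record MAC, a separate question.
    if obs.cert_sig_hash.lower() in {"md5", "sha1"}:
        findings.append(f"certificate signed with {obs.cert_sig_hash}")
    if obs.offered and all("RC4" in s for s in obs.offered):
        findings.append("RC4 is the only cipher offered")
    elif "RC4" in obs.cipher:
        findings.append("RC4 negotiated")
    # 128-bit symmetric keys pass; the RSA key size is a different number.
    if obs.secret_bits < 128:
        findings.append(f"symmetric key is {obs.secret_bits} bits")
    if obs.cert_key_bits < 2048:
        findings.append(f"RSA key is {obs.cert_key_bits} bits")
    return findings

# Constructed observations; the .example hosts are placeholders.
SAMPLES = [
    Observation("bank-a.example", "TLSv1", "AES128-SHA", 128, "sha1", 2048),
    Observation("bank-b.example", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", 128, "sha256", 2048),
    Observation("shop-c.example", "TLSv1.2", "RC4-SHA", 128, "sha256", 2048,
                ["RC4-SHA", "RC4-MD5"]),
]

def report(samples=SAMPLES):
    return {o.host: audit(o) for o in samples}

if __name__ == "__main__":
    for host, findings in report().items():
        print(host, "->", findings or "ok")
```

The third record shows why key length alone is not a useful signal: RC4-SHA also reports 128 secret bits, so the rule keys on the cipher name.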
andrewrice about 10 years ago
Site seems to be down.

sandstrom about 10 years ago
Someone created a site called https-watch, to list banks, government sites etc. that aren't using HTTPS properly but should be.

It has a built-in 'tweet to this entity' link, similar to what this guy did by himself.

Perhaps someone can open a Greek sub-section on the site, with links to these banks.

https://httpswatch.com/global

woah about 10 years ago
Which bank was it?

VieElm about 10 years ago
I support the author and what the bank did is just absolutely wrong and outrageous, but I just want to clarify that this is not a freedom of speech issue. Freedom of speech refers to government restrictions on limiting the right to voice your opinion. The government wasn't involved and he didn't legally have to remove the tweet (but I would have removed the tweet as well if it threatened my job). I totally support the author, but this is not a freedom of speech problem. Sometimes we limit what we say because there can be negative consequences that have nothing to do with the government.

I recommend creating an anonymous Twitter account to remove negative pressure that can affect employment.