Some of you may already know about our sweet little tool SSLswitch which analyzes the top 1000 global sites and brands for SSL migration as well as SSL grade.

We recently came across one large financial institution that received a very poor SSL grade – an ‘M’ grade! See the report below:



As you can see above, the main reason for this grade is a warning of “Inconsistent server configuration”.

Here are the other top banks for comparison:

The reason you see a ‘C’ grade above is that, at the time of the first report, they were serving a different SSL certificate.
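An “inconsistent server configuration” warning of this kind usually means the hostname resolves to several addresses (a load-balanced pool) and not all of them present the same certificate, so the grade depends on which server answered. The script below is an added example, not SSLswitch’s own code or anything published by the author: it resolves every address behind a name, connects to each one individually with SNI set to the name, and reports whether the certificates match. The hostname `bank.example` and the `192.0.2.x` addresses are placeholders; the grouping and consistency checks work on a constructed mapping so they can be exercised offline.

```python
"""Check whether every address behind a hostname presents the same leaf certificate."""
import hashlib
import socket
import ssl
from collections import defaultdict


def resolve_all(hostname, port=443):
    """Return the distinct IP addresses (v4 and v6) the hostname resolves to."""
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def fetch_cert_fingerprint(hostname, ip, port=443, timeout=5.0):
    """Handshake with one specific address (SNI = hostname) and return the
    SHA-256 fingerprint of the certificate that server actually presented."""
    ctx = ssl.create_default_context()
    # We want to observe what is served, not validate it, so disable
    # hostname/chain checks for this probe only (order matters for the ssl module).
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def group_by_fingerprint(observations):
    """observations: mapping ip -> fingerprint (None if the handshake failed).
    Returns fingerprint -> sorted list of addresses that presented it."""
    groups = defaultdict(list)
    for ip, fingerprint in observations.items():
        groups[fingerprint].append(ip)
    return {fp: sorted(ips) for fp, ips in groups.items()}


def is_consistent(observations):
    """True when every address that completed a handshake presented the same certificate.
    Failed handshakes are reported separately and do not count as a mismatch."""
    seen = {fp for fp in observations.values() if fp is not None}
    return len(seen) <= 1


def audit(hostname, port=443):
    """Probe every address behind hostname; network access required."""
    observations = {}
    for ip in resolve_all(hostname, port):
        try:
            observations[ip] = fetch_cert_fingerprint(hostname, ip, port)
        except (OSError, ssl.SSLError):
            observations[ip] = None
    return observations


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "bank.example"  # placeholder hostname
    obs = audit(host)
    for fp, ips in group_by_fingerprint(obs).items():
        print(fp or "handshake failed", ips)
    if is_consistent(obs):
        print("consistent: all servers present the same certificate")
    else:
        print("INCONSISTENT: servers behind this name present different certificates")
```

Run it as `python check_consistency.py bank.example`; a name whose pool shows two or more fingerprints is exactly the situation a grader flags, and it is worth re-running from a second network, since DNS-based load balancing can hand different resolvers different subsets of the pool.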

After discussing with several colleagues, I decided I should tweet the screenshot at them with a powerful message.



If you’d like to raise some awareness, feel free to Retweet or Favorite the message. There’s no reason a top bank like Citibank can’t have better domain-level security when the cost/benefit ratio is so high.

After the latest celeb leaks scandal, you’d expect more companies to take note of higher grade security, especially banks.

Update: Received a reply



Is that really the best they could do to address this concern?

My reply:

@AskCiti it’s not my issue, it’s yours and your customers’ concern. Luckily, I bank elsewhere. Expected somewhat of another response! — Jonathan Tavarez (@jon_tavarez) September 10, 2014

Update #2 (Next day) – Looks like this article got Citibank’s attention thanks to Reddit’s /r/privacy, Hacker News, and everyone else who tweeted, favorited, or somehow has helped spread the message!



Update #3 (several hours later) – They’re still messing around with the SSL certificates and the grades seem to have been swapped. They are now getting the initial “inconsistent configuration” error.

Update #4 – Citigroup site traffic

Update #5 (10/24/2014) – Citigroup manages to upgrade the security grade on one server; still below average.