Australian Internet banking and CDNs
Note: I do not care if their home page is on a CDN what matters is that the banking credentials and financial information is end to end encrypted from the financial institution and to your browser. There are no grantees that this is the case even with TLS. TLS might be terminated earlier e.g by a load-balancer or a CDN. I only checked the login pages since I don't have an account in all of the banks, that would be crazy. I tried to use Whois data and HTML headers to determine CDNs. This method is not foolproof so please take it with a grain of salt
| Hostname | CDN / Cloud Firewall | Uses 3rd party assets without Subresource Integrity | SSL Labs score | comments |
|---|---|---|---|---|
| internetbanking.suncorpbank.com.au | Incapsula | Yes | A | IP is owned by Incapsula |
| banking3.anz.com | B | IP address owned by ANZ but has relation to "SingTel Optus Pty Ltd". Uses lots of type="hidden" fields on login form, |
||
| banking.westpac.com.au | Yes | B | The IP block is registered to westpac with relations to stgeorge.com.au (merger) | |
| ib.nab.com.au | Akamai | Yes | blacklisted | IP is owned by Akamai |
| ibanking.stgeorge.com.au | No | B | The IP block is registered to the financial institution. No 3rd-pary resources | |
| www.ib.boq.com.au | Nextgen Networks | No | B | IP is owned by Nextgen Networks. Two image (gif) requests, one to 127.0.0.1 and one to 138.217.54.116 |
| digital.bankaust.com.au | Yes | B | IP owned by Data Action Pty Ltd Requests to google-analytics.com and userservices.vip.symantec.com | |
| www.my.commbank.com.au | Akamai | Yes | A+ | IP is owned by Akamai |