TLS Health Report for Bank of Ireland

Bank of Ireland operates a relatively small TLS footprint, with 52 certificates identified but only 8 actively in use across 56 hosts and 26 IP addresses. The deployment is highly consolidated around a single CA: DigiCert Ireland Limited, which issued 7 of the 8 active certificates. RSA keys are exclusively used, with no ECDSA adoption noted.

Certificate Lifecycle & Expiry Status

The majority of certificates are in good standing, with only one certificate expiring within the next month. This certificate covers critical services such as autodiscover.boi.com, email.boi.com, and hybrid.boi.com and expires on 2025-11-12. There is one expired certificate (events.boi.com, issued by QuoVadis Limited), which should be revoked or removed from production endpoints.

TLS Version Deployment

The environment is mostly modern, with 12 hosts supporting TLS 1.2 and 9 supporting TLS 1.3. However, legacy protocols are still present, with 4 hosts offering TLS 1.1 and 1 host still allowing TLS 1.0, which may expose the bank to compliance risks under PCI DSS and NIST guidelines.

Cipher Suite Strength

Weak cipher support is limited to a small set of hosts but remains a concern. Findings include:

  • RC4-based ciphers on multiple hosts, including TLS_RSA_WITH_RC4_128_SHA and TLS_RSA_WITH_RC4_128_MD5, which are obsolete and vulnerable.
  • 3DES (TLS_RSA_WITH_3DES_EDE_CBC_SHA) on three hosts, exposing the system to the Sweet32 attack.
  • Presence of export-grade ciphers (TLS_RSA_EXPORT_WITH_DES40_CBC_SHA, TLS_RSA_EXPORT_WITH_RC4_40_MD5, TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5) on at least one host, which should be eliminated immediately as they are considered insecure.
  • ARIA and CAMELLIA cipher suites are also offered, indicating cipher lists that have not been pruned to a modern baseline.

Key Observations

  • Strong CA Standardization: All active certificates come from DigiCert Ireland Limited, simplifying auditing and chain management.
  • Limited ECDSA Adoption: No ECDSA certificates are deployed, which forgoes the handshake performance gains available to clients that support elliptic curve cryptography.
  • Good Renewal Hygiene: No certificates are in the 0–30 day expiry window, but vigilance is needed to avoid recurrence of expired endpoints.
  • Legacy Protocol Risk: TLS 1.0 and TLS 1.1 support should be deprecated to maintain compliance and security best practices.

Recommendations

  1. Disable TLS 1.0 and TLS 1.1 to meet compliance requirements and eliminate downgrade attack risk.
  2. Remove Weak and Export Ciphers from server configurations to prevent exploitation of outdated cryptography.
  3. Phase in TLS 1.3 and ECDSA for better performance and forward secrecy.
  4. Revoke and Remove Expired Certificates to avoid trust warnings and potential abuse.
  5. Continue Monitoring all endpoints for new certificates and unexpected changes, particularly on secondary or rarely used subdomains.

This analysis was conducted using SSLBoard’s comprehensive TLS scanning capabilities, which examine certificate transparency logs and perform live TLS protocol testing across your entire domain infrastructure.