
Changes to the NT Service API

By , February 3, 2018 10:25 am

All of our Validator tools have an NT Service API.

We’ve just made some changes to the NT Service API. This article documents those changes and why we made them.

The changes to the NT Service API break the existing API behaviour, and at the same time improve it.

If you are using the NT Service API, you should read this article.

For the purposes of this article I’m going to describe the NT Service API for C++ Memory Validator. The changes apply to the NT Service APIs for every C++ Validator tool; the only difference is the function name prefix: svlBVStub_, svlCVStub_, svlMVStub_, svlPVStub_ or svlTVStub_. If you can’t use the NT Service API directly because of compiler or linker issues, please consult the documentation for your Validator to see an alternative way of getting the same result.

Changes to the API

  • We changed the name of an enumeration and extended the values in the enumeration.
  • We split some functions into two parts so that they could be reused with other functions to achieve a better result.
  • We added some debugging functions to help you debug any failures when using the API.

SVL_SERVICE_ERROR

The SVL_ERROR enumeration has been renamed to SVL_SERVICE_ERROR.

The definition of SVL_SERVICE_ERROR is now in its own include file, svlServiceError.h, rather than in the NT Service API header file (svlMVStubService.h for C++ Memory Validator).

typedef enum _svlServiceError
{
   SVL_OK,                              // Normal behaviour
   SVL_ALREADY_LOADED,                  // Stub DLL already loaded into service
   SVL_LOAD_FAILED,                     // Failed to load stub DLL into service
   SVL_FAILED_TO_ENABLE_STUB_SYMBOLS,   // Loaded DLL, but failed to enable stub symbols because couldn't find function
   SVL_NOT_LOADED,                      // Couldn't unload DLL because DLL not loaded
   SVL_FAIL_UNLOAD,                     // Couldn't unload DLL because couldn't find function
   SVL_FAIL_TO_CLEANUP_INTERNAL_HEAP,   // Couldn't get the internal stub heap and thus couldn't clean it up
   SVL_FAIL_MODULE_HANDLE,              // Couldn't get the stub DLL handle so couldn't continue
   SVL_FAIL_SETSERVICECALLBACK,         // Couldn't call the set service callback
   SVL_FAIL_COULD_NOT_FIND_ENTRY_POINT, // Couldn't find the DLL entry point to start the validator
   SVL_FAIL_TO_START                    // Failed to start the Validator
} SVL_SERVICE_ERROR;

Split functionality

The previous implementation of svlMVStub_LoadMemoryValidator() and svlMVStub_LoadMemoryValidator6432() would load the Validator DLL, then start the Validator profiling the service.

The new implementation of svlMVStub_LoadMemoryValidator() and svlMVStub_LoadMemoryValidator6432() just loads the Validator DLL. It does not start the Validator profiling the service.

The reason for this change is that we wanted to allow a service manager callback to be set before the Validator starts, so that the service control manager can be kept informed during a long running instrumentation phase. This is important because a delay of more than 10 seconds without a status report will cause the service control manager to kill the service.

To set the service callback call the svlMVStub_SetServiceCallback() function.

Then start the Validator with svlMVStub_StartMemoryValidator().

Loading, Starting, Unloading the Validator

To control the loading, starting and unloading of the Validator into the service, use these functions.

extern "C" SVL_SERVICE_ERROR svlMVStub_LoadMemoryValidator();

extern "C" SVL_SERVICE_ERROR svlMVStub_LoadMemoryValidator6432();

extern "C" SVL_SERVICE_ERROR svlMVStub_StartMemoryValidator();

extern "C" SVL_SERVICE_ERROR svlMVStub_UnloadMemoryValidator();

extern "C" SVL_SERVICE_ERROR svlMVStub_SetServiceCallback(serviceCallback_FUNC callback,
                                                          void*                userParam);

svlMVStub_LoadMemoryValidator

extern "C" SVL_SERVICE_ERROR svlMVStub_LoadMemoryValidator();

To load the Validator DLL into a 32 bit service when you are working with a 32 bit Validator, or to load the Validator DLL into a 64 bit service when you are working with a 64 bit Validator, use svlMVStub_LoadMemoryValidator().

svlMVStub_LoadMemoryValidator6432

extern "C" SVL_SERVICE_ERROR svlMVStub_LoadMemoryValidator6432();

To load the Validator DLL into a 32 bit service when you are working with a 64 bit Validator, use svlMVStub_LoadMemoryValidator6432().

svlMVStub_SetServiceCallback

extern "C" SVL_SERVICE_ERROR svlMVStub_SetServiceCallback(serviceCallback_FUNC callback,
                                                          void*                userParam);

Once you have successfully loaded the Validator DLL you can set up a service callback so that the service control manager can be kept updated while the Validator is starting.

When a service is starting, Windows requires the service to inform the Service Control Manager (SCM) that it is still starting at least every ten seconds. Failure to do so results in Windows concluding that the service has failed to start, and the service is terminated. Instrumenting your service may take more than 10 seconds, depending on the complexity and size of your service.

The solution is for the Validator to periodically call a user supplied callback from which you can regularly inform the SCM of the appropriate status.

Here is an example callback which ignores the userParam. It assumes the service already holds the status handle returned by RegisterServiceCtrlHandler() and the SERVICE_STATUS structure it reports with; it reports SERVICE_START_PENDING with an increasing checkpoint so the SCM sees progress.

   // Assumed to be defined elsewhere in the service: the handle returned by
   // RegisterServiceCtrlHandler() and the status structure reported with it.
   extern SERVICE_STATUS_HANDLE sshStatusHandle;
   extern SERVICE_STATUS        ssStatus;

   void serviceCallback(void *userParam)
   {
       static DWORD dwCheckPoint = 1;

       (void)userParam;   // not used by this example

       ssStatus.dwServiceType = SERVICE_WIN32_OWN_PROCESS;
       ssStatus.dwServiceSpecificExitCode = 0;

       // No controls are accepted while the service is still starting.
       ssStatus.dwControlsAccepted = 0;

       // The Validator is still instrumenting the service, so the state is
       // START_PENDING. dwWaitHint (milliseconds) tells the SCM how long to
       // wait for the next report before concluding the start has failed.
       ssStatus.dwCurrentState = SERVICE_START_PENDING;
       ssStatus.dwWin32ExitCode = NO_ERROR;
       ssStatus.dwWaitHint = 10000;

       // The checkpoint must increase on every report to show progress.
       ssStatus.dwCheckPoint = dwCheckPoint++;

       // Report the status of the service to the service control manager.
       SetServiceStatus(sshStatusHandle, &ssStatus);
   }

svlMVStub_StartMemoryValidator

extern "C" SVL_SERVICE_ERROR svlMVStub_StartMemoryValidator();

Once you have successfully loaded the Memory Validator DLL you can start the Validator inspecting the service by calling svlMVStub_StartMemoryValidator().

svlMVStub_UnloadMemoryValidator

extern "C" SVL_SERVICE_ERROR svlMVStub_UnloadMemoryValidator();

To unload the Validator DLL from your service call svlMVStub_UnloadMemoryValidator(), do not call FreeLibrary(). svlMVStub_UnloadMemoryValidator() shuts down various communications threads and removes any hooks that the Validator may have installed.

Debugging functions

We have added the following debugging functions to the NT Service API.

Before using these functions you must first set the log file name, otherwise the other debugging functions will do nothing.

The log file is opened for each write to the log file and closed afterwards. As such these log file functions are slow. Do not use these functions in any performance sensitive task. They are intended to allow you to get debugging information out of a service when you’re trying to work out why something isn’t working, should you have problems.

extern "C" void svlMVStub_setLogFileName(const wchar_t* fileName);

extern "C" void svlMVStub_deleteLogFile();

extern "C" void svlMVStub_writeToLogFileA(const char* text);

extern "C" void svlMVStub_writeToLogFileW(const wchar_t* text);

extern "C" void svlMVStub_writeToLogFile(SVL_SERVICE_ERROR errCode);

extern "C" void svlMVStub_writeToLogFileLastError(DWORD errCode);

extern "C" void svlMVStub_dumpPathToLogFile();

svlMVStub_setLogFileName

To use any of the following logging functions you first need to set the name of the file used for logging.
Setting this filename also sets the filename used internally by some of the other API functions – you will find additional logging data from those functions that will help debug any issues with the service.

extern "C" void svlMVStub_setLogFileName(const wchar_t* fileName);

svlMVStub_deleteLogFile

extern "C" void svlMVStub_deleteLogFile();

This function deletes the log file.

svlMVStub_writeToLogFileA

extern "C" void svlMVStub_writeToLogFileA(const char* text);

Call this function to write a standard ANSI character string to the log file.

svlMVStub_writeToLogFileW

extern "C" void svlMVStub_writeToLogFileW(const wchar_t* text);

Call this function to write a Unicode character string to the log file. The characters are cast to ANSI prior to writing, so you can’t write Korean (or any other non-ANSI text) to the log file. This is simply a convenience function for writing wide character strings as easily as ANSI strings.

svlMVStub_writeToLogFile

extern "C" void svlMVStub_writeToLogFile(SVL_SERVICE_ERROR errCode);

Call this function to write a human readable description of the SVL_SERVICE_ERROR error code to the log file.

svlMVStub_writeToLogFileLastError

extern "C" void svlMVStub_writeToLogFileLastError(DWORD errCode);

Call this function to write a human readable description of the Windows error code to the log file.

svlMVStub_dumpPathToLogFile

extern "C" void svlMVStub_dumpPathToLogFile();

Call this function to write the contents of the PATH environment variable to the log file. This can be useful if you want to know what the search path is when trying to debug why a DLL wasn’t found during an attempt to load the Validator DLL.
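The load, set-callback, start and unload sequence described above, together with the logging functions, as one worked example. This is added here and is not Software Verify’s code: the svlMVStub_ function names and the SVL_SERVICE_ERROR values come from the article, while the log file path, the serviceCallback_FUNC typedef, the service-side globals and the helper names attachMemoryValidator/detachMemoryValidator are assumptions. On Windows it compiles against the real headers; elsewhere small constructed test doubles stand in for the stub DLL and the SCM so the ordering and the error handling can be exercised.

```c
/* Added example, not Software Verify's code: load -> set callback -> start,
 * with every failure logged through the debugging API and the DLL unloaded
 * through the API (never FreeLibrary). svlMVStub_* names and SVL_SERVICE_ERROR
 * values are from the article; the log path, the serviceCallback_FUNC typedef,
 * the service globals and the attach/detach helpers are assumptions. */
#include <stddef.h>

#ifdef _WIN32
#include <windows.h>
#include "svlServiceError.h"     /* SVL_SERVICE_ERROR */
#include "svlMVStubService.h"    /* svlMVStub_* prototypes */
#else
/* ---- constructed test doubles; NOT the real stub library or Win32 ---- */
typedef unsigned long DWORD;
typedef int           BOOL;
typedef void         *SERVICE_STATUS_HANDLE;
typedef struct {
    DWORD dwServiceType, dwCurrentState, dwControlsAccepted, dwWin32ExitCode,
          dwServiceSpecificExitCode, dwCheckPoint, dwWaitHint;
} SERVICE_STATUS;
#define SERVICE_WIN32_OWN_PROCESS 0x10
#define SERVICE_START_PENDING     2
#define NO_ERROR                  0
/* Subset of the article's enum; SVL_FAIL_TO_START keeps its position (10). */
typedef enum { SVL_OK, SVL_ALREADY_LOADED, SVL_LOAD_FAILED,
               SVL_FAIL_TO_START = 10 } SVL_SERVICE_ERROR;
typedef void (*serviceCallback_FUNC)(void *userParam);   /* assumed typedef */

static serviceCallback_FUNC g_cb; static void *g_cbParam;  /* registered callback */
static int g_loaded;                 /* the double's idea of "DLL is loaded" */
char g_callLog[32];                  /* order of stub calls, e.g. "LCS" */
static void logCall(char c)
{ size_t n = 0; while (g_callLog[n] && n < sizeof g_callLog - 1) n++; g_callLog[n] = c; }

static BOOL SetServiceStatus(SERVICE_STATUS_HANDLE h, SERVICE_STATUS *s)
{ (void)h; (void)s; return 1; }
static void svlMVStub_setLogFileName(const wchar_t *f) { (void)f; }
static void svlMVStub_writeToLogFile(SVL_SERVICE_ERROR e) { (void)e; }
static SVL_SERVICE_ERROR svlMVStub_LoadMemoryValidator(void)
{ logCall('L'); if (g_loaded) return SVL_ALREADY_LOADED; g_loaded = 1; return SVL_OK; }
static SVL_SERVICE_ERROR svlMVStub_SetServiceCallback(serviceCallback_FUNC cb, void *p)
{ logCall('C'); g_cb = cb; g_cbParam = p; return SVL_OK; }
static SVL_SERVICE_ERROR svlMVStub_StartMemoryValidator(void)
{   /* Simulate a slow instrumentation phase by reporting progress 3 times. */
    int i; logCall('S');
    if (!g_loaded) return SVL_FAIL_TO_START;
    for (i = 0; i < 3; i++) if (g_cb) g_cb(g_cbParam);
    return SVL_OK; }
static SVL_SERVICE_ERROR svlMVStub_UnloadMemoryValidator(void)
{ logCall('U'); g_loaded = 0; return SVL_OK; }
#endif

/* Service-side state, normally filled in by RegisterServiceCtrlHandler(). */
SERVICE_STATUS_HANDLE sshStatusHandle = NULL;
SERVICE_STATUS        ssStatus;

/* Called by the Validator while it instruments the service: keep the SCM
 * informed (START_PENDING, rising checkpoint) so it does not kill the service. */
void serviceCallback(void *userParam)
{
    static DWORD dwCheckPoint = 1;
    (void)userParam;
    ssStatus.dwServiceType             = SERVICE_WIN32_OWN_PROCESS;
    ssStatus.dwCurrentState            = SERVICE_START_PENDING;
    ssStatus.dwControlsAccepted        = 0;          /* none while starting */
    ssStatus.dwWin32ExitCode           = NO_ERROR;
    ssStatus.dwServiceSpecificExitCode = 0;
    ssStatus.dwWaitHint                = 10000;      /* ms until next report */
    ssStatus.dwCheckPoint              = dwCheckPoint++;
    SetServiceStatus(sshStatusHandle, &ssStatus);
}

/* Load, register the callback, then start. Any failure is logged and the DLL
 * is unloaded through the API so the service is left in a clean state. */
SVL_SERVICE_ERROR attachMemoryValidator(void)
{
    SVL_SERVICE_ERROR err;
    svlMVStub_setLogFileName(L"C:\\Logs\\mvservice.log"); /* assumed path; must be first */
    err = svlMVStub_LoadMemoryValidator();
    if (err != SVL_OK) {
        svlMVStub_writeToLogFile(err);
        return err;                 /* nothing loaded, so nothing to unload */
    }
    /* The callback must be in place before Start: Start is the step that can
       run past the SCM's 10 second limit. */
    err = svlMVStub_SetServiceCallback(serviceCallback, NULL);
    if (err == SVL_OK)
        err = svlMVStub_StartMemoryValidator();
    if (err != SVL_OK) {
        svlMVStub_writeToLogFile(err);
        svlMVStub_UnloadMemoryValidator();
    }
    return err;
}

SVL_SERVICE_ERROR detachMemoryValidator(void)   /* shutdown: unload via the API */
{
    SVL_SERVICE_ERROR err = svlMVStub_UnloadMemoryValidator();
    if (err != SVL_OK) svlMVStub_writeToLogFile(err);
    return err;
}
```

Call attachMemoryValidator() from the service’s start-up path once the status handle is registered, and detachMemoryValidator() from its stop handler. A second call to attachMemoryValidator() while the DLL is already loaded returns SVL_ALREADY_LOADED and deliberately leaves the loaded instance alone.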

NT Service API for each Validator

C++ Bug Validator

extern "C" SVL_SERVICE_ERROR svlBVStub_LoadBugValidator();

extern "C" SVL_SERVICE_ERROR svlBVStub_LoadBugValidator6432();

extern "C" SVL_SERVICE_ERROR svlBVStub_StartBugValidator();

extern "C" SVL_SERVICE_ERROR svlBVStub_UnloadBugValidator();

extern "C" SVL_SERVICE_ERROR svlBVStub_SetServiceCallback(serviceCallback_FUNC callback,
                                                          void*                userParam);

// debugging functions

extern "C" void svlBVStub_setLogFileName(const wchar_t* fileName);

extern "C" void svlBVStub_deleteLogFile();

extern "C" void svlBVStub_writeToLogFileA(const char* text);

extern "C" void svlBVStub_writeToLogFileW(const wchar_t* text);

extern "C" void svlBVStub_writeToLogFile(SVL_SERVICE_ERROR errCode);

extern "C" void svlBVStub_writeToLogFileLastError(DWORD errCode);

extern "C" void svlBVStub_dumpPathToLogFile();

C++ Coverage Validator

extern "C" SVL_SERVICE_ERROR svlCVStub_LoadCoverageValidator();

extern "C" SVL_SERVICE_ERROR svlCVStub_LoadCoverageValidator6432();

extern "C" SVL_SERVICE_ERROR svlCVStub_StartCoverageValidator();

extern "C" SVL_SERVICE_ERROR svlCVStub_UnloadCoverageValidator();

extern "C" SVL_SERVICE_ERROR svlCVStub_SetServiceCallback(serviceCallback_FUNC callback,
                                                          void*                userParam);

extern "C" void svlCVStub_setLogFileName(const wchar_t* fileName);

extern "C" void svlCVStub_deleteLogFile();

extern "C" void svlCVStub_writeToLogFileA(const char* text);

extern "C" void svlCVStub_writeToLogFileW(const wchar_t* text);

extern "C" void svlCVStub_writeToLogFile(SVL_SERVICE_ERROR errCode);

extern "C" void svlCVStub_writeToLogFileLastError(DWORD errCode);

extern "C" void svlCVStub_dumpPathToLogFile();

C++ Memory Validator

extern "C" SVL_SERVICE_ERROR svlMVStub_LoadMemoryValidator();

extern "C" SVL_SERVICE_ERROR svlMVStub_LoadMemoryValidator6432();

extern "C" SVL_SERVICE_ERROR svlMVStub_StartMemoryValidator();

extern "C" SVL_SERVICE_ERROR svlMVStub_UnloadMemoryValidator();

extern "C" SVL_SERVICE_ERROR svlMVStub_SetServiceCallback(serviceCallback_FUNC callback,
                                                          void*                userParam);

extern "C" void svlMVStub_setLogFileName(const wchar_t* fileName);

extern "C" void svlMVStub_deleteLogFile();

extern "C" void svlMVStub_writeToLogFileA(const char* text);

extern "C" void svlMVStub_writeToLogFileW(const wchar_t* text);

extern "C" void svlMVStub_writeToLogFile(SVL_SERVICE_ERROR errCode);

extern "C" void svlMVStub_writeToLogFileLastError(DWORD errCode);

extern "C" void svlMVStub_dumpPathToLogFile();

C++ Performance Validator

extern "C" SVL_SERVICE_ERROR svlPVStub_LoadPerformanceValidator();

extern "C" SVL_SERVICE_ERROR svlPVStub_LoadPerformanceValidator6432();

extern "C" SVL_SERVICE_ERROR svlPVStub_StartPerformanceValidator();

extern "C" SVL_SERVICE_ERROR svlPVStub_UnloadPerformanceValidator();

extern "C" SVL_SERVICE_ERROR svlPVStub_SetServiceCallback(serviceCallback_FUNC callback,
                                                          void*                userParam);

extern "C" void svlPVStub_setLogFileName(const wchar_t* fileName);

extern "C" void svlPVStub_deleteLogFile();

extern "C" void svlPVStub_writeToLogFileA(const char* text);

extern "C" void svlPVStub_writeToLogFileW(const wchar_t* text);

extern "C" void svlPVStub_writeToLogFile(SVL_SERVICE_ERROR errCode);

extern "C" void svlPVStub_writeToLogFileLastError(DWORD errCode);

extern "C" void svlPVStub_dumpPathToLogFile();

C++ Thread Validator

extern "C" SVL_SERVICE_ERROR svlTVStub_LoadThreadValidator();

extern "C" SVL_SERVICE_ERROR svlTVStub_LoadThreadValidator6432();

extern "C" SVL_SERVICE_ERROR svlTVStub_StartThreadValidator();

extern "C" SVL_SERVICE_ERROR svlTVStub_UnloadThreadValidator();

extern "C" SVL_SERVICE_ERROR svlTVStub_SetServiceCallback(serviceCallback_FUNC callback,
                                                          void*                userParam);

extern "C" void svlTVStub_setLogFileName(const wchar_t* fileName);

extern "C" void svlTVStub_deleteLogFile();

extern "C" void svlTVStub_writeToLogFileA(const char* text);

extern "C" void svlTVStub_writeToLogFileW(const wchar_t* text);

extern "C" void svlTVStub_writeToLogFile(SVL_SERVICE_ERROR errCode);

extern "C" void svlTVStub_writeToLogFileLastError(DWORD errCode);

extern "C" void svlTVStub_dumpPathToLogFile();

List of UK stock trading websites that are not secure by default

By , December 19, 2017 12:06 pm

This is one of several posts on the topic of website security, inspired by my initial post on the security of UK banks.

The data is split across multiple posts to keep it manageable, so that data on one type of institution is not mixed with data on another.

I thought it would be interesting to look at each stock trading website in the UK to see whether, when you visit the company homepage, it is secure by default. That is, is the page loaded over HTTPS? There are more tests you could run than this, but that’s the baseline. If a site can’t meet it, the other tests are meaningless.

Some sites are served in both http and https versions. This is bad practice. If someone visits the website via http, the customer should be served the https version of the page.

Also please note, these test results are for a desktop computer visiting the website. A mobile phone may well get a different experience. In other words desktop visitors may get a secure site, but mobile visitors might not. Or vice versa.

The following key is used for the secure status:

Yes: The site is secure, loaded via https.
Dual: The site can be loaded via http, or via https.
Invalid: The site loads via https, but the security certificate is invalid and thus the site is insecure.
Partial: The site loads via https, but loads some parts of the page without https. The site is insecure.
No: The site is loaded via http, not via https.
Fixed: The site is loaded via https, but at the time of first writing it was loaded via http.
??: We could not find a website to evaluate.

We tested 66 stock trading websites, most of them based in the UK. We found 20 stock trading websites that did not have a secure home page (not https, or https with an invalid security certificate). That is, 30% of the stock trading websites tested have security vulnerabilities.

Stock Trader | Secure | Home Page
Alliance Trust Saving | Yes | https://atonline.alliancetrust.co.uk/atonline/login.jsp
ANZ | Yes | https://shareinvesting.anz.com/home.aspx
Angel Broking | No | http://www.angelbroking.com/online-share-trading
Bank of Scotland | Yes | https://www.bankofscotland.co.uk/
Barclays | Yes | https://www.smartinvestor.barclays.co.uk/campaign/investment-account.html
Barclays Trading Hub | Yes | https://www.barclaystradinghub.co.uk/home/what-is-cfd-trading/spread-trading-versus-contracts-for-difference.html
Beaufort Securities | Yes | https://www.beaufortsecurities.com/online-share-dealing-t-14
Belforfx | No | http://bonus.belforfx.com
Broker Direct | Yes | https://www.brokerdirect.co.uk/News/ShareTradingNew.aspx
Charles Schwab | No | http://www.schwab.co.uk/public/schwab-uk-en/us-investing
Charles Stanley Direct | Yes | https://www.charles-stanley-direct.co.uk
Citi | Yes | https://www.citibank.co.uk/personal/equities.do
City Index | Yes | https://www.cityindex.co.uk/share-trading/
CMC Markets | Yes | https://www.cmcmarkets.com/en-au/markets-shares
Computershare | Yes | https://www.computershare.trade/
Degiro | Yes | https://www.degiro.co.uk/
Digital Look | No | http://www.digitallook.com
Direct Market Touch | Yes | https://www.directmarkettouch.com/
Etoro | Yes | https://www.etoro.com/
Easy Share Trading | Yes | https://easysharetrading.co.uk/stocks-and-shares-courses/
ETrade | Yes | https://us.etrade.com/home
ETX Capital | Yes | https://www.etxcapital.co.uk/equities-trading
Equiniti share view | No | http://www.shareview.co.uk/4/Info/Portfolio/Default/en/Home/Pages/Home.aspx
Fair Investment Company | No | http://www.fairinvestment.co.uk/uk_share_trading.aspx
Fantasy Stock Exchange | No | http://www.fantasystockexchange.biz/
FCMB Group Plc | No | http://fcmbgroup.com/share-trading-policy
First Direct | No | http://www1.firstdirect.com/1/2/savings-and-investments/sharedealing
Fortrade | Yes | https://www.fortrade.com/
Free Trade | Yes | https://freetrade.io/
FxPro | Yes | https://www.fxpro.co.uk/trading/shares
Get Stocks | Yes | https://getstocks.com
Halifax | Yes | https://www.halifax.co.uk/sharedealing/our-accounts/share-dealing-account/Default.asp
Hargreaves Lansdown | No | http://www.hl.co.uk/investment-services/fund-and-share-account
HSBC | Yes | https://investments.hsbc.co.uk/product/9/sharedealing
IG | Yes | https://www.ig.com/uk/shares
Interactive investor | No | http://www.iii.co.uk/
Internaxx | Yes | https://www.internaxx.com/
iDealing | Yes | https://www.idealing.com/en/index
iWeb | No | http://www.iweb-sharedealing.co.uk/share-dealing-home.asp
Lloyds Bank | Yes | https://www.lloydsbank.com/share-dealing/share-dealing-account.asp
London Capital Group | Yes | https://www.lcg.com/uk/
London South East | No | http://www.lse.co.uk/share-trading/
Natwest Invest | Yes | https://personal.natwest.com/personal/investments/natwest_invest/natwest-invest.html
Plus 500 | Yes | https://www.plus500.co.uk/Trading/Stocks
Redmayne Bentley | Yes | https://www.redmayne.co.uk/stockbroking
Religare broking | No | http://www.religareonline.com/
RHB Trade Smart | Yes | https://rhbtradesmart.com/
Saga share direct | Yes | http://www.sagasharedirect.co.uk/
Saxo Capital Markets | Yes | https://www.home.saxo/en-gb
Self Trade | Yes | https://selftrade.co.uk/
Shareprices.com | Yes | https://shareprices.com/trading/
Share Scope | Yes | https://www.sharescope.co.uk/
Stock Trade | No | http://www.stocktrade.co.uk/
Sure Trader | Yes | https://www.suretrader.com/
SVS XO | Yes | https://svsxo.com/
The share centre | Yes | https://www.share.com/share-account/
Westpac | Yes | https://www.westpac.com.au/personal-banking/investments/share-trading/
UAEXChange | No | http://www.uaeexchange-etrade.com/
UK Trading View | Yes | https://uk.tradingview.com/
Virgin Money | Yes | https://uk.virginmoney.com/virgin/isa/stocks-and-shares/#
Which Way To Pay | No | http://www.whichwaytopay.com/compare-share-dealing-summary.asp
XM | Yes | https://www.xm.co.uk/
XO | No | http://www.x-o.co.uk/
XTB | Yes | https://www.xtb.com/en
Yorkshire Building Society | No | http://sharedealing.ybs.co.uk/
You Invest | Yes | https://www.youinvest.co.uk/dealing-account

Charles Schwab & First Direct

First Direct were the first bank without a bank branch in the UK. That is they’ve always been online only. But their website is not secure by default. It is vulnerable to a man in the middle attack.

Charles Schwab was one of the very first share trading sites aimed at making share trading easy, even for non-experts. As such they’ve been around for a long time. But their website is not secure by default. It is vulnerable to a man in the middle attack.

Just because a business is established, that doesn’t mean you can trust their security.

Fantasy Stock Exchange

Fantasy Stock Exchange is a website where children can go to trade pretend stocks and shares, to understand what happens without any financial risk. It’s an interesting idea. But it’s not secure by default. I’d like to think that anything involving children is secure; we read enough unpleasant stuff about grooming in other environments without their accounts being at risk as well.

Insecure Login

Most of these insecure websites are secure when you try to log in, but not secure on the homepage. That makes them vulnerable to a man in the middle attack. However, one stock trading site, Digital Look, is completely insecure: even the login page is not secure, and it has a remember me option!


Insecure Browser Extension

Another website was so problematic that we could not visit it without being forced to install a Chrome extension, allegedly to improve our security while using their site. The problems with this are numerous:

  • The extension is downloaded from an undisclosed location (you can’t see where it’s downloaded from; a website name briefly flashes past that is not the destination website).
  • The extension is downloaded from a non-secure location. Thus it could be anything.
  • You can’t verify anything about the extension before installing it in Chrome.
  • Whether you install an extension in order to view a website should be a choice, not mandatory.

We were going to name this company, but when we later tried to reproduce this to get some screenshots of the dangerous Chrome extension behaviour, it could not be repeated. If you see behaviour like this on a website, please let us know.

List of UK Insurance companies that are not secure by default

By , December 18, 2017 8:04 pm

This is one of several posts on the topic of website security, inspired by my initial post on the security of UK banks.

The data is split across multiple posts to keep it manageable, so that data on one type of institution is not mixed with data on another.

I thought it would be interesting to look at each insurance company in the UK to see whether, when you visit the company homepage, it is secure by default. That is, is the page loaded over HTTPS? There are more tests you could run than this, but that’s the baseline. If a site can’t meet it, the other tests are meaningless.

Some sites are served in both http and https versions. This is bad practice. If someone visits the website via http, the customer should be served the https version of the page.

Also please note, these test results are for a desktop computer visiting the website. A mobile phone may well get a different experience. In other words desktop visitors may get a secure site, but mobile visitors might not. Or vice versa.

The following key is used for the secure status:

Yes: The site is secure, loaded via https.
Dual: The site can be loaded via http, or via https.
Invalid: The site loads via https, but the security certificate is invalid and thus the site is insecure.
Partial: The site loads via https, but loads some parts of the page without https. The site is insecure.
No: The site is loaded via http, not via https.
Fixed: The site is loaded via https, but at the time of first writing it was loaded via http.
??: We could not find a website to evaluate.

We tested 23 insurance companies. We found 7 insurance companies that did not have a secure home page (not https, or https with an invalid security certificate). That is, 30% of the UK insurance companies tested have security vulnerabilities.

Insurance Company | Secure | Home Page
AEGON UK | Yes | https://www.aegon.co.uk/index.html
AXA | Yes | https://www.axa.co.uk/home.aspx
Allianz SE | Yes | https://www.allianz.com/en/
Aviva | Yes | https://www.aviva.co.uk/
Direct Line Insurance | Yes | https://www.directline.com/
FM Global | Yes | https://www.fmglobal.com/
Hiscox | Yes | https://www.hiscox.co.uk/
Legal & General | Yes | https://www.legalandgeneral.com/insurance/
NFU Mutual | Yes | https://www.nfumutual.co.uk/
Old Mutual | No | http://www.oldmutualplc.com/
Phoenix | No | http://www.phoenixlife.co.uk/
Prudential | No | http://www.prudential.co.uk/
QBE Insurance | Yes | https://www.group.qbe.com/
Royal London Asset Management | Yes | https://www.rlam.co.uk/
Royal London Group | Yes | https://www.royallondon.com/
RSA Insurance Group | Yes | https://www.rsagroup.com/
Standard Life | Yes | https://www.standardlife.com/dotcom/index.page
Southern Rock Insurance | No | http://www.sricl.com/
XL Group | No | http://xlgroup.com/
Zurich Insurance | Yes | https://www.zurich.co.uk/

List of UK pension funds that are not secure by default

By , December 18, 2017 4:01 pm

This is one of several posts on the topic of website security, inspired by my initial post on the security of UK banks.

The data is split across multiple posts to keep it manageable, so that data on one type of institution is not mixed with data on another.

I thought it would be interesting to look at each pension fund in the UK to see whether, when you visit the fund’s homepage, it is secure by default. That is, is the page loaded over HTTPS? There are more tests you could run than this, but that’s the baseline. If a site can’t meet it, the other tests are meaningless.

Some sites are served in both http and https versions. This is bad practice. If someone visits the website via http, the customer should be served the https version of the page.

Also please note, these test results are for a desktop computer visiting the website. A mobile phone may well get a different experience. In other words desktop visitors may get a secure site, but mobile visitors might not. Or vice versa.

The following key is used for the secure status:

Yes: The site is secure, loaded via https.
Dual: The site can be loaded via http, or via https.
Invalid: The site loads via https, but the security certificate is invalid and thus the site is insecure.
Partial: The site loads via https, but loads some parts of the page without https. The site is insecure.
No: The site is loaded via http, not via https.
Fixed: The site is loaded via https, but at the time of first writing it was loaded via http.
??: We could not find a website to evaluate.

We tested 28 pension funds. We found 8 pension funds that did not have a secure home page (not https, or https with an invalid security certificate). That is, 29% of the UK pension funds tested have security vulnerabilities.

Pension Fund | Secure | Home Page
Aviva Staff Pension Scheme | No | http://www.avivastaffpensions.co.uk/retired/default.aspx
BAE Systems Pension Scheme | Yes | https://www.baesystemspensions.com/
Barclays Bank UK Retirement Fund | Yes | https://epa.towerswatson.com/accounts/barclays/
BBC Pension Trust Ltd | No | http://www.bbc.co.uk/mypension/join
BP Pension Fund | Yes | https://pensionline.bp.com/Homepage
British Airways Pension Scheme | Yes | https://www.mybapension.com/
British Coal Staff Superannuation Scheme | Yes | https://www.bcsss-pension.org.uk/
British Steel Pension Scheme | Yes | https://www.bspensions.com/
BT Pension Scheme | Yes | https://www.btpensions.net/
Co-operative Group Pension Scheme (Pace) | Yes | https://pensions.coop.co.uk/
Electricity Supply Pension Scheme | Yes | https://megtpensions.com/contact-us/
Greater Manchester Pension Fund | Yes | https://www.gmpf.org.uk/
HBOS Final Salary Pension Scheme | Yes | https://www.lloydsbankinggrouppensions.com/
HSBC Bank UK Pension Scheme | No | http://www.futurefocus.staff.hsbc.co.uk/
ICI Pension Fund | No | http://www.icipensionfund.org.uk/
Lloyds TSB Group Pension Scheme | Yes | https://www.lloydsbankinggrouppensions.com/
Mineworkers Pension Scheme | Yes | https://www.mps-pension.org.uk/
National Grid UK Pension Scheme | Yes | https://www.nationalgridpensions.com/362/1320/welcome-to-the-national-grid-uk-pension-scheme-website
Railways Pension Scheme | Yes | https://www.railwayspensions.co.uk/
RBS Group Pension Fund | Yes | https://rbs.tbs.aon.com/
RBS Group Pensioner’s Association | No | http://rbsgpa.org.uk/
Rolls-Royce Pension Fund | Yes | https://www.rolls-roycepensions.com/Homepage
Royal Mail Pension Plan | Yes | https://www.royalmailpensionplan.co.uk/
Shell Contributory Pension Fund | No | http://pensions.shell.co.uk/scpf.html
Strathclyde Pension Fund | Yes | https://www.spfo.org.uk/
Universities Superannuation Scheme | Yes | https://www.uss.co.uk/
West Midlands Pension Fund | No | http://www.wmpfonline.com/
West Yorkshire Pension Scheme | No | http://www.wypf.org.uk/

Commentary

It is surprising to see that the pension funds of some banks are insecure, even though the banking websites for their customers are secure.

While I find it very worrying that some banks and wealth managers are not secure, for people whose funds are in a pension, that pension is often their only form of income. If access to the pension fund were compromised for a particular person, all of their future income could be erased. This is not a pleasing prospect. As with banks, wealth managers and so on, these pension funds should manage their security with greater care and diligence.

List of UK healthcare companies that are not secure by default

By , December 15, 2017 3:53 pm

This is one of several posts on the topic of website security, inspired by my initial post on the security of UK banks.

The data is split across multiple posts to keep it manageable, so that data on one type of institution is not mixed with data on another.

The following key is used for the secure status:

Yes: The site is secure, loaded via https.
Dual: The site can be loaded via http, or via https.
Invalid: The site loads via https, but the security certificate is invalid and thus the site is insecure.
Partial: The site loads via https, but loads some parts of the page without https. The site is insecure.
No: The site is loaded via http, not via https.
Fixed: The site is loaded via https, but at the time of first writing it was loaded via http.
??: We could not find a website to evaluate.

We tested 24 healthcare companies. We found 2 healthcare companies that did not have a secure home page (not https, or https with an invalid security certificate). That is, 8% of the UK healthcare companies tested have security vulnerabilities.

Healthcare Company | Secure | Home Page
Aviva Healthcare | Yes | https://www.aviva.co.uk/
AXA PPP | Yes | https://www.axappphealthcare.co.uk/
Benenden Healthcare Society | Yes | https://www.benenden.co.uk/
Birmingham Hospital Saturday Fund | Yes | https://www.bhsf.co.uk/
Bupa | Yes | https://www.bupa.co.uk/
CS Healthcare | Yes | https://www.cshealthcare.co.uk/
Engage Mutual Assurance | Yes | https://www.onefamily.com/
Exeter Family Friendly | Yes | https://www.the-exeter.com/
General & Medical Healthcare | Yes | https://www.generalandmedical.com/
Health-on-Line | Yes | https://www.health-on-line.co.uk/
Healthshield | Yes | https://www.healthshield.co.uk/
HSF | Yes | https://www.hsf.co.uk
Insurety | No | http://www.april-uk.com
Medicash | Yes | https://www.medicash.org
National Friendly | Yes | https://nationalfriendly.co.uk/
Saga | Dual | http://www.saga.co.uk
Secure Health | Yes | https://www.securehealth.co.uk/
Sovereign Health | Yes | https://www.sovereignhealthcare.co.uk/
Simply Health | Yes | https://www.simplyhealth.co.uk/
Vitality | Yes | https://www.vitality.co.uk/
Westfield | Yes | https://www.westfieldhealth.com/
WHA | Yes | https://www.whahealthcare.co.uk/
WHCA | Yes | https://www.orchardhealthcare.co.uk/
WPA | Yes | https://www.wpa.org.uk/

Commentary

Saga’s website is available via http and via https. This should be https only.
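The key used in these posts is really a small classification procedure: does the home page answer over https, is the certificate valid, does any part of the page load over http (Partial), and is plain http still served as a page in its own right rather than redirected (Dual, the Saga case above). The Python below is an added example, not code from the original posts: it applies that key to constructed probe results (no network access is made), finds mixed content in an https page body with the standard-library HTML parser, and computes the insecure count and percentage the way the posts do (anything other than Yes is counted). The Probe fields, the host names and the sample HTML are my assumptions.

```python
"""Classify a home page against the Yes/Dual/Invalid/Partial/No key used in these posts.

Added example, not code from the original posts. The Probe fields and the sample
HTML are constructed assumptions; no network access is performed.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List, Sequence, Tuple
from urllib.parse import urljoin, urlsplit


@dataclass
class Probe:
    """Constructed outcome of fetching one home page over http and https."""
    https_reachable: bool            # got an HTTP response over https
    cert_valid: bool                 # certificate chain verified for the host name
    http_reachable: bool             # got an HTTP response over plain http
    http_redirects_to_https: bool    # the http response was a redirect to an https URL
    html: str = ""                   # body served over https, used for the Partial check
    base_url: str = ""               # the https URL the body was served from


class MixedContentFinder(HTMLParser):
    """Collect sub-resource URLs that an https page would load over plain http."""

    # (tag, attribute) pairs that make the browser fetch a sub-resource.
    # Plain <a href> links are navigation, not page content, so they are ignored.
    FETCHING = {("script", "src"), ("img", "src"), ("iframe", "src"),
                ("video", "src"), ("audio", "src"), ("source", "src"),
                ("embed", "src"), ("object", "data")}

    def __init__(self, base_url: str) -> None:
        super().__init__()
        self.base_url = base_url
        self.insecure: List[str] = []

    def handle_starttag(self, tag, attrs):
        found = {name: value for name, value in attrs if value is not None}
        if tag == "link":
            # <link> only fetches page content when it is a stylesheet; check rel.
            rel = found.get("rel", "").lower().split()
            targets = [found["href"]] if "stylesheet" in rel and "href" in found else []
        else:
            targets = [found[a] for (t, a) in self.FETCHING if t == tag and a in found]
        for raw in targets:
            # urljoin resolves relative and protocol-relative (//host/...) URLs
            # against the https base, so only explicit http:// references remain.
            url = urljoin(self.base_url, raw.strip())
            if urlsplit(url).scheme == "http":
                self.insecure.append(url)


def find_mixed_content(html: str, base_url: str) -> List[str]:
    finder = MixedContentFinder(base_url)
    finder.feed(html)
    return finder.insecure


def classify(probe: Probe) -> str:
    """Map a probe result to the key used in the tables in these posts."""
    if not probe.https_reachable:
        return "No" if probe.http_reachable else "??"
    if not probe.cert_valid:
        return "Invalid"
    if find_mixed_content(probe.html, probe.base_url):
        return "Partial"          # https page, but part of it loads over http
    if probe.http_reachable and not probe.http_redirects_to_https:
        return "Dual"             # plain http served as a page instead of redirected
    return "Yes"


def summarise(statuses: Sequence[str]) -> Tuple[int, float]:
    """Count entries the posts treat as insecure (anything other than Yes) and the percentage."""
    tested = [s for s in statuses if s != "??"]
    insecure = sum(1 for s in tested if s != "Yes")
    percent = round(100.0 * insecure / len(tested), 1) if tested else 0.0
    return insecure, percent


# Constructed sample body: one script loaded over http, everything else resolves to https.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="http://cdn.example.test/analytics.js"></script>
</head><body>
<img src="//images.example.test/logo.png">
<a href="http://www.example.test/terms">Terms</a>
</body></html>"""

if __name__ == "__main__":
    base = "https://www.example.test/"
    print(find_mixed_content(SAMPLE_HTML, base))
    print(classify(Probe(True, True, True, False, "<html></html>", base)))  # Dual
    print(summarise(["Yes"] * 22 + ["No", "Dual"]))
```

For the Dual case the fix the post asks for is the http response becoming a redirect to the https URL, which is exactly what makes `http_redirects_to_https` true and turns Dual into Yes; the Partial check is deliberately stricter than a browser, which blocks only active mixed content, because the posts treat any http sub-resource on an https page as insecure.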

Disclaimer

I shouldn’t need to point this out, but I will, all the same, just to be clear.

The data provided on this page should be taken at face value. If you’re not sure about something, please verify it yourself. Nothing reported here should be regarded as a criticism, an endorsement or a recommendation of an organisation’s security effectiveness. I am simply passing comment on whether the home page (whatever that may be) is provided as https or not. Other security concerns are a separate matter.

If your organisation is listed here and is not marked as secure, your best course of action is to fix that, not to complain that someone is reporting a fact anyone with a web browser can discover. The security status of your home page is public information, albeit information that many people don’t understand.

List of ecommerce platforms that are not secure by default

By , December 15, 2017 3:33 pm

This is one of several posts on the topic of website security, inspired by my initial post on the security of UK banks.

The reason for splitting this data into multiple posts is to make it more manageable, so that data on one type of institution is not mixed with data on another.

The following key is used for the secure status:

Yes The site is secure, loaded via https
Dual The site can be loaded via http, or via https.
Invalid The site loads via https, but the security certificate is invalid and thus the site is insecure.
Partial The site loads via https, but loads some parts of the page without https. The site is insecure.
No The site is loaded via http, not via https.
Fixed The site is loaded via https, but at the time of first writing it was loaded via http.
?? We could not find a website to evaluate.

We tested 63 ecommerce companies. We found 9 ecommerce companies that did not have a secure home page (not https, or https with an invalid security certificate). That is, 14% of ecommerce companies have security vulnerabilities.

Ecommerce company | Secure | Home Page
2C2P Yes https://www.2c2p.com/
Adyen Yes https://www.adyen.com/
Alipay Yes https://intl.alipay.com/
Amazon Pay Yes https://pay.amazon.com/uk
Apple Pay Yes https://www.apple.com/uk/apple-pay/
Atos Yes https://atos.net/en-gb/united-kingdom
Authorize.Net Yes https://www.authorize.net/
Bambora Yes https://www.bambora.com/sv/overview/#market-select
BitPay Yes https://bitpay.com/
BPAY Yes https://www.bpay.co.uk/
Braintree Yes https://www.braintreepayments.com/en-gb
CM Telecom Yes https://www.cm.com/
Creditcall Yes https://www.creditcall.com/
CyberSource Yes https://www.cybersource.com/en-EMEA/
DigiCash Yes https://www.digi.cash/
Digital River Yes https://www.digitalriver.com/
Dwolla Yes https://www.dwolla.com/
Elavon Yes https://www.elavon.co.uk/index.html
Euronet Worldwide No http://www.euronetworldwide.com/
eWAY Yes https://eway.io/uk
First Data Yes https://www.firstdata.com/en_gb/home.html
Flooz Yes https://www.flooz.me/
Fortumo Online Yes https://fortumo.com/
GoCardless Yes https://gocardless.com/
Heartland Payment Systems Yes https://www.heartlandpaymentsystems.com/about-us
Ingenico Yes https://www.ingenico.com/
Klarna Yes https://www.klarna.com/uk/
ModusLink Yes https://www.moduslink.com/
MPay No http://www.mpay.al/en
Neteller Yes https://www.neteller.com/en/
Nochex Yes https://www.nochex.com/gb/
OFX Yes https://www.ofx.com/en-gb/
PagSeguro Yes https://pagseguro.uol.com.br/
PayPal Yes https://www.paypal.com/uk/home
Payoneer Yes https://www.payoneer.com/main/
Paymentwall Yes https://www.paymentwall.com/en/
PayPoint Yes https://www.paypoint.com/en-gb/consumers/store-locator
Paysbuy Yes https://www.paysbuy.com/
Paysafe Group Yes https://www.paysafe.com/
PayStand No http://www.paystand.com/
Payzone Yes https://www.payzone.co.uk/
Qiwi Yes https://qiwi.com/
Realex Payments Yes https://www.realexpayments.com/uk/
Red Dot Payment No http://reddotpayment.com/
Sage Group Yes https://www.sage.com/en-gb/
Skrill Yes https://www.skrill.com/en/
Stripe Yes https://stripe.com/gb
Square Yes https://squareup.com/gb
SWREG Dual http://faq.swreg.org/
Tencent Yes https://www.tencent.com/en-us/
TIMWE No http://www.timwe.com/
TransferWise Yes https://transferwise.com/
True Money No http://www.truemoney.com/
Trustly Online Yes https://trustly.com/en/
Verifone No http://www.verifone.co.uk/
WebMoney Yes https://www.wmtransfer.com/
WeChat Pay Yes https://pay.weixin.qq.com/index.php/public/wechatpay
WePay Yes https://go.wepay.com/
Wirecard Yes https://www.wirecard.com/
Worldpay No http://www.worldpay.com
Xendpay Yes https://www.xendpay.com/
Xsolla Yes https://www.xsolla.com/
Yandex.Money Yes https://money.yandex.ru/

Commentary

I was surprised to see that Worldpay is not secure by default.

I was also surprised to see that SWREG, the oldest of all the ecommerce companies in the world, is also not secure by default. Longevity has no bearing on the operating standards of a business. Interestingly, Digital River, the company that now owns SWREG, is secure by default.

Disclaimer

I shouldn’t need to point this out, but I will, all the same, just to be clear.

The data provided on this page should be taken at face value. If you’re not sure about something, please verify it yourself. Nothing reported here should be regarded as a criticism, an endorsement or a recommendation of an organisation’s security effectiveness. I am simply passing comment on whether the home page (whatever that may be) is provided as https or not. Other security concerns are a separate matter.

If your organisation is listed here and is not marked as secure, your best course of action is to fix that, not to complain that someone is reporting a fact anyone with a web browser can discover. The security status of your home page is public information, albeit information that many people don’t understand.

List of UK online casinos that are not secure by default

By , December 15, 2017 1:30 pm

This is one of several posts on the topic of website security, inspired by my initial post on the security of UK banks.

The reason for splitting this data into multiple posts is to make it more manageable, so that data on one type of institution is not mixed with data on another.

The following key is used for the secure status:

Yes The site is secure, loaded via https
Invalid The site loads via https, but the security certificate is invalid and thus the site is insecure.
Partial The site loads via https, but loads some parts of the page without https. The site is insecure.
No The site is loaded via http, not via https.
Fixed The site is loaded via https, but at the time of first writing it was loaded via http.
?? We could not find a website to evaluate.

We tested 75 online casinos. We found 12 online casinos that did not have a secure home page (not https, or https with an invalid security certificate). That is, 16% of UK online casinos have security vulnerabilities.

Casino | Secure | Home Page
21Jackpots No http://21jackpots.com/
32Red Casino Yes https://www.32red.com/
50 Stars Casino No http://www.50starscasino.com/english/eur/download.html
888Casino Yes https://www.888casino.com/
All British Casino Yes https://www.allbritishcasino.com/
All Irish Casino Yes https://www.allirishcasino.com/
BETAT Casino Yes https://betat.co.uk/home/
Betfred Casino No http://www.betfred.com/casino
Betsafe Casino Yes https://www.betsafe.com/en/casino
Betspin Casino Yes https://www.betspin.com/gb
Betway Casino Yes https://casino.betway.com/lobby/en/#/home
Bet-At-Home Casino Yes https://uk.bet-at-home.com/
bgo Vegas Yes https://www.bgo.com/
Cashmio Casino Yes https://www.cashmio.com/en
CasinoLuck Yes https://www.casinoluck.com/
Casino Kings Yes https://www.casinokings.com/
Casino Magix Yes https://www.casinomagix.com/
Casumo Casino Yes https://www.casumo.com/en-gb/
ComeOn Casino Yes https://www.comeon.com/
Carnival Casino No http://www.carnivalcasino.com/
Casino Cruise Yes https://www.casinocruise.com/en-gb
Casino King Yes https://www.casinokings.com/
Casino Plex No http://casinoplex.co.uk/
Casino Share No http://www.luxurycasino.co.uk/en-gb/
Casino Splendido Yes https://www.casinosplendido.com/
Casino.com Yes https://www.casino.com/uk/
Challenge Casino No http://www.luxurycasino.co.uk/en-gb/
Conquer Casino Yes https://www.conquercasino.com/
Cyber Club Casino Yes https://www.cyberclubcasino.com/
Dash Casino Yes https://www.dashcasino.com/
Dr Vegas Casino Yes https://www.drvegas.com/
Dream Palace Casino Yes https://www.dreampalacecasino.com/
EnergyCasino Yes https://energycasino.com/en/
FruityCasa Casino Yes https://www.fruitycasa.com/
Gala Casino Yes https://www.galacasino.com/
GameVillage Yes https://www.gamevillage.com/
Golden Lounge Casino No http://www.goldenlounge.com/
Grosvenor Casino Yes https://www.grosvenorcasinos.com/
Guts Casino Yes https://www.guts.com/gb/page/welcome
Intercasino Yes https://www.intercasino.co.uk/
Jackpot Luck Casino Yes https://www.jackpotluck.com/
Jetbull Casino Yes https://www.jetbull.com/
Karamba Casino Yes https://www.karamba.com/
Ladbrokes Casino No http://casino.ladbrokes.com/en
Magic Box Casino No http://www.magicboxcasino.com/
Mansion Casino Yes https://play.mansioncasino.com/
Maria Casino Yes https://www.mariacasino.co.uk/
mFortune Casino Yes https://www.mfortune.co.uk/
MobileWins Casino Yes https://www.mobilewins.co.uk/
Monte Carlo Casino No http://www.casinomontecarlo.com/
Moon Games Casino Yes https://www.moongames.com/
Mr Green Casino Yes https://www.mrgreen.com/en
Nedplay Casino Yes https://www.nedplay.com/
Noxwin Casino Yes https://www.noxwin.com/#/
Oddsring Casino Yes https://www.oddsring.com/home
Paddy Power Casino No http://casino.paddypower.com/
PokerStars Casino Yes https://www.pokerstarscasino.uk/
Power Slots Yes https://www.powerslots.eu/
Prospect Hall Casino Yes https://prospecthallcasino.com/games/index/
Spinit Casino Yes https://www.spinit.com/en
Redbet Casino Yes https://www.redbet.com/en/casino
Red Queen Casino Yes https://www.redqueencasino.com/
Rizk Casino Yes https://rizk.com/gb
Roxy Palace Casino Yes https://www.roxypalace.com/
Royal Swipe Casino Yes https://www.royalswipe.com/
SCasino Yes https://www.scasino.com/uk/
Sportingbet Casino Yes https://casino.sportingbet.com/en/casino
ShadowBet Casino Yes https://www.shadowbet.com/uk
Slotty Vegas Casino Yes https://slottyvegas.com/en/welcome/
Sporting Index Casino Yes https://casino.sportingindex.com/
Trada Casino Yes https://www.tradacasino.com/
Unibet Casino Yes https://www.unibet.co.uk/casino#filter:uk-unibet-picks-casino-slots-7-420439
Vegas Paradise Casino Yes https://www.vegasparadise.com/
VideoSlots Casino Yes https://www.videoslots.com/
William Hill Casino Yes https://casino.williamhill.com/#!/

Commentary

Reputation

Just as with wealth management, there are some big names in this list that spend lots of money on advertising, and yet they are not secure. You cannot rely on a trusted brand name to mean that you get a secure website.

Downloading from a non secure site

One site in particular deserves a special mention: 50 Stars Casino. This site is not secure, but to gamble with them you need to download a software package from their non-secure website and then install the software. I did download it. The download is digitally signed, but given that it’s downloaded from a non-secure page, the download could, technically, be anything, not necessarily the software the casino wants you to download. This is not good. Not only is the website not secure, but it could potentially attack your computer if the download is compromised.

Disclaimer

I shouldn’t need to point this out, but I will, all the same, just to be clear.

The data provided on this page should be taken at face value. If you’re not sure about something, please verify it yourself. Nothing reported here should be regarded as a criticism, an endorsement or a recommendation of an organisation’s security effectiveness. I am simply passing comment on whether the home page (whatever that may be) is provided as https or not. Other security concerns are a separate matter.

If your organisation is listed here and is not marked as secure, your best course of action is to fix that, not to complain that someone is reporting a fact anyone with a web browser can discover. The security status of your home page is public information, albeit information that many people don’t understand.

List of UK currency exchanges that are not secure by default

By , December 15, 2017 12:42 pm

This is one of several posts on the topic of website security, inspired by my initial post on the security of UK banks.

The reason for splitting this data into multiple posts is to make it more manageable, so that data on one type of institution is not mixed with data on another.

The following key is used for the secure status:

Yes The site is secure, loaded via https
Invalid The site loads via https, but the security certificate is invalid and thus the site is insecure.
Partial The site loads via https, but loads some parts of the page without https. The site is insecure.
No The site is loaded via http, not via https.
Fixed The site is loaded via https, but at the time of first writing it was loaded via http.
?? We could not find a website to evaluate.

We tested 67 currency exchanges. We found 11 currency exchanges that did not have a secure home page (not https, or https with an invalid security certificate). That is, 16% of UK currency exchanges have security vulnerabilities.

Currency Exchange | Secure | Home Page
#1 Currency Yes https://www.no1currency.com/
Ace-FX Yes https://www.ace-fx.com/
American Express Yes https://www.americanexpress.com/uk/content/foreign-exchange/foreign-exchange-services.html
Asda Travel Money Yes https://money.asda.com/travel-money/
Barclays Bureau de change Yes https://www.barclays.co.uk/travel/foreign-currency-exchange/
Barrhead Travel Yes https://www.barrheadtravel.co.uk/foreign-exchange
Best Exchange No http://www.bestexchange.co.uk/
Best Foreign Exchange Yes https://www.bestforeignexchange.com/
BFC Exchange Yes https://www.bfcexchange.co.uk/
Central FX No http://www.centralfx.co.uk/
City Forex Yes https://www.cityforex.co.uk/
Change Group Yes https://www.changegroup.co.uk/
Compare Holiday Money Yes https://www.compareholidaymoney.com/
Covent Garden FX Yes https://www.coventgardenfx.com/
Currencies for you Yes https://www.currencies4you.com/
Currency converter Yes https://www.currencyconverter.co.uk/
Currency matters Yes http://www.currencymatters.co.uk/
Currency solutions Yes https://www.currencysolutions.co.uk/
Currency UK Yes https://www.currencyuk.co.uk/
Euro Change Yes https://www.eurochange.co.uk/
Danske Bank Yes https://danskebank.co.uk/personal/help/currency-converter/currency-converter
Debenhams No http://finance.debenhams.com/travel-money/
Elavon Yes https://www.elavon.co.uk/dcc.html
Exchange Rates Yes https://www.exchangerates.org.uk/
First Choice Yes https://www.firstchoice.co.uk/holiday/info/foreign-exchange
First Rate Yes https://www.firstrate.co.uk/
Fourex No http://www.fourex.co.uk/
Global Exchange Yes https://www.globalexchange.co.uk/
GCEN Yes https://gcen.co.uk/
Money Yes https://www.money.co.uk/travel-money.htm
H & T Group Yes https://www.handt.co.uk/travel-money
Halifax Travel Money Yes https://www.halifax.co.uk/travel/travel-money/
Hargreaves Lansdown No http://www.hl.co.uk/investment-services/currency-service/latest-currency-report/currency-converter-exchange-rates
HiFX Yes https://www.hifx.co.uk
HSBC Expat Yes https://www.expat.hsbc.com/1/2/hsbc-expat/foreign-exchange-currency
HSBC Travel Money Yes https://www.hsbc.co.uk/1/2/travel-money
ICICI Bank No http://www.icicibank.co.uk/personal/travel-money.page
International Currency Exchange Yes https://www.iceplc.com/
Kanoo Foreign Exchange Yes http://www.kanoocurrency.co.uk/
KBR Foreign Exchange Yes https://www.kbrfx.com/
M & S Currency Exchange Yes https://bank.marksandspencer.com/travel/travel-money/currency-exchange-rates/
Money Corp Yes https://www.moneycorp.com/uk/
Money Saving Expert Yes https://travelmoney.moneysavingexpert.com/
Natwest International No http://www.natwestinternational.com/nw/personal-banking/travel-and-international/g48/travel-money/currency-converter.ashx
Northwest Money Exchange No http://www.northwestmoneyexchange.com/
Post Office Money Yes https://www.postoffice.co.uk/foreign-currency
RBS Yes https://www.rbs.co.uk/personal/travel/g1/money/exchange-rates.ashx
Reuters Yes https://uk.reuters.com/business/currencies
Ruislip Currency No http://www.ruislipcurrency.co.uk/
Saga Travel Money Yes https://www.saga.co.uk/insurance/travel-money.aspx
Sainsbury’s Bank Travel Money Yes https://www.sainsburysbank.co.uk/travel/ins_travelmoney_tmo_skip
Santander Travel Money Yes https://www.santander.co.uk/uk/current-accounts/ordering-travel-money
Senil Cash & Go Yes https://www.senli.co.uk/
Smart Currency Business Yes https://www.smartcurrencybusiness.com/
Smart Currency Exchange Yes https://www.smartcurrencyexchange.com/
Sterling Yes https://www.sterlingfx.co.uk/
Tesco Travel Money No http://www.tescobank.com/travel-money/
The Currency Club Yes https://www.thecurrencyclub.co.uk/
The Money Shop Yes https://www.themoneyshop.com/travel-money/
Thomas Cook Yes https://www.thomascook.com/travel-money/foreign-currency/
Thomas Money Exchange Yes https://www.thomasexchangeglobal.co.uk/
TorFX Yes https://www.torfx.com/
Travelex Yes https://www.travelex.co.uk/
WeSwap Yes https://www.weswap.com/en/
World First Yes https://www.worldfirst.com/uk/foreign-exchange/
UAE Exchange Yes https://www.uaeexchange.com/gbr/
XE No http://www.xe.com/

Disclaimer

I shouldn’t need to point this out, but I will, all the same, just to be clear.

The data provided on this page should be taken at face value. If you’re not sure about something, please verify it yourself. Nothing reported here should be regarded as a criticism, an endorsement or a recommendation of an organisation’s security effectiveness. I am simply passing comment on whether the home page (whatever that may be) is provided as https or not. Other security concerns are a separate matter.

If your organisation is listed here and is not marked as secure, your best course of action is to fix that, not to complain that someone is reporting a fact anyone with a web browser can discover. The security status of your home page is public information, albeit information that many people don’t understand.

List of UK Wealth Management companies that are not secure by default

By , December 15, 2017 12:16 pm

This is one of several posts on the topic of website security, inspired by my initial post on the security of UK banks.

The reason for splitting this data into multiple posts is to make it more manageable, so that data on one type of institution is not mixed with data on another.

This is an updated version of an earlier post. We have added 15 companies since the first version.

The following key is used for the secure status:

Yes The site is secure, loaded via https
Invalid The site loads via https, but the security certificate is invalid and thus the site is insecure.
Partial The site loads via https, but loads some parts of the page without https. The site is insecure.
No The site is loaded via http, not via https.
Fixed The site is loaded via https, but at the time of first writing it was loaded via http.
?? We could not find a website to evaluate.

We tested 68 wealth management companies. We found 18 wealth management companies that did not have a secure home page (not https, or https with an invalid security certificate). That is, 27% of UK wealth management companies have security vulnerabilities.

Wealth Management Company | Secure | Home Page
Aberdeen Asset Management No http://www.aberdeen-asset.co.uk/
Aberdeen Asset Management Trust Centre No http://www.invtrusts.co.uk/investmenttrusts/
Allianz Global Investors Yes https://uk.allianzgi.com/role-gate-page
Artemis Investment Management LLP Yes https://www.artemisfunds.com/
Baillie Gifford Yes https://www.bailliegifford.com/
Barclays Wealth Yes https://www.barclays.co.uk/wealth-management/
Blackrock Yes https://www.blackrock.com
Brewin Dolphin Yes https://www.brewin.co.uk/
Cantab Asset Management Yes https://www.cantabam.com/
Capital Yes https://www.capital.co.uk/
Capital International Yes https://www.capital-iom.com/
CBRE Global Investors No http://www.cbreglobalinvestors.com/Pages/default.aspx
CCLA Yes https://www.ccla.co.uk/
Charles Stanley Yes https://www.charles-stanley.co.uk/
Citi Yes https://www.citibank.co.uk/personal/wealth-management-products.do
City Asset Management Plc No http://www.city-asset.co.uk/
Clifton asset management Yes https://www.clifton-asset.co.uk/
Close Brothers Asset Management Yes https://www.closebrothersam.com/
EFG Yes https://www.efgam.com/home/Landing-Asset-Management.html
Equester Capital Management Yes https://www.neptunefunds.com
Fidelity Worldwide Investment Yes https://www.fidelity.co.uk/home
Franklin Templeton No http://www.franklintempleton.co.uk/
GAM Yes https://www.gam.com/
Hargreaves Lansdown No http://www.hl.co.uk/
Hawksmoor investment management No http://www.hawksmoorim.co.uk/
Heartwood investment management No http://www.heartwoodgroup.co.uk/
Henderson Global Investors Yes https://www.janushenderson.com/ukpi
Hermes Investment Management Yes https://www.hermes-investment.com/ukw/
Interactive Investor No http://www.iii.co.uk/funds
Investec Bank Yes https://www.investec.com/en_gb.html
Invesco Perpetual Yes https://www.invescoperpetual.co.uk/uk
Kleinwort Hambros Yes https://www.kleinworthambros.com/en/
Lion Trust No http://www.liontrust.co.uk/
London and Capital Yes https://www.londonandcapital.com/
M&G Securities Ltd No http://www.mandg.co.uk/
Majedie No http://www.majedie.com/
Mattioli Woods Yes https://www.mattioliwoods.com/
Mayfair Capital Yes https://www.mayfaircapital.co.uk/
Money Farm Yes https://www.moneyfarm.com/uk/
Montanaro Yes http://www.montanaro.co.uk/
Morning Star No http://www.morningstar.co.uk/uk/
MunnyPot Yes https://www.munnypot.com/
Newton Investment Management Yes https://www.newtonim.com/
Novia Financial Yes https://www.novia-financial.co.uk/
Nutmeg Yes https://www.nutmeg.com/
Old Mutual Wealth Yes https://www.oldmutualwealth.co.uk/
Prospect Wealth Management Yes https://prospectwealth.co.uk/
Psigma Investment Management No http://www.psigma.com/pages/psigma-investment-management-landing.aspx
Quilter Cheviot Yes https://www.quiltercheviot.com/uk/private-client/
Rathbones Yes https://www.rathbones.com/
Sanlam Life and Pensions UK Limited Yes https://www.sanlam.co.uk/home.aspx
Saranac Partners Yes https://www.saranacpartners.com/
Scalable Capital Yes https://uk.scalable.capital/
St. James’s Place Yes https://www.sjp.co.uk/
Standard Life Investments Yes https://www.standardlifeinvestments.com/
State Street Global Advisors Yes https://www.ssga.com/home.html
Schroders No http://www.schroders.com
SVM Asset Management No http://www.svmonline.co.uk/
Swanest Yes https://swanest.com/
T Rowe Price Yes https://www3.troweprice.com/usis/corporate/en/home.html
TAM Yes https://www.tamassetmanagement.com/
Threadneedle Asset Management Yes https://www.mythreadneedle.com/
Tilney Group Yes https://www.tilney.co.uk/
Troy Asset Management No http://www.taml.co.uk/
UBS Global Asset Management Yes https://www.ubs.com/global/en/asset-management.html
Unicorn Asset Management Yes https://www.unicornam.com/
Vanguard Asset Management Yes https://www.vanguardinvestor.co.uk/
Wealth Horizon No http://www.wealthhorizon.com/

Commentary

It is interesting that you cannot trust a name or a brand to be secure. For example, Aberdeen Asset Management is probably the best-known name in the UK. They are regularly featured on the early morning BBC Radio 4 Today Programme to provide their expert opinion. Unfortunately, their website is not secure.

A number of these companies have names that sound old and established, or strong and reliable. They are names, just that. The reliability is in their behaviour, and a key part of that is whether they are secure.

Disclaimer

I shouldn’t need to point this out, but I will, all the same, just to be clear.

The data provided on this page should be taken at face value. If you’re not sure about something, please verify it yourself. Nothing reported here should be regarded as a criticism, an endorsement or a recommendation of an organisation’s security effectiveness. I am simply passing comment on whether the home page (whatever that may be) is provided as https or not. Other security concerns are a separate matter.

If your organisation is listed here and is not marked as secure, your best course of action is to fix that, not to complain that someone is reporting a fact anyone with a web browser can discover. The security status of your home page is public information, albeit information that many people don’t understand.

List of UK Building Societies that are secure by default

By , December 15, 2017 11:42 am

This is one of several posts on the topic of website security, inspired by my initial post on the security of UK banks.

The reason for splitting this data into multiple posts is to make it more manageable, so that data on one type of institution is not mixed with data on another.

The following key is used for the secure status:

Yes The site is secure, loaded via https
Invalid The site loads via https, but the security certificate is invalid and thus the site is insecure.
Partial The site loads via https, but loads some parts of the page without https. The site is insecure.
No The site is loaded via http, not via https.
Fixed The site is loaded via https, but at the time of first writing it was loaded via http.
?? We could not find a website to evaluate.

We tested 45 building societies. We found 16 building societies that did not have a secure home page (not https, or https with an invalid security certificate). That is, 36% of UK building societies have security vulnerabilities.

Building Society | Secure | Home Page
Bath Investment & Building Society Yes https://www.bathbuildingsociety.co.uk/
Beverley Building Society No http://beverleybs.co.uk/
Britannia Savings No http://britannia.co.uk/
Buckinghamshire Building Society No http://www.bucksbs.co.uk/
Cambridge Building Society Yes https://www.cambridgebs.co.uk/
Chorley & District Building Society No http://www.chorleybs.co.uk/
Coventry Building Society Yes https://www.coventrybuildingsociety.co.uk/
Cumberland Building Society Yes https://www.cumberland.co.uk/
Darlington Building Society Yes https://www.darlington.co.uk/
Dudley Building Society Yes https://www.dudleybuildingsociety.co.uk/
Earl Shilton Building Society No http://www.esbs.co.uk/
Ecology Building Society Yes https://www.ecology.co.uk/
Furness Building Society Yes https://www.furnessbs.co.uk/
Hanley Economic Building Society Yes http://www.thehanley.co.uk/
Harpenden Building Society Yes https://www.harpendenbs.co.uk/
Hinckley & Rugby Building Society Yes https://www.hrbs.co.uk/
Holmesdale Building Society Yes https://www.theholmesdale.co.uk/
Ipswich Building Society Yes https://www.ibs.co.uk/
Leeds Building Society No http://www.leedsbuildingsociety.co.uk/
Leek United Building Society Yes https://www.leekunited.co.uk/
Loughborough Building Society Yes https://www.theloughborough.co.uk/
Manchester Building Society Yes https://www.themanchester.co.uk/
Mansfield Building Society Yes https://mansfieldbs.co.uk/
Market Harborough Building Society No http://www.mhbs.co.uk/
Marsden Building Society Yes https://www.themarsden.co.uk/
Melton Mowbray Building Society Yes https://www.themelton.co.uk/
Monmouthshire Building Society Yes http://www.monbs.com/
National Counties Building Society No http://www.ncbs.co.uk/
Newbury Building Society Yes https://www.newbury.co.uk/
Newcastle Building Society Yes https://www.newcastle.co.uk/
Norwich & Peterborough Building Society Yes https://www.nandp.co.uk/
Nottingham Building Society Yes https://www.thenottingham.com/
Penrith Building Society Yes https://www.penrithbuildingsociety.co.uk/
Principality Building Society No http://www.principality.co.uk/
Progressive Building Society No http://theprogressive.com/
Scottish Building Society Yes https://www.scottishbs.co.uk/
Saffron Building Society Yes https://www.saffronbs.co.uk/
Skipton Building Society No http://www.skipton.co.uk/
Stafford Railway Building Society Yes https://srbs.co.uk/
Swansea Building Society No http://www.swansea-bs.co.uk/
Teachers Building Society Yes https://www.teachersbs.co.uk/
Tipton & Coseley Building Society Yes https://www.thetipton.co.uk/
West Bromwich Building Society No http://www.westbrom.co.uk/
Yorkshire Building Society Yes https://www.ybs.co.uk/index.html

Disclaimer

I shouldn’t need to point this out, but I will, all the same, just to be clear.

The data provided on this page should be taken at face value. If you’re not sure about something, please verify it yourself. Nothing reported here should be regarded as a criticism, an endorsement or a recommendation of an organisation’s security effectiveness. I am simply passing comment on whether the home page (whatever that may be) is provided as https or not. Other security concerns are a separate matter.

If your organisation is listed here and is not marked as secure, your best course of action is to fix that, not to complain that someone is reporting a fact anyone with a web browser can discover. The security status of your home page is public information, albeit information that many people don’t understand.
