I have been using the online SSL Server Test for some time and I find it the best tool for assessing the health of a site's SSL configuration. I just tried it on https://online.citi.com, online.citi.com, and citi.com, and I got the message
for the last two and got redirected to "Sign On - Citibank" for the first one. I find this most disturbing since we are talking about a major mega-bank whose online servers we have to trust, and who is blocking us from getting an assessment of how secure their servers are. And you are redirecting us to their servers in the first case. Why would you do that?
Using ssllabs-scan, I got
Assessment failed: https://online.citi.com (Hostname blacklisted)
Using other tools I did find:
- Medium grade encryption
- Triple DES Ciphers
- Secure Client-Initiated Renegotiation
that all raised 'red flags', so I assume this would downgrade their score on your test.
I have found other banks' sites that had less than A+ ratings and I think that is despicable for a bank.