Web Technologies Used in the Commercial Banks in Finland

Abstract

This publication presents the results of empirical research on the web technologies used in the home pages of the Finnish commercial banks authorized under Finnish legislation to carry on commercial banking business and supervised by the Finnish Financial Supervisory Authority (FIN-FSA). The home pages of 9 commercial banks were studied. Our survey reveals the proportions of the web technologies used in the respective web sites. The mean home page size is around 2.5 MB (SD ±3.7 MB, median 1.3 MB) and images account for around 41% of it. The shares of the other web components are as follows: JavaScript programs around 35%, CSS files 10%, font files 7%. The main HTML file makes up only 7% of the size of the whole page. The mean total number of requests that the web browser makes in order to display the home page is around 64: 23 requests for images, 19 for JavaScript, 7 for CSS files and 6 for font files. Only one of the surveyed web sites uses HTTP/2; the rest use HTTP/1.1 at most. About 56% of the sites use Symantec-issued SSL certificates, and likewise about 56% use certificates valid for 2 years.

Publication
P. Petrov, S. Krumovich, G. Dimitrov, N. Nikolov and V. Sulov. Web Technologies Used in the Commercial Banks in Finland. Proceedings of the 19th International Conference on Computer Systems and Technologies (CompSysTech’18), ACM, NY, USA, pp.94-98. DOI: https://doi.org/10.1145/3274005.3274018

Keywords: Finland commercial banks, web technologies, home page, web site, SSL certificate


1. INTRODUCTION

As the Internet plays a major role in our lives, banks’ websites are frequently chosen by potential and existing clients to obtain the financial information they need. A bank’s website acts as an extension and augmentation of a traditional physical bank office and offers a variety of financial services. The home page is the entry point to the bank’s web site and provides useful information about the various financial services. Most of the impressions a visitor gains of the bank come from its main page, and various types of criteria could be used to evaluate its quality: content quality, design quality, organization quality and user-friendliness [1, 2]. In our opinion, quality could be measured by the perceptions of many ordinary users or of a few experts, but it could also be measured by direct quantitative measures, which represent the proportions of the web components that make up the main page.

The purpose of this publication is to summarize the information gathered in the course of research on the web technologies used in the home pages of the Finnish commercial banks in November 2017. The list of commercial banks authorized to operate in Finland is taken from the “Supervised entities” [3] page of the Finnish Financial Supervisory Authority (FIN-FSA) website. The list contains 948 supervised entities undertaking operations in the domestic financial market, but we selected only the domestic commercial banks (see Table 1). Table 1 does not include branches in Finland of foreign credit institutions from EEA countries, nor savings banks, limited-liability savings banks, mortgage banks, member cooperative banks (http://www.osuuspankki.fi/), local cooperative banks (http://www.poppankki.fi/) or other financial institutions. Table 1 lists only the commercial banks under the supervision of FIN-FSA. It should be noted that “Danske Bank Plc” has meanwhile become a branch of its Danish parent company, “Danske Bank A/S”, at the end of 2017. It is therefore no longer in the list, but during our research it was still under the supervision of FIN-FSA and was considered by us a domestic commercial bank.

Table 1: Commercial banks supervised by the Finnish Financial Supervisory Authority (FIN-FSA) [3].

Commercial bank URL of the home page
1 Aktia Bank p.l.c. http://www.aktia.fi
2 Bank of Åland Plc http://www.alandsbanken.fi
3 Bonum Bank Plc. http://www.bonumpankki.fi
4 Central Bank of Savings Banks Finland Plc http://www.spkeskuspankki.fi
5 Danske Bank Plc http://www.danskebank.fi
6 Evli Bank Plc http://www.evli.com
7 OP Corporate Bank plc http://www.pohjola.fi
8 S-Bank Ltd https://www.s-pankki.fi
9 Suomen Asuntohypopankki Oy http://www.hypo.fi


2. EXPERIMENTAL AND COMPUTATIONAL DETAILS

In our study, the home pages of 9 commercial banks were inspected during October 2017. The main method used in the survey is analysis of the responses returned by the web servers. Although these home pages are intended for the same audience, their structure and contents vary broadly. Google Chrome ver. 59 was used as the web client with the “Developer tools” module activated. It should be noted that this module was not developed specifically for studies of this kind, but it is a very useful tool in such cases. The inspection was done manually, by expert estimation. Other approaches to the same research include using command-line tools such as cURL or Wget [4], but using a real web browser is more straightforward.

During the study we looked specifically at the number of components of different types that build up a whole web page. As is well known, the response to the first request delivers an HTML file. Then, depending on its content, many subsequent requests are made. These requests load various components: images, JavaScript programs, style sheets, fonts and so on. The purpose of these web components is to improve the appearance of the web page. It should be expected that the larger the web page and the higher the number of its components, the more interactive and visually appealing it will be. On the other hand, the web page should load as fast as possible, because slow load time has a negative impact on the user experience [5]. That is why one of the goals of web designers is to optimize the size of web pages and the number of their components. In this study we used a typical desktop PC (Windows 10 Pro edition, x64) with the Chrome browser. We did not test opening the respective home pages on other devices.

The summarized results for the studied home pages are presented in seven tables (Tables 2 to 8) based on the following key indicators: the number of requests sent and the size of the whole page, both broken down by component type; the maximum supported HTTP version, server type and Keep-Alive parameters; the content of various security-related fields in the HTTP response; and the issuer and validity length of the SSL certificate.
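The per-request data that the authors read off the Developer tools panel by hand can be exported from the same panel as a HAR file (Network tab, “Save all as HAR with content”) and classified in code. The following script is an added example and not part of the paper: it reproduces the indicators of Tables 2 to 5 (request count, transferred bytes, and the share of each component type by count and by bytes) from a HAR capture, and computes the range, mean and median across sites as in Tables 3 and 5. The HAR embedded in it is a constructed, minimal capture for a fictitious host, not a real bank home page; the only real figures are the Table 2 request counts used to check the aggregate function.

```python
"""Compute the request and byte breakdown of Tables 2-5 from a HAR capture.

Added example, not part of the paper. SAMPLE_HAR is a constructed capture for
a fictitious host; TABLE2_REQUESTS are the real per-site request counts from
Table 2 and serve to check the aggregate statistics against the paper.
"""
from statistics import mean, median

TYPES = ("html", "css", "font", "image", "js", "ajax", "other")

JS_TYPES = {"application/javascript", "application/x-javascript", "text/javascript"}
FONT_TYPES = {"application/font-woff", "application/font-woff2",
              "application/x-font-woff", "application/x-font-ttf",
              "application/vnd.ms-fontobject"}


def _entry(url, mime, body_size, content_size=None, resource_type=None):
    """Build one minimal HAR entry (helper for the constructed sample only)."""
    e = {"request": {"url": url},
         "response": {"status": 200, "bodySize": body_size,
                      "content": {"size": content_size or body_size, "mimeType": mime}}}
    if resource_type:
        e["_resourceType"] = resource_type  # Chrome-specific field
    return e


# Constructed sample: one HTML page (gzip-compressed on the wire) and sub-resources.
SAMPLE_HAR = {"log": {"entries": [
    _entry("https://bank.example/", "text/html; charset=utf-8", 20480, 61440),
    _entry("https://bank.example/css/main.css", "text/css", 30720),
    _entry("https://bank.example/js/app.js", "application/javascript", 204800),
    _entry("https://bank.example/js/analytics.js", "text/javascript", 51200),
    _entry("https://bank.example/fonts/brand.woff2", "font/woff2", 40960),
    _entry("https://bank.example/img/hero.jpg", "image/jpeg", 614400),
    _entry("https://bank.example/img/logo.svg", "image/svg+xml", 10240),
    _entry("https://bank.example/api/rates", "application/json", 2048, resource_type="xhr"),
]}}

# Per-site request counts from Table 2 of the paper (sites 1-9).
TABLE2_REQUESTS = [83, 63, 18, 44, 45, 62, 31, 67, 166]


def classify(entry):
    """Map one HAR entry to the component classes used in the paper."""
    if entry.get("_resourceType") in ("xhr", "fetch"):
        return "ajax"
    mime = entry["response"]["content"].get("mimeType", "").split(";")[0].strip().lower()
    if mime == "text/html":
        return "html"
    if mime == "text/css":
        return "css"
    if mime in JS_TYPES:
        return "js"
    if mime.startswith("image/"):
        return "image"
    if mime.startswith("font/") or mime in FONT_TYPES:
        return "font"
    return "other"


def transferred_bytes(entry):
    """Bytes on the wire: Chrome's _transferSize, else bodySize, else the
    uncompressed content size (bodySize is -1 for responses served from cache)."""
    resp = entry["response"]
    for value in (resp.get("_transferSize"), resp.get("bodySize")):
        if value is not None and value >= 0:
            return value
    return resp["content"].get("size", 0)


def summarize(har):
    """Per-site figures: total requests, total bytes, and the share of each
    component class by request count and by transferred bytes (percent)."""
    entries = har["log"]["entries"]
    counts = dict.fromkeys(TYPES, 0)
    sizes = dict.fromkeys(TYPES, 0)
    for i, entry in enumerate(entries):
        kind = "html" if i == 0 else classify(entry)  # first response = main HTML file
        counts[kind] += 1
        sizes[kind] += transferred_bytes(entry)
    total_requests, total_bytes = len(entries), sum(sizes.values())

    def pct(part, whole):
        return round(100.0 * part / whole, 1) if whole else 0.0

    return {"requests": total_requests, "bytes": total_bytes,
            "request_share": {t: pct(counts[t], total_requests) for t in TYPES},
            "byte_share": {t: pct(sizes[t], total_bytes) for t in TYPES}}


def aggregate(values):
    """Range, mean and median of one indicator across sites (as in Tables 3 and 5)."""
    return {"min": min(values), "max": max(values),
            "mean": round(mean(values), 1), "median": median(values)}


if __name__ == "__main__":
    s = summarize(SAMPLE_HAR)
    print(f"{s['requests']} requests, {s['bytes'] / 2**20:.2f} MB transferred")
    for t in TYPES:
        print(f"  {t:6s} {s['request_share'][t]:5.1f}% of requests  {s['byte_share'][t]:5.1f}% of bytes")
    print("Table 2 request counts:", aggregate(TABLE2_REQUESTS))
```

Running it over the real HAR of each bank gives Tables 2 and 4 directly; feeding the per-site totals to `aggregate` reproduces the mean of 64.3 and median of 62 requests quoted in Table 3. Note that the “Size” column in Chrome is the transfer size (after compression), while “Content” is the decoded size; the paper's MB figures are the transferred volume, which is what `transferred_bytes` returns.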


3. RESULTS AND DISCUSSION

The numbers in the first column of the following tables correspond to the numbers in the first column of Table 1.

The total number of requests that the web browser made to display the home page is around 64 on arithmetic mean and varies between 18 and 166 requests (see Table 2). The median is close to the mean, 62 requests, so we can accept this as the central tendency or average case (see Table 3). The mean numbers of requests for the other file types are as follows: 23 requests for images, 19 for JavaScript, 7 for CSS files and 6 for font files (the proportions are shown in Fig. 1).

Table 2: Total number of requests sent in order to display the main page, and the share of the individual components broken down by type.

Total number of requests Main HTML file [%] CSS files [%] Font files [%] Image files [%] JS files [%] AJAX traffic [%]
1 83 1 13 1 20 42 10
2 63 2 10 11 32 22 3
3 18 6 17 22 33 22 0
4 44 2 14 0 66 14 0
5 45 2 7 9 47 29 2
6 62 2 6 5 24 53 0
7 31 3 10 0 74 10 3
8 67 1 7 4 36 21 21
9 166 1 13 10 34 28 4

(The numbers in the second column, “Total number of requests”, are absolute values. The numbers in the following columns are relative values, expressed as a percentage of the total. The percentages do not sum to 100 because other traffic is not included in the table.)

Table 3: Averages of number of requests from Table 2.

Range Mean ±SD Median (IQR)
Total number of requests 18-166 64 ±40 62 (44-67)
Main HTML file, [%] 1-6 2 ±1 2 (1-2)
CSS files, [%] 6-17 10 ±4 10 (7-13)
Font files, [%] 0-22 7 ±7 5 (1-10)
Image files, [%] 20-74 41 ±17 34 (32-47)
JS files, [%] 10-53 27 ±13 22 (21-29)
AJAX traffic, [%] 0-21 5 ±6 3 (0-4)

Figure 1: Proportion of the number of requests (based on the arithmetic mean) needed to fully load and display the average Finnish commercial bank home page.

The data in Table 4 and Table 5 show that the mean home page size is around 2.5 MB and varies between 0.32 MB and 12.91 MB. Obviously there is one outlier (No. 9, Suomen Asuntohypopankki Oy) which distorts the arithmetic mean, and the median confirms this: 1.3 MB is much closer to the central tendency.

Table 4: Total size of the main web page and the share of the individual web components broken down by type.

Total size,[MB] Main HTML file [%] CSS files [%] Font files [%] Image files [%] JS files [%] AJAX traffic [%]
1 1.33 14 8 3 35 40 0
2 2.29 4 5 14 48 28 0
3 0.39 2 34 15 30 19 0
4 0.32 15 13 0 28 44 0
5 1.59 8 4 12 53 23 0
6 1.34 3 2 3 49 41 0
7 0.65 3 15 0 23 60 0
8 1.43 9 6 13 17 54 2
9 12.91 4 1 2 84 9 0

Table 5: Averages of web component sizes from Table 4.

Range Mean ±SD Median (IQR)
Total size, [MB] 0.32-12.91 2.5 ±3.7 1.3 (0.65-1.59)
Main HTML file, [%] 2-15 7 ±5 4 (3-9)
CSS files, [%] 1-34 10 ±10 6 (4-13)
Font files, [%] 0-15 7 ±6 3 (2-13)
Image files, [%] 17-84 41 ±19 35 (28-49)
JS files, [%] 9-60 35 ±16 40 (23-44)
AJAX traffic, [%] 0-2 0 ±1 0 (0-0)

Figure 2: Proportion of the data volumes transferred in order to fully load and display the average Finnish commercial bank home page.

By transferred size, the share of the main HTML file is around 7% and varies from 2% to 15%. The share of the images is around 41% and varies from 17% to 84%. The share of the JavaScript programs is around 35% and varies from 9% to 60%. The share of the CSS files is around 10% and varies from 1% to 34%. The share of the font files is around 7% and varies from 0% to 15%. Some of the JavaScript programs make additional AJAX requests when the page is loaded, but the share of the data transferred this way is negligible. Fig. 2 presents the proportion of the data volumes transferred in order for the average Finnish commercial bank home page to be fully loaded and displayed.

The data in Table 6 show that only one of the surveyed web sites uses the latest protocol, HTTP/2. The others use HTTP/1.1 and possibly older versions as well (HTTP/1.0 and HTTP/0.9). Only two web sites send the Keep-Alive header, and both are set to a 5-second timeout for the open network connection with a maximum of 100 served requests. The rest do not provide such information at all.

Table 6: Maximum supported HTTP version, Server type and Keep-Alive parameter.

Maximum supported HTTP version Server Keep-Alive, timeout [s] Keep-Alive, max requests
1 1.1 BigIP - -
2 1.1 - - -
3 1.1 Apache/2.2.3 (CentOS); X-Powered-By: PHP/5.1.6 - -
4 2 BigIP; Microsoft-IIS/8.5 - -
5 1.1 - - -
6 1.1 Apache/2.4.7 (Ubuntu); Apache-Coyote/1.1 5 100
7 1.1 X-Powered-By: Servlet/2.5 JSP/2.1 - -
8 1.1 Microsoft-IIS/8.5 - -
9 1.1 Apache/2.4.10 (Debian) PHP/5.6.30-0+deb8u1 OpenSSL/1.0.1t 5 100

One of the web servers is rather old, and many security vulnerabilities have been reported and fixed in the meantime. Among the most important are: “Apache HTTP Request Parsing Whitespace Defects”, “mod_mime Buffer Overread”, “ap_find_token() Buffer Overread”, “mod_ssl Null Pointer Dereference”, “ap_get_basic_auth_pw() Authentication Bypass” and “Uninitialized memory reflection in mod_auth_digest” [6]. Two caveats apply before reading the banner as proof. The Apache/2.2.3 and PHP/5.1.6 combination is what CentOS 5 shipped, and CentOS (like RHEL) backports security fixes without changing the advertised version number, so the banner alone does not show that any of these defects is unpatched. CentOS 5 itself reached end of life in March 2017, however, so no further backports are issued for it, and the 2.2 branch is no longer maintained by the Apache project either. The main duty of the bank’s system administrators is of course to patch the various systems regularly, but in this case upgrading to version 2.4 is better than patching. It should also be noted that the information a web server provides about itself may not be real. The system administrator can put different settings in the configuration files in order to give a false impression of the software used, its version, installed modules or plugins and so on. This practice is not common but is used in some cases, so the data in Table 6 about the web server software should not be accepted unreservedly.

The data in Table 7 show that many of the web sites use security-related fields in the HTTP response. When a supporting browser receives the “Strict-Transport-Security” field over HTTPS, it will refuse to send any communication to the specified host over plain HTTP for the declared max-age and will use HTTPS instead [7, 8]; the header is ignored when received over HTTP, so a site that is not available over HTTPS cannot benefit from it. The “X-Frame-Options” field in the response header provides protection against so-called clickjacking attacks. The value “SAMEORIGIN” instructs the browser to render the page inside <frame> or <iframe> tags only if the origin of the two pages is the same. The value “DENY” instructs the browser that the page must not be displayed in a frame regardless of which web site attempts to do so [9, 10]. The “X-XSS-Protection” field controls the browser’s built-in filter against reflected cross-site scripting attacks [11, 12]. The value “1; mode=block” instructs the browser to stop rendering the page if such an attack is detected. This header is non-standard and only affects browsers that ship such a filter; Firefox never implemented it and Chrome removed its filter in 2019, so it should not be relied on in place of output encoding and a Content-Security-Policy.
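The checks described above for Table 7, together with the version disclosure discussed for Table 6, can be automated. The script below is an added example and not part of the paper: it parses the response header values as Chrome’s Developer tools or `curl -sI` show them and returns a dictionary of findings for the HSTS policy (missing, short max-age, no includeSubDomains, preload token without the preload requirements), the framing control, the legacy XSS filter switch, and version strings in Server or X-Powered-By. The three header sets are constructed from rows 4, 7 and 3 of Tables 6 and 7; the one-year threshold is the minimum max-age the browser preload list requires.

```python
"""Evaluate security-related HTTP response headers (Tables 6 and 7).

Added example, not part of the paper. SITE_4, SITE_7 and SITE_3 are header
sets constructed from the corresponding rows of Tables 6 and 7.
"""
import re

ONE_YEAR = 31536000  # seconds; minimum HSTS max-age accepted by the preload list


def parse_hsts(value):
    """Split a Strict-Transport-Security value into (max_age, includeSubDomains, preload)."""
    max_age, subdomains, preload = 0, False, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            subdomains = True
        elif name == "preload":
            preload = True
    return max_age, subdomains, preload


def check_headers(headers):
    """Return {finding_code: explanation} for one site's response headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = {}

    # HSTS is only honoured when received over HTTPS; a missing or short policy
    # leaves the first visit (and every http:// link) open to downgrade.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings["hsts-missing"] = "no Strict-Transport-Security header"
    else:
        max_age, subdomains, preload = parse_hsts(hsts)
        if max_age < ONE_YEAR:
            findings["hsts-short-max-age"] = (
                f"max-age={max_age}s expires after {max_age / 3600:.0f} h without a revisit")
        if not subdomains:
            findings["hsts-no-subdomains"] = "includeSubDomains absent: subdomains may still be reached over http"
        if preload and (max_age < ONE_YEAR or not subdomains):
            findings["hsts-preload-unmet"] = "preload token present but preload requirements not met"

    # Framing control (clickjacking); any value other than DENY/SAMEORIGIN is ignored.
    xfo = h.get("x-frame-options")
    if xfo is None:
        findings["xfo-missing"] = "no X-Frame-Options: page can be framed by any origin"
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings["xfo-invalid"] = f"X-Frame-Options {xfo!r} is not DENY or SAMEORIGIN"

    # Legacy XSS filter switch; only meaningful for browsers that still ship a filter.
    xss = h.get("x-xss-protection")
    if xss is None:
        findings["xss-missing"] = "no X-XSS-Protection (legacy header)"
    elif xss.startswith("1") and "mode=block" not in xss.replace(" ", ""):
        findings["xss-filter-mode"] = "filter in sanitise mode; use '1; mode=block' or '0'"

    # Version strings in Server / X-Powered-By make matching against known CVEs trivial.
    for name in ("server", "x-powered-by"):
        if name in h and re.search(r"\d+\.\d+", h[name]):
            findings[f"version-disclosure-{name}"] = f"{name} reveals a version: {h[name]}"
    return findings


# Constructed from rows 4, 7 and 3 of Tables 6 and 7.
SITE_4 = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
          "X-Frame-Options": "SAMEORIGIN", "X-XSS-Protection": "1;mode=block",
          "Server": "BigIP; Microsoft-IIS/8.5"}
SITE_7 = {"Strict-Transport-Security": "max-age=14400", "X-Frame-Options": "DENY",
          "X-Powered-By": "Servlet/2.5 JSP/2.1"}
SITE_3 = {"Server": "Apache/2.2.3 (CentOS)", "X-Powered-By": "PHP/5.1.6"}

if __name__ == "__main__":
    for label, hdrs in (("site 4", SITE_4), ("site 7", SITE_7), ("site 3", SITE_3)):
        print(label)
        for code, text in check_headers(hdrs).items():
            print(f"  {code}: {text}")
```

Site 4 comes out with only the IIS version disclosure; site 7’s max-age of 14400 seconds means its HSTS policy lapses four hours after the last visit, and site 3 (no HTTPS at all) trips every check. The script deliberately does not fetch anything: run `curl -sI` against each host, paste the headers into a dict, and the findings are reproducible offline.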

Table 7: The content of various security-related fields in the HTTP response.

Strict-Transport-Security X-Frame-Options X-XSS-Protection
1 - - 1; mode=block
2 - SAMEORIGIN 1; mode=block
3 - - -
4 max-age=31536000; includeSubDomains; preload SAMEORIGIN 1;mode=block
5 max-age=157680000 DENY -
6 max-age=157680000; includeSubDomains - -
7 max-age=14400 DENY -
8 max-age=63072000 - 1; mode=block
9 - - -

The data in Table 8 show that about 56% of the web sites use a Symantec-issued SSL certificate, valid for 1 or 2 years. One of them does not use HTTPS at all. Since the survey, Chrome and Firefox have distrusted certificates issued by Symantec’s legacy CA hierarchy (completed with Chrome 70 and Firefox 63 in October 2018), so the five Symantec certificates in Table 8 had to be replaced before their nominal expiry.

Table 8: The issuer and validity length of the SSL certificate.

SSL Certificate Issuer Years
1 Symantec Class 3 EV SSL CA - G3 1
2 DigiCert SHA2 High Assurance Server CA 2
3 - (no HTTPS support) -
4 Symantec Class 3 Secure Server CA - G4 1
5 GlobalSign Extended Validation CA - SHA256 - G3 2
6 Symantec Class 3 EV SSL CA - G3 2
7 Symantec Class 3 EV SSL CA - G3 1
8 Symantec Class 3 EV SSL CA - G3 2
9 DigiCert SHA2 Extended Validation Server CA 2


CONCLUSIONS

The size of the home pages and the share of the different groups of web components, taken together with the number of requests needed to retrieve them, are in our opinion very important parameters to measure. As is well known, if all other factors are equal, the bigger a web page is, the longer it takes for all the required resources to be loaded and for the page to be displayed. Since the home page is one of the most viewed pages of the web site, it plays a very important role. Images are responsible for the major part of an average home page’s size.

JavaScript is used on the home pages mainly for animations, for gathering analytics information and for playing video. In one case the video is played on user demand; in the other cases the video starts automatically when the user scrolls down the page and the video frame becomes fully visible. It is unusual for web forms to be placed on home pages. Usually web forms are placed on inner pages of the web site, and in that case JavaScript is used to check the entered data before it is sent to the server side.

Our study found that most of the web sites use custom fonts. Most frequently 3-4 fonts are used, but in some cases (http://www.hypo.fi) the number of fonts is extremely large: 17. A large number of font files typically raises the traffic by 200-300 KB and raises the question: “Why are the fonts embedded in the operating system not good enough for web pages?”. There are three popular options for loading custom fonts: self-hosted fonts, the Google Fonts service (https://fonts.google.com/) and the Adobe Typekit service (https://typekit.com/fonts). The last two services have free and paid plans.

Reducing the size can be achieved by removing unnecessary scripts or frameworks and by using fonts built into the OS (also known as “web-safe” fonts). These optimization procedures can improve home page loading speed.

The results of our study could be used as a guide to good and bad practices, because highly qualified personnel are employed in credit institutions and decisions are usually based on the best known practices in order to minimize risks and at the same time to attract customers. In these institutions there is no lack of funding, so money is not a problem and there are opportunities to use any (including expensive) software. We believe that the web server is more than a key component of a bank’s IT infrastructure. It has become an integral part of every aspect of a bank’s online business, so security and performance cannot be sacrificed for any reason.


ACKNOWLEDGMENT

This work was partially supported by the NPI 92017 Project from University of Economics - Varna Science Fund.


REFERENCES

[1] L. Hasan and E. Abuelrub. 2011. Assessing the quality of web sites. In: Applied Computing and Informatics. Vol. 9, issue 1, 2011, pp. 11-29, DOI: https://doi.org/10.1016/j.aci.2009.03.001

[2] Parusheva, S. A Study on Adoption of Internet Banking and New Direct Banking Channels with Reference to Young Bulgarian Consumers. Journal of Applied Economic Sciences, Craiova: ASERS Publishing, 8, 2018, Spring 2(56), pp.510-519.

[3] Supervised entities. Service providers supervised by the Financial Supervisory Authority (FIN-FSA), (retrieved 15.10.2017)

[4] Petrov, P., Trends in the Use of Web Server Software in Bulgarian Banks. In: International Conference on Application of Information and Communication Technology and Statistics in Economy and Education (ICAICTSEE-2012), UNWE, 2012, pp.359-364.

[5] Dickinger, A., Stangl, B., Website performance and behavioural consequences: A formative measurement approach. In: Journal of Business Research, Volume 66, Issue 6, 2013, pp.771-777.

[6] Apache HTTP Server Project. Apache httpd 2.2 vulnerabilities, https://httpd.apache.org/security/vulnerabilities_22.html (retrieved 15.01.2018).

[7] Hodges, J., Jackson, C., Barth, A., HTTP Strict Transport Security (HSTS), 2012, https://tools.ietf.org/rfc/rfc6797.txt (retrieved 20.01.2018)

[8] Chang, L., Hsiao, H., Jeng, W., Kim, T., Lin, W., Security Implications of Redirection Trail in Popular Websites Worldwide. In: Proceedings of the 26th International Conference on World Wide Web, 2017, pp.1491-1500.

[9] Ross, D., Gondrom, T., Stanley, T., HTTP Header Field X-Frame-Options, 2013, https://tools.ietf.org/rfc/rfc7034.txt

[10] Some, D., Bielova, N., Rezk, T., On the Content Security Policy Violations due to the Same-Origin Policy. In: Proceedings of the 26th International Conference on World Wide Web, 2017, pp.877-886.

[11] Kisa, K., Tatli, E., Analysis of HTTP Security Headers in Turkey. In: International Journal of Information Security Science, 2016, 5(4), pp.96-105.

[12] Kuyumdzhiev, I. Controls Mitigating the Risk of Confidential Information Disclosure by Facebook: Essential Concern in Auditing Information Security. In: TEM Journal, 3, 2014, 2, pp.113-119.