Keywords: Finland commercial banks, web technologies, home page, web site, SSL certificate
As the Internet plays a major role in our lives, banks’ websites are frequently chosen by potential and existing clients to obtain the financial information they need. A bank’s website acts as an extension and augmentation of the traditional physical bank office and offers a variety of financial services. The home page is the entry point to the bank’s web site and provides useful information about the various financial services. Most of the visitor’s impressions of the bank are formed on its main page, and various types of criteria can be used to evaluate its quality: content quality, design quality, organization quality and user-friendliness [1, 2]. In our opinion, quality can be measured by the perceptions of many ordinary users or of a few experts, but it can also be measured by direct quantitative measures that represent the proportions of the web components making up the main page.
The purpose of this publication is to summarize the information gathered in the course of our research on the web technologies used in the home pages of the Finnish commercial banks in November 2017. The list of commercial banks authorized to operate in Finland is taken from the “Supervised entities” list on the Finland Financial Supervisory Authority (FIN-FSA) website. The list contains 948 supervised entities undertaking operations in the domestic financial market, but we selected only the domestic commercial banks (see Table 1). Table 1 does not include the Finnish branches of foreign credit institutions from EEA countries, nor savings banks, limited-liability savings banks, mortgage banks, member cooperative banks (http://www.osuuspankki.fi/), local cooperative banks (http://www.poppankki.fi/) and other financial institutions. Table 1 lists only commercial banks under the supervision of FIN-FSA. It should be noted that “Danske Bank Plc” meanwhile became a branch of its Danish parent company, “Danske Bank A/S”, at the end of 2017. Therefore, it is no longer in the list, but during our research it was still under the supervision of FIN-FSA and was considered by us a domestic commercial bank.
Table 1: Commercial banks supervised by the Finland Financial Supervisory Authority (FIN-FSA).
| № | Commercial bank | URL of the home page |
|---|---|---|
| 1 | Aktia Bank p.l.c. | http://www.aktia.fi |
| 2 | Bank of Åland Plc | http://www.alandsbanken.fi |
| 3 | Bonum Bank Plc. | http://www.bonumpankki.fi |
| 4 | Central Bank of Savings Banks Finland Plc | http://www.spkeskuspankki.fi |
| 5 | Danske Bank Plc | http://www.danskebank.fi |
| 6 | Evli Bank Plc | http://www.evli.com |
| 7 | OP Corporate Bank plc | http://www.pohjola.fi |
| 9 | Suomen Asuntohypopankki Oy | http://www.hypo.fi |
In our study, the home pages of 9 commercial banks were inspected during October 2017. The main method used in the survey is analysis of the responses returned by the web servers. Although these home pages are intended for the same audience, their structure and contents vary broadly. Google Chrome ver. 59 was used as the web client, with the “Developer tools” module activated. It should be noted that this module has not been developed specifically for studies of this kind, but it is a very useful tool in such cases. The inspection was done manually, by expert estimation. Other approaches to the same research include command-line tools such as cURL or Wget, but using a real web browser is more straightforward.
The summarized results for the studied home pages are presented in eight tables (Table 2 - 8) based on the following key indicators: the number of requests sent and the size of the whole page, broken down by component; the maximum supported HTTP version, server type and Keep-Alive parameter; the content of various security-related fields in the HTTP response; and the issuer and validity length of the SSL certificate.
The numbers in the first column of the following tables correspond to the numbers in the first column of Table 1.
Table 2: Total number of requests sent in order for the main page to be displayed, and the share of individual components broken down by type.
| № | Total number of requests | Main HTML file [%] | CSS files [%] | Font files [%] | Image files [%] | JS files [%] | AJAX traffic [%] |
|---|---|---|---|---|---|---|---|
(The numbers in the second column, “Total number of requests”, are absolute values. The numbers in the following columns are relative values, expressed as a percentage of the total. The percentages do not sum to 100 because other traffic is not included in the table.)
Table 3: Averages of number of requests from Table 2.
|  | Range | Mean ±SD | Median (IQR) |
|---|---|---|---|
| Total number of requests | 18-166 | 64 ±40 | 62 (44-67) |
| Main HTML file, [%] | 1-6 | 2 ±1 | 2 (1-2) |
| CSS files, [%] | 6-17 | 10 ±4 | 10 (7-13) |
| Font files, [%] | 0-22 | 7 ±7 | 5 (1-10) |
| Image files, [%] | 20-74 | 41 ±17 | 34 (32-47) |
| JS files, [%] | 10-53 | 27 ±13 | 22 (21-29) |
| AJAX traffic, [%] | 0-21 | 5 ±6 | 3 (0-4) |
The data in Table 4 and Table 5 show that the mean home page size is around 2.5 MB and varies between 32 KB and 13 MB. Obviously, there is one outlier (№ 9, Suomen Asuntohypopankki Oy) which distorts the arithmetic mean; the median confirms this, since 1.3 MB is much closer to the central tendency.
Table 4: Total size of the main web page and the share of individual web components broken down by types.
| № | Total size, [MB] | Main HTML file [%] | CSS files [%] | Font files [%] | Image files [%] | JS files [%] | AJAX traffic [%] |
|---|---|---|---|---|---|---|---|
Table 5: Averages of web component sizes from Table 4.
|  | Range | Mean ±SD | Median (IQR) |
|---|---|---|---|
| Total size, [MB] | 0.32-12.91 | 2.5 ±3.7 | 1.3 (0.65-1.59) |
| Main HTML file, [%] | 2-15 | 7 ±5 | 4 (3-9) |
| CSS files, [%] | 1-34 | 10 ±10 | 6 (4-13) |
| Font files, [%] | 0-15 | 7 ±6 | 3 (2-13) |
| Image files, [%] | 17-84 | 41 ±19 | 35 (28-49) |
| JS files, [%] | 9-60 | 35 ±16 | 40 (23-44) |
| AJAX traffic, [%] | 0-2 | 0 ±1 | 0 (0-0) |
The data in Table 6 show that only one of the surveyed web sites uses the latest protocol, HTTP/2. The others use HTTP/1.1 and possibly older versions as well (HTTP/1.0 and HTTP/0.9). The web server setting for the Keep-Alive parameter is exposed by only two web sites, and both are set to a 5-second timeout for the open network connection with a maximum of 100 served requests. The rest do not provide such information at all.
Table 6: Maximum supported HTTP version, Server type and Keep-Alive parameter.
| № | Maximum supported HTTP version | Server | Keep-Alive, Timeout | Keep-Alive, Maximum served files |
|---|---|---|---|---|
| 3 | 1.1 | Apache/2.2.3 (CentOS); X-Powered-By: PHP/5.1.6 | - | - |
| 6 | 1.1 | Apache/2.4.7 (Ubuntu); Apache-Coyote/1.1 | 5 | 100 |
| 7 | 1.1 | X-Powered-By: Servlet/2.5 JSP/2.1 | - | - |
| 9 | 1.1 | Apache/2.4.10 (Debian) PHP/5.6.30-0+deb8u1 OpenSSL/1.0.1t | 5 | 100 |
One of the web servers is rather old, and many security vulnerabilities have been reported and fixed in the meantime. Among the most important are: “Apache HTTP Request Parsing Whitespace Defects”, “mod_mime Buffer Overread”, “ap_find_token() Buffer Overread”, “mod_ssl Null Pointer Dereference”, “ap_get_basic_auth_pw() Authentication Bypass” and “Uninitialized memory reflection in mod_auth_digest”. Of course, the main duty of the bank’s system administrators is to patch the various systems regularly, but it would be better to upgrade to version 2.4 instead of patching. It should be noted that the information a web server provides about itself may not be genuine. The system administrator could put different settings in the configuration files in order to give a false impression of the software used, its version, installed modules or plugins and so on. This practice is not common but could be used in some cases, so the data in Table 6 about the web server software should not be accepted unreservedly.
The data in Table 7 show that many websites use security-related fields in the HTTP response. The presence of the “Strict-Transport-Security” field, on a supporting browser, prevents any communication from being sent over HTTP to the specified domain and causes all communication to be sent over HTTPS instead [7, 8]. The “X-Frame-Options” field in the response header provides protection against the so-called “clickjacking attack”. The value “SAMEORIGIN” instructs the browser to render the web page inside <frame> or <iframe> tags only if the domain of the two pages is the same. The value “DENY” instructs the browser that the page cannot be displayed in a frame, regardless of the web site attempting to do so [9, 10]. “X-XSS-Protection” provides protection against the so-called “cross-site scripting attack” [11, 12]. The value “1; mode=block” instructs the browser to block rendering of the web page if such an attack is detected.
Table 7: The content of various security related fields in the HTTP response, the issuer and validity length of the SSL certificate.
| № | Strict-Transport-Security | X-Frame-Options | X-XSS-Protection |
|---|---|---|---|
| 4 | max-age=31536000; includeSubDomains; preload | SAMEORIGIN | 1;mode=block |
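Checking for the three header fields described above, together with the Server and Keep-Alive fields of Table 6, can be done against a captured response head without touching the network. The following Python script is an added example, not code from the paper: it parses a raw HTTP response head as shown by `curl -sI` or the Developer tools “Headers” pane and reports what is missing or weak. The two response heads embedded in it are constructed, modelled on the values in Table 6 and Table 7, and belong to no real bank.

```python
"""Audit of the security-related response fields of Table 7 (Strict-Transport-
Security, X-Frame-Options, X-XSS-Protection) plus Server / Keep-Alive (Table 6).
Added example, not code from the paper; the sample heads are constructed."""
import re

ONE_YEAR = 31536000  # the max-age value recorded in Table 7, row 4


def parse_head(raw):
    """Split a raw response head into (status line, {lowercased name: value}).
    Header names are case-insensitive, so they are folded to lower case."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def parse_directives(value):
    """'max-age=31536000; includeSubDomains; preload' ->
    {'max-age': '31536000', 'includesubdomains': None, 'preload': None}"""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip() or None
    return directives


def audit(raw):
    """Return a list of findings; empty when the fields are set as in Table 7."""
    _, h = parse_head(raw)
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: field missing, a browser may still be sent to http://")
    else:
        d = parse_directives(hsts)
        max_age = int(d.get("max-age") or 0)
        if max_age < ONE_YEAR:
            findings.append(f"HSTS: max-age={max_age} is shorter than one year")
        if "includesubdomains" not in d:
            findings.append("HSTS: includeSubDomains absent, subdomains stay unprotected")
    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options: missing, the page can be framed by any site")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options: unrecognised value {xfo!r}")
    # Chromium and Firefox ignore X-XSS-Protection today (a Content-Security-Policy
    # is the mechanism to rely on); the check mirrors what Table 7 records.
    xss = h.get("x-xss-protection")
    if xss is None:
        findings.append("X-XSS-Protection: missing")
    elif xss.replace(" ", "") != "1;mode=block":
        findings.append(f"X-XSS-Protection: {xss!r} does not block rendering")
    # Version strings as in Table 6 let a server be matched against vulnerability lists.
    if re.search(r"\d+\.\d+", h.get("server", "")) or "x-powered-by" in h:
        findings.append("Version disclosure: Server / X-Powered-By reveal software versions")
    return findings


def keep_alive(raw):
    """(timeout seconds, max requests) from 'Keep-Alive: timeout=5, max=100', or None."""
    _, h = parse_head(raw)
    value = h.get("keep-alive")
    if value is None:
        return None
    params = {}
    for part in value.split(","):
        name, _, val = part.strip().partition("=")
        params[name.lower()] = val
    return int(params.get("timeout", 0)), int(params.get("max", 0))


# Constructed head: the security fields of Table 7, row 4, and the Keep-Alive
# values reported for two sites in Table 6.
GOOD = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1;mode=block
Server: nginx
Keep-Alive: timeout=5, max=100
Content-Type: text/html
"""

# Constructed head in the spirit of Table 6, row 3: old versions disclosed, no security fields.
WEAK = """HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Type: text/html
"""

if __name__ == "__main__":
    for label, head in ("GOOD", GOOD), ("WEAK", WEAK):
        print(label, audit(head) or ["no findings"], "Keep-Alive:", keep_alive(head))
```

Because the script only needs the response head, it can be run over a batch of saved `curl -sI` outputs and repeated after a configuration change, which makes it a cheap regression check for the fields whose presence the paper records by hand.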
The data in Table 8 show that nearly 56% of the web sites use a one- or two-year Symantec SSL certificate. One of them does not use HTTPS at all.
Table 8: The issuer and validity length of the SSL certificate.
| № | SSL Certificate Issuer | Years |
|---|---|---|
| 1 | Symantec Class 3 EV SSL CA - G3 | 1 |
| 2 | DigiCert SHA2 High Assurance Server CA | 2 |
| 3 | - (no HTTPS support) | - |
| 4 | Symantec Class 3 Secure Server CA - G4 | 1 |
| 5 | GlobalSign Extended Validation CA - SHA256 - G3 | 2 |
| 6 | Symantec Class 3 EV SSL CA - G3 | 2 |
| 7 | Symantec Class 3 EV SSL CA - G3 | 1 |
| 8 | Symantec Class 3 EV SSL CA - G3 | 2 |
| 9 | DigiCert SHA2 Extended Validation Server CA | 2 |
The size of the home page and the share of the different groups of web components, together with the number of requests needed to retrieve them, are in our opinion very important parameters to measure. As is well known, all other factors being equal, the bigger a web page is, the longer it takes for all the required resources to be loaded and for the page to be displayed. Since the home page is one of the most viewed pages of the web site, it plays a very important role. Images are responsible for the major part of an average home page’s size.
Our study found that most of the web sites use custom fonts. Most frequently 3-4 fonts are used, but in some cases (http://www.hypo.fi) the number of fonts is extremely large: 17. A large number of font files typically raises the traffic by 200-300 KB and raises the question: “Why are the fonts embedded in the operating systems not good enough for web pages?”. For loading custom fonts there are three most popular options: self-hosted fonts, the Google Fonts service (https://fonts.google.com/) and the Adobe Typekit service (https://typekit.com/fonts). The last two services have free and paid plans.
Reducing the size can be achieved by removing unnecessary scripts or frameworks and by using fonts built into the OS (also known as “web-safe” fonts). These optimization procedures can improve home page loading speed.
The results of our study could be used as a guide to good and bad practices, because highly qualified personnel are employed in the credit institutions and decisions are usually based on the best known practices, in order to minimize risks and at the same time attract customers. In these institutions there is no lack of funding, so money is not a problem and there are opportunities to use any (including expensive) software. We believe that the web server is more than a key component of the banks’ IT infrastructure. It has become an integral part of every aspect of the banks’ online business, so security and performance cannot be sacrificed for any reason.
This work was partially supported by the NPI 9/2017 Project from University of Economics - Varna Science Fund.
[1] Hasana, L., Abuelrub, E., Assessing the quality of web sites. In: Applied Computing and Informatics, Vol. 9, Issue 1, 2011, pp. 11-29, DOI: https://doi.org/10.1016/j.aci.2009.03.001
[2] Parusheva, S., A Study on Adoption of Internet Banking and New Direct Banking Channels with Reference to Young Bulgarian Consumers. In: Journal of Applied Economic Sciences, Craiova: ASERS Publishing, 8, 2018, Spring 2(56), pp. 510-519.
[3] Supervised entities. Service providers supervised by the Financial Supervisory Authority (FIN-FSA),
[4] Petrov, P., Trends in the Use of Web Server Software in Bulgarian Banks. In: International Conference on Application of Information and Communication Technology and Statistics in Economy and Education (ICAICTSEE-2012), UNWE, 2012, pp. 359-364.
[5] Dickinger, A., Stangl, B., Website performance and behavioural consequences: A formative measurement approach. In: Journal of Business Research, Volume 66, Issue 6, 2013, pp. 771-777.
[6] Apache HTTP Server Project. Apache httpd 2.2 vulnerabilities, https://httpd.apache.org/security/vulnerabilities_22.html (retrieved 15.01.2018).
[7] Hodges, J., Jackson, C., Barth, A., HTTP Strict Transport Security (HSTS), 2012, https://tools.ietf.org/rfc/rfc6797.txt (retrieved 20.01.2018).
[8] Chang, L., Hsiao, H., Jeng, W., Kim, T., Lin, W., Security Implications of Redirection Trail in Popular Websites Worldwide. In: Proceedings of the 26th International Conference on World Wide Web, 2017, pp. 1491-1500.
[9] Ross, D., Gondrom, T., Stanley, T., HTTP Header Field X-Frame-Options, 2013, https://tools.ietf.org/rfc/rfc7034.txt
[10] Some, D., Bielova, N., Rezk, T., On the Content Security Policy Violations due to the Same-Origin Policy. In: Proceedings of the 26th International Conference on World Wide Web, 2017, pp. 877-886.
[11] Kisa, K., Tatli, E., Analysis of HTTP Security Headers in Turkey. In: International Journal of Information Security Science, 2016, 5(4), pp. 96-105.
[12] Kuyumdzhiev, I., Controls Mitigating the Risk of Confidential Information Disclosure by Facebook: Essential Concern in Auditing Information Security. In: TEM Journal, 3, 2014, 2, pp. 113-119.