I was browsing news feeds and read an article about Danske Bank not using SHA-256 certificate (article in Tivi, in Finnish only) in its online bank. "So what? Big deal, huh. Nobody else does either." was my instant thought. 15 seconds later ... but do they really? Let's investigate.
The reasoning about the article is, that Goole is Gradually sunsetting SHA-1. That is something they announced in September 2014, giving plenty of time for service admins to react. Google's Chrome will display HTTPS using less than SHA-256 signed certificate which is valid past 1st Jan 2017 like this:
Anbody, who takes your security seriously will be displayed like this:
The difference is with the green lock, or lack of it. Most users don't care about the lock anyway, so lot of fuss about nothing.
The bad
| Organization | URI | Expiry | Certificate signature | Certificate issuer | Intemediate certificate issuer(s) |
|---|---|---|---|---|---|
| Danske Bank | www.danskebank.fi | 2017-06-20 | SHA-1 | GMO GlobalSign | |
| OP-Pohjola | www.op.fi | 2015-12-12 | SHA-1 | Symantec | VeriSign |
| Nordea Pankki | solo1.nordea.fi | 2016-04-22 | SHA-1 | VeriSign | |
| Ålandsbanken | online.alandsbanken.fi | 2015-07-29 | SHA-1 | DigiCert | |
| POP Pankki | www.poppankki.fi | 2017-03-28 | SHA-1 | VeriSign | |
| Luottokunta (Nets) | dmp2.luottokunta.fi | 2016-03-03 | SHA-1 | VeriSign | |
| Paytrail | account.paytrail.com | 2015-05-15 | SHA-1 | VeriSign |
The good
| Organization | URI | Certificate signature | Certificate issuer | Intemediate certificate issuer(s) |
|---|---|---|---|---|
| S-Pankki | www.s-pankki.fi | SHA256 | Symantec Class 3 EV SSL CA - G3 (SHA256) | VeriSign |
| Aktia Pankki | auth.aktia.fi | SHA256 | Symantec Class 3 EV SSL CA - G3 (SHA256) | VeriSign |
| Säästöpankki | www4.saastopankki.fi | SHA256 | Symantec Class 3 EV SSL CA - G3 (SHA256) | VeriSign |
| Handelsbanken | www4.handelsbanken.fi | SHA256 | Symantec Class 3 EV SSL CA - G3 (SHA256) | VeriSign Class 3 Public Primary Certification Authority - G5 (SHA-1) |
The conclusion
Apparently somebody does. 
As it happens, all the banks having SHA-256 certificates are from same source: Symantec/Verisign. However, most of the institutions haven't had the time to react. There is no point to finger point (pun intended) one of them.
The information was gathered with Gnu TLS command-line tool (gnutls-cli --print-cert).