|
|
Very odd as firefox, google, internet explorer told me to get out of this site, not connected to secure!
https://s16.postimg.org/hpzpb6erp/dslchecker.jpg
|
|
|
Well I am only getting it on Chrome, IE and Edge are fine.
Chrome says the following:
Obsolete Connection Settings
The connection to this site uses an obsolete protocol (TLS 1.0), a strong key exchange (ECDHE_RSA with P-256), and an obsolete cipher (AES_128_CBC with HMAC-SHA1).
So they need to recreate their Certs.
Tell a lie, Edge are flagging it just not showing a notifications apart from within the development tools.
SEC7132: The certificate protecting this website uses weak cryptography (SHA1). The website should replace this certificate with an SHA2 certificate before SHA1 is no longer allowed.
So yeah
It seems noting has changed on the site Certificate wise, just that the browsers are now starting to moan about old versions of encryptions.
As far as I can see the cert was last updated on 14th April 2014 00:00:00 and will expire on 12th June 2017 23:59:59.
Paul
BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
|
|
|
I mentioned it to BTCare Twitter on the other day - they say "it works fine" and nothing more. Think they don't fully understand...
|
|
Register (or login) on our website and you will not see this ad.
|
|
|
Probably this is the reason. It's asking for phone number and/or address.
Kindness isn't going to cure the world of all its awfulness but it's a good place to begin. Daisy Ridley.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. Sync 65258/14193Kbps @ 600m. BQMs - IPv4 & IPv6
Edited by RobertoS (Mon 20-Feb-17 08:26:35)
|
|
|
just wait till it gets blocked, suddenly it will get fixed overnight, its how these large companies work, security is always deemed as "unneeded expense and manpower".
|
|
|
|
BT have a full internal pentest team and generally spend a fair bit. I'm surprised it hasn't been dealt with already.
|
|
|
|
Large companies are made up of lots of individual people. The ones who set, or change security policy are a long way from the people who renew certificates.
This is more likely on the Gantt chart of some individual project manager, for some individual support engineer to work on, based on the expiry date.
It will change from unimportant to vital overnight, when the appropriate day rolls on.
If browsers start to block users early, then that job will be bumped up, so I agree with that. A smart support engineer will then trigger other certificates to be checked, but that probably depends on the experience level of the individual who gets allocated the job when it turns up.
|
|
|
they not doing a great job then as I have come across various issues on BT hosted sites over the years, issues that should be extremely basic to pick up by any experienced security bod.
|
|
|
an example is tesco, sometime a year or two ago, I couldnt access a page which prevented me doing an order, when I rang up the guy said tesco were aware already a few months back of the problem but they were not aware chrome started blocking their website, of course once they was aware of the latter it got fixed pretty quickly before it started affecting the bottom line.
|
|
|
Probably this is the reason. It's asking for phone number and/or address.
Its not that.
Their HTTPS Certificate is using TLS 1.0 which is old and not as secure as 1.1 and 1.2.
Edge reported it as not secure due to using TLS 1.0, the page was encrypted but not secure as it could be.
Basically its not the RSA Certificate its how they have setup the SSL side of their server.
Let me run some tests to do with how secure their site is and I will get back.
*** update ***
I just run some Security Checks on the dsl checker and it fails the tests.
They even have SSL3 which has exploits and should never be used.
They get a rating of F where as it should have a rating of A or A+
This is a rating of one of my sites, as you will see its rated A+
I will email one of the people I have spoken to at BT Wholesale.
Paul
BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
Edited by PaulKirby (Mon 20-Feb-17 18:28:03)
|
|
|
|
I have inform BT about this. They say it all working fine, all fixed. But I don't think they never understand the dslchecker still not secure on firefox and google chrome.
Internet Explorer are working fine.
|
|
|
I have inform BT about this. They say it all working fine, all fixed. But I don't think they never understand the dslchecker still not secure on firefox and google chrome.
Internet Explorer are working fine.
Yes IE and Edge do work fine, but if you open up the developer tools and check the console messages you will see the warning.
SEC7132: The certificate protecting this website uses weak cryptography (SHA1). The website should replace this certificate with an SHA2 certificate before SHA1 is no longer allowed.
www.dslchecker.bt.com
I have sent a very detailed email of the issue and what exploits they webservers are vulnerable to that could gain the attacker access to the server in question itself and then access to all the database servers that server has access to.
I have also told them they can contact me for more information if needed and also if this security blunder isn't resolved within a reasonable time I will be contacting the Chairman's office due to our private information like address and phone number, mu phone number is ex-directory and a hacker would have access to both information breaking the privacy act.
The sad thing is they have no clue what they are doing, they webserver is vulnerable to the SSL3 POODLE Exploit, if you are unaware of that exploit do a google search.
I am about to sent BT a tweet with an image of the vulnerable areas, maybe this approach will get it resolved.
*** update ***
Tweets sent.
Also its only the DSL Checker that is insecure with all the exploits, the main BT Site (i.e. https://home.bt.com) has a rating of A, its not perfect but its secure.
Lets now see what becomes of it 
I bet I get told to remove my Tweets due to it exposes what its vulnerable to.
Paul
BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
Edited by PaulKirby (Mon 20-Feb-17 20:09:56)
|
|
|
I post this to PN forum as someone deleted my post by PN staff. Disgusted because PN are the isp can report this to BTWholesale of dslchecker not secure.
I was surprise no one from many isp's can see this and doesn't want to get involved.
Edited by adslmax (Mon 20-Feb-17 22:20:18)
|
|
|
I post this to PN forum as someone deleted my post by PN staff. Disgusted because PN are the isp can report this to BTWholesale of dslchecker not secure.
I was surprise no one from many isp's can see this and doesn't want to get involved.
Well that doesn't sound good
Well I am going to give BT 7 to 10 days to respond to my Email and Tweets and if nothing is heard I will be forwarding this to the chairman's office because the dsl checker is part of BT's network and should be responsible for keeping it secure like they do with their main site.
All it would take them to resolve the issues is about 20 mins if that.
One of the sites that I run which I including in one of the links use to be rated D to F when I was unaware of all the issues and after 20 to 30 mins of me not being a Linux Guy I now have it rated at A and A+.
So surely they tech people responsible to maintain those servers would have the knowledge to keep it up to date.
They are not even using the latest protocols and the ones they do have exploits or on their way out like TLS1.0
Maybe the tech people in question are the same support people that BT were currently using which are located overseas LOL
Paul
BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
|
|
|
The certificate problem is the sha1 hash.
The ciphers used are independent of the certificate and is how their web server is configured.
There is more problems tho.
The ssl libraries have not been patched for over a year, so its vulnerable to things like POODLE, no forward secrecy support in mainstream browsers, no TLS 1.2 support, its preferred cipher is 3DES which was favoured in windows XP and IE6 days. As I said before typical of a large company, the server itself has probably been untouched for several years. It also still has sslv3 enabled.
Edited by Chrysalis (Tue 21-Feb-17 06:06:27)
|
|
|
The certificate problem is the sha1 hash.
The ciphers used are independent of the certificate and is how their web server is configured.
There is more problems tho.
The ssl libraries have not been patched for over a year, so its vulnerable to things like POODLE, no forward secrecy support in mainstream browsers, no TLS 1.2 support, its preferred cipher is 3DES which was favoured in windows XP and IE6 days. As I said before typical of a large company, the server itself has probably been untouched for several years. It also still has sslv3 enabled.
Wasn't that was I already said in my posts, but yeah, I agree with them not touching their server for a long time.
OpenSSL has been patched many times over the last several years, theirs hasn't, the security status of SSL3 was posted many years ago and was advised to disable it and use TLS and newer versions of TLS like version TLSv1.2 and soon to be TLSv1.3, TLSv1.0 is on its way out due to some security issues.
The SHA1 (128 bit) has is insecure due to all hashes are known just like MD5 so that's why its throwing an issue with SHA1.
Well I have still yet to hear anything from my Email and any of my Tweets sent to various BT sections, even with physical evidence handed to them there has been no response as yet.
Also I think they are holding off until June because the Cert expires on Mon, 12 Jun 2017 23:59:59 UTC (expires in 3 months and 22 days) its still not right and they should still resolve the rest of the issue now.
Paul
BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
Edited by PaulKirby (Tue 21-Feb-17 19:53:13)
|
|
|
I hope you sent them from a mobile data link, not your FTTP connection ....
[chuckle] LOL
Kindness isn't going to cure the world of all its awfulness but it's a good place to begin. Daisy Ridley.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. Sync 65258/14193Kbps @ 600m. BQMs - IPv4 & IPv6
|
|
|
I hope you sent them from a mobile data link, not your FTTP connection ....
[chuckle] LOL
LOL, you know what, my Sister said the exact same when I told her last night.
Paul
BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
|
|
|
Yes, she and I agree on quite a lot.
.
.
.
.
.
.
.
.
.
Kindness isn't going to cure the world of all its awfulness but it's a good place to begin. Daisy Ridley.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. Sync 65258/14193Kbps @ 600m. BQMs - IPv4 & IPv6
|
|
|
|
MrSaffron should take this action against BT. But, I think he wouldn't bothered.
|
|
|
Yes, she and I agree on quite a lot.
.
.
.
.
.
.
.
.
.

LOL
Paul
BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
|
|
|
MrSaffron should take this action against BT. But, I think he wouldn't bothered.
Well I am giving them until the weekend and if nothing has happened by then I will be notifying the Chairman's Office.
Hopefully they will get it sorted.
It just makes me laugh really, BT post loads of tweets about security and scam emails an phone calls and one of their own servers have a security hole.
Now what is scary is suppose a hacker managed to gain access to said server due to all the security holes.
Now there is nothing stopping that said hacker from gaining access to the database which may or may not have all our information like address, phone number account information including our email address used on our BT account.
Now suppose they have said above information, there is nothing stopping them from sending us scam emails, these emails would seem legit due to they originating from one of BT's Mail Servers.
So this really needs to be resolved and the security whole closed before any of this could happen.
Maybe I am paranoid, but if BT are that sloppy in keeping that server up to date and secure, who knows what lack of security internally.
This can and does end up in mail servers being black listed.
Paul
BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
Edited by PaulKirby (Tue 21-Feb-17 22:52:16)
|
|
|
yes I meant the libraries on their server.
When the cert expires the new one will be sha256, as sha1 certs are no longer allowed to be issued.
Edited by Chrysalis (Wed 22-Feb-17 06:52:26)
|
|
|
yes I meant the libraries on their server.
Ah, ok.
When the cert expires the new one will be sha256, as sha1 certs are no longer allowed to be issued.
Well it depends on where you get your certs from, I can as far as I know still request verified certificate with a signature hash algorithm of sha1, not that I would do that.
I know I made a mistake about a year ago when I typed in sha1 instead of sha256 and they issued them fine, I then started playing with other flags like key sizes to see how high I could get it before they moaned, got bored at 32768 Bit keys, plus I didn't want to annoy the issuer
Paul
BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
|
|
|
Well I received the following tweet reply from BTCare:
Hi Paul, thanks for that. I'll pass this info on up the chain ^Ronan
I bet it doesn't go any further.
An update...
After a chat via DM (Private Chat)
Thanks for that Paul,
I've passed that onto BT security to investigate.
We appreciate the heads up
Ronan
One thing I did notice just now is that they have disabled SSL3, so that's a small part resolved, so maybe they are working on it.
So now they just need to do all the security updates on the server, update the security suit to use TLS 1.2 as default and fall back to TLS 1.1.
Then just renew the certificate with a signature hash of SHA256 or better and it should be done
Oh and top of that I now have another follower
Paul
BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
Edited by PaulKirby (Wed 22-Feb-17 09:42:03)
|
|
|
still the same.
Your connection is not secure
The owner of www.dslchecker.bt.com has configured their web site improperly. To protect your information from being stolen, Firefox has not connected to this web site.
Learn more�
Report errors like this to help Mozilla identify and block malicious sites
|
|
|
still the same.
Your connection is not secure
The owner of www.dslchecker.bt.com has configured their web site improperly. To protect your information from being stolen, Firefox has not connected to this web site.
Learn more�
Report errors like this to help Mozilla identify and block malicious sites
Yep, well this might take time due to it being pass onto the security team.
The sad and worrying thing is if the security team passes it onto the numbnuts that is responsible for looking after that said server who thinks the server is secure.
That's fine, they still have a few days yet before I send that email.
Ok, I have just set another private tweet to BT asking if there was any response from their security team and that if it doesn't get resolved by the 27th (this Monday) I will be notifying the chairman's office and let his office deal with the issue.
I normally get a phone call when dealing with his office and it would be much easier to explain on the phone.
But I have a feeling that it still won't be resolved.
Paul
BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
|
|
|
I hope you sent them from a mobile data link, not your FTTP connection ....
[chuckle] LOL
I just realised even if I did use my mobile data, BT would still know its me because I am with T-Mobile, which is owned by EE and guess who owns EE, yep you guessed it BT.
Paul
BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
|
|
|
Well aside from BT changing the TLS certificate to one that's more secure, it's also very poor that the http version of the checker does not automatically 301 redirect to the https version.
Oliver.
|
|
|
Well aside from BT changing the TLS certificate to one that's more secure, it's also very poor that the http version of the checker does not automatically 301 redirect to the https version.
The redirect would be set in the equivalent to Virtual Host if they were using Apache, however its Oracle which is based off Apache.
Or they could use .htaccess to auto redirect I have used both on my sites before.
Paul
BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
|
|
|
|
Any latest on this please?
Still the same on firefox, google chrome not secure! It's seem BT haven't fixed it.
|
|
|
Any latest on this please?
Still the same on firefox, google chrome not secure! It's seem BT haven't fixed it.
IE and Edge also says its not secure in their console via the development tools section.
As for anything being done yet.
Nope, no change, I know I was at one point in contact with BT over this.
BT have also told me notifying the Chairman's Office wouldn't solve anything due to it would get forwarded to the same Security Team.
So they now have until the 6th to resolve the issue or I will send those emails.
Maybe they are commissioning a new server and we all know how long BT takes to commission stuff don't we
As to the state of that actual server, we already know that it hasn't had any security updates for at least several years, so the OS its using is also probably out of date too and where some of the security updates can and do require an up to date version of the OS.
So what started as just a security update now requires a full OS upgrade, might just be better to install a new server install all the required software etc and once completed just swap them over, and job done.
Paul
BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
|
|
|
|
Perhaps it isn't a big issue from their perspective. Maybe it doesn't matter to them that it is insecure. Not knowing how they have it setup it may be a standalone server with no actual sensitive data on it and it could be sitting in it's own firewalled DMZ with NAC/NAP protecting the network. If they install it that way then whilst someone could compromise that server they wouldn't be able to do anything particularly significant.
Now, chances are it isn't like that and there are probably other servers in that DMZ and it may have a connection back to a database in the core network - but you cannot assume that is definitely the case.
Also, they may have a large number of IT projects in train and may have to prioritise which ones they are working on - therefore depending on the level of risk this may just not be top of the list.
|
|
|
Or just withdraw it from public availability.
For which none if us would thank the complainers. All the site sees from me is my IP address, just like any other. Incidentally I'm getting no objection from IE 11 on Windows 10 on two machines, one with Kaspersky and one with Norton, or Safari on an iPad.
It appears that CPs may be able to get further information via an account-related entry point. Those CPs one would expect to be entering on a more secure login.
...
BT Wholesale login is indeed https.
Kindness isn't going to cure the world of all its awfulness but it's a good place to begin. Daisy Ridley.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. Sync 65258/14193Kbps @ 600m. BQMs - IPv4 & IPv6
Edited by RobertoS (Wed 01-Mar-17 10:29:45)
|
|
|
Or just withdraw it from public availability.
For which none if us would thank the complainers. All the site sees from me is my IP address, just like any other. Incidentally I'm getting no objection from IE 11 on Windows 10 on two machines, one with Kaspersky and one with Norton, or Safari on an iPad.
IE and Edge on Windows 10 does moan about it, but not a on the main screen, to see the warning message you need to go into the "F12 Developer Tools" section and then the "Console Tab" then refresh the page an you will see it pop up on the console window.
So Edge and IE are having the insecure issue as Chrome and Firefox, the only difference is that IE and Edge don't stop your browser.
It appears that CPs may be able to get further information via an account-related entry point. Those CPs one would expect to be entering on a more secure login.
...
BT Wholesale login is indeed https.
If they are accessing the same server then their login will be as insecure as everyone else's.
But I am sure they use a different sub domain for them to login, which might be a different server and use a different CERT.
But we are talking about BT here.
Paul
BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
|
|
|
https://www.btwholesale.com/portalzone/login/forceLoadLogin.do
http://www.dslchecker.bt.com/adsl/adslchecker.welcome
Kindness isn't going to cure the world of all its awfulness but it's a good place to begin. Daisy Ridley.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. Sync 65258/14193Kbps @ 600m. BQMs - IPv4 & IPv6
|
|
|
Or just withdraw it from public availability.
Hope not. Max would get withdrawal.
|
|
|
It's a distinct possibility I'm afraid. Ten minutes work.
I'm quite worried by people on this forum pursuing the (non-)issue.
Kindness isn't going to cure the world of all its awfulness but it's a good place to begin. Daisy Ridley.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. Sync 65258/14193Kbps @ 600m. BQMs - IPv4 & IPv6
|
|
|
https://www.btwholesale.com/portalzone/login/forceLoadLogin.do
http://www.dslchecker.bt.com/adsl/adslchecker.welcome
Yeah, the wholesale site is using a good CERT, shown below:
[Connection]
Protocol: TLS 1.2
Key Exchange: ECDHE_RSA
Key Exchange Group: P-256
Cipher: AES_128_GCM
Signature hash algorithm: sha256 <-- This was the main issue on the dslchecker site where it was SHA1.
Public Key: RSA (2048 Bits)
So all good there.
The security of the server is rated as B because of the following:
This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B. MORE INFO »
This server accepts RC4 cipher, but only with older browsers. Grade capped to B. MORE INFO »
RC4 on that server needs resolving, Cipher Suites needs tweaking along with some minor stuff, but apart from that the server isn't that bad.
So if they resolved the RC4 issue and the minor tweaks that server would be rated A.
Now would I use that server, I probably would, but I would disable all the non secure Cipher client side (if I haven't already) that would force them to use another one you and the server have available.
Paul
BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
|
|
|
Or just withdraw it from public availability.
Hope not. Max would get withdrawal.
LOL
Paul
BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
|
|
|
It's a distinct possibility I'm afraid. Ten minutes work.
It could take just over that to resolve the issue.
I'm quite worried by people on this forum pursuing the (non-)issue.
I wouldn't say its a non issue, it has security issue on the actual server, and its using an insecure certificate which needs to be fixed, maybe its my OCD kicking in again.
The CERT expires in June so the CERT issue will be resolved then, I am guessing the server "might" be done then.
TBH I haven't really used that site for a few months now, so if they didn't fix the ISSUES on that server its no Biggy, the information on there wasn't that correct anyway.
If I really wanted to get the average fibre speed for a line I would just use the Where and when page.
Paul
BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
Edited by PaulKirby (Wed 01-Mar-17 12:04:02)
|
|
|
|
The other thing to consider is that the server has used that cert and those settings probably for a long time. If it wasn't hit before now what makes it suddenly a target - just because now Google/etc tell people it isn't secure doesn't make it any less secure than it was 6 months ago.
|
|
|
Considering the collision exploit that set this whole thing off has only just been carried out in practise at a cost of $7.4m I'd tend to agree with you...
http://www.networkworld.com/article/3173701/security...
|
|
|
|
So it is possible but difficult.
Also, the next question I would pose - if it was not HTTPS at all then would it matter? If the pages were published with no encryption what would anyone watching the traffic find out - I'm thinking not a lot. They could remove the certificate and publish as HTTP and still not be giving away any particularly sensitive data.
|
|
|
All major browser are saying this, not just Chrome.
The issue is where the hashing that their CERT uses (i.e. SHA1) and also that TLS 1.0 is old about to be obsolete and has known security issues.
But yeah its possibly been like that for a while now, its just that our browsers have been updated to notify the users that its not secure and why, which is true and possibly future browser updates will no longer use the obsolete SHA1 hashing and TLS 1.0.
And when that happens nobody will be able to access that site.
Well unless they use the HTTP version or ignore the popup notice.
But my guesses is that it will be resolved in Jun when they renew their CERT which will have SHA256 or better for their hashing.
Paul
BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
|
|
|
So it is possible but difficult.
Also, the next question I would pose - if it was not HTTPS at all then would it matter? If the pages were published with no encryption what would anyone watching the traffic find out - I'm thinking not a lot. They could remove the certificate and publish as HTTP and still not be giving away any particularly sensitive data.
This is true, however any personal information is sensitive data in a way, not as sensitive as credit card information or passwords etc.
TBH I consider my Phone Number and Address sensitive information due to we are ex-directory.
So no I wouldn't use a site that doesn't use a secure site if I am submitting private information.
But saying that, these forums if I recall uses HTTP when you login, but in this case I am using non secure information.
But we will see what happens in June to see whether they renew the CERT or not.
Paul
BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
Edited by PaulKirby (Wed 01-Mar-17 14:35:14)
|
|
|
All major browser are saying this, not just Chrome.
Hence my OP says "Google/etc". The etc was covering the others.
|
|
|
All major browser are saying this, not just Chrome.
Hence my OP says "Google/etc". The etc was covering the others.
Ah, ok.
But you are right about it not making it less secure than it was six months ago, its been insecure for many years going by the missing security patches, it was just that we was unaware of it.
Paul
BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
|
|
|
Considering the collision exploit that set this whole thing off has only just been carried out in practise at a cost of $7.4m I'd tend to agree with you...
How we got here:
We have known for more than 10 years that SHA-1 is weaker than intended. The result of this weakness is that eventually, using the same approach as in Google's Proof Of Concept this week, bad guys would be able to make two documents which SHA-1 treated as the same, if the documents were SSL certificates instead of PDF files, this would enable bad guys to present one certificate to be signed, but then actually use the signature on a different certificate. Like if you got some fool to sign a blank cheque.
This really happened for SHA-1's predecessor, MD5, academic researchers got themselves a bogus certificate this way in 2008, and James Bond types seem to have done it again in the "Flame" malware program which has a fake Microsoft certificate. Both were MD5 which we knew should have been phased out but it wasn't for ages.
By 2014 it was apparent that this would happen soon for SHA-1 too. Certificate Authorities agreed to stop issuing all SHA-1 certificates before 2016, and Browser vendors agreed to stop accepting these certificates in 2017.
The idea was that if you can't get a new certificate, you can't use the attack (you can't use this attack on an existing certificate, it's just a way to trick people when issuing a new one), and if browsers stop trusting the certificates, there will be no incentive to break the rules and issue one anyway. During 2016 we had a few dozen incidents where we caught CAs issuing old SHA-1 certificates "by mistake" and some got in lots of hot water for it, but overall things went pretty well.
So, the DSL checker site isn't "more vulnerable" per se as a result of this old SHA-1 certificate, but we had to mark it as untrusted or else the whole web is effectively left vulnerable. It's like the way Australia was really angry about Johnny Depp's dogs. _Those_ dogs were probably fine on their own, but Australia needs strict rules to protect the weird Australian native wildlife, so it can't just let people disobey the rules like it's no big deal.
BT will have been told, repeatedly, by their vendors to fix this, most certificate vendors offered free re-issues to anyone who might be affected. But I guess no-one at BT cared.
|
|
|
Well it depends on where you get your certs from, I can as far as I know still request verified certificate with a signature hash algorithm of sha1, not that I would do that.
I know I made a mistake about a year ago when I typed in sha1 instead of sha256 and they issued them fine, I then started playing with other flags like key sizes to see how high I could get it before they moaned, got bored at 32768 Bit keys, plus I didn't want to annoy the issuer 
If your certificates come from a public CA (ie they'd be trusted in somebody's web browser) then lots of people would be very interested in seeing a SSL/TLS certificate issued "a year ago" (or today) using SHA1 because this would be a violation of root programme policy and of the Baseline Requirements.
Of course if "a year ago" actually means "It might have been 2015", or if your issuer is only trusted in some poxy local system, like at a bank or somewhere else that doesn't take security as seriously as the Web does then never mind.
|
|
|
So Edge and IE are having the insecure issue as Chrome and Firefox, the only difference is that IE and Edge don't stop your browser. I just went in using Chrome with no problem.
Kindness isn't going to cure the world of all its awfulness but it's a good place to begin. Daisy Ridley.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. Sync 65258/14193Kbps @ 600m. BQMs - IPv4 & IPv6
|
|
|
Well it depends on where you get your certs from, I can as far as I know still request verified certificate with a signature hash algorithm of sha1, not that I would do that.
I know I made a mistake about a year ago when I typed in sha1 instead of sha256 and they issued them fine, I then started playing with other flags like key sizes to see how high I could get it before they moaned, got bored at 32768 Bit keys, plus I didn't want to annoy the issuer 
If your certificates come from a public CA (ie they'd be trusted in somebody's web browser) then lots of people would be very interested in seeing a SSL/TLS certificate issued "a year ago" (or today) using SHA1 because this would be a violation of root programme policy and of the Baseline Requirements.
Of course if "a year ago" actually means "It might have been 2015", or if your issuer is only trusted in some poxy local system, like at a bank or somewhere else that doesn't take security as seriously as the Web does then never mind.
Well mine are from a Verified CA, but also remember being able to select SHA1 hash signing when I was requesting the first CERT, lucky I was able to change it.
I just checked the command line args and its no longer has the hash signing args there, the rsa key size args are still there which it should be.
So maybe they realised they hadn't updated it and now its changed.
The issuer of my CERTS are Authority X3 level and its issuer is listed as CA X3.
It was either end of 2015 or start / mid 2016 that I got my first CERT.
Paul
BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
|
|
|
So Edge and IE are having the insecure issue as Chrome and Firefox, the only difference is that IE and Edge don't stop your browser. I just went in using Chrome with no problem.
Well mine stopped me with a popup saying this site isn't secure and gave you an opting to ignore the warning and enter the site.
I told it to ignore the warning and also ticked the box and it now lets me in every time but still says in the URL bar "Not secure" in red text.
Paul
BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
|
|
|
Nothing like that. Zilch.
Version 56.0.2924.87
Google Chrome is up to date
Edit: Ah - wait ...
Edit 2: The contents of the URL bar start with a small circle containing the letter "i". Pure black and white. Nothing to raise alarm.
Clicking it gives a low-key warning that the site isn't secure, with a "Learn more" button.
That button merely says the link is not secure, saying the URL starts with http. It then recommends to try altering it to https, and if that doesn't work to contact the site owners and request them to secure the link.
Nothing about the greater security and certificate issues that are being discussed in the thread.
Kindness isn't going to cure the world of all its awfulness but it's a good place to begin. Daisy Ridley.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. Sync 65258/14193Kbps @ 600m. BQMs - IPv4 & IPv6
Edited by RobertoS (Wed 01-Mar-17 17:52:49)
|
|
|
Your viewing the non secure version of the dsl checker.
Now try: https://www.dslchecker.bt.com/ which is what we are on about.
Paul
BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
|
|
|
Are you sure that's what the OP was on about? I shall reply to him asking  .
Edit: But yes, now I see. In Chrome but not IE11.
Kindness isn't going to cure the world of all its awfulness but it's a good place to begin. Daisy Ridley.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. Sync 65258/14193Kbps @ 600m. BQMs - IPv4 & IPv6
Edited by RobertoS (Wed 01-Mar-17 18:50:03)
|
|
|
Very odd as firefox, google, internet explorer told me to get out of this site, not connected to secure!
https://s16.postimg.org/hpzpb6erp/dslchecker.jpg Were you using
http://www.dslchecker.bt.com/adsl/adslchecker.welcome
or
https://www.dslchecker.bt.com/adsl/adslchecker.welcome
?
Kindness isn't going to cure the world of all its awfulness but it's a good place to begin. Daisy Ridley.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. Sync 65258/14193Kbps @ 600m. BQMs - IPv4 & IPv6
|
|
|
https://www.dslchecker.bt.com
also type in google site 'dsl checkers' and it come out at the top with https://www.dslchecker.bt.com
But now I am using this one instead: http://www.dslchecker.bt.com and it all working ok.
How to change google search to force to use this address instead: http://www.dslchecker.bt.com for future search?
Edited by adslmax (Wed 01-Mar-17 21:37:48)
|
|
|
Don't use google search. Simply favourite/bookmark the one that works.
Alternatively, come back to this post and click this link.
Kindness isn't going to cure the world of all its awfulness but it's a good place to begin. Daisy Ridley.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. Sync 65258/14193Kbps @ 600m. BQMs - IPv4 & IPv6
|
|
|
good idea, thanks robertos
|
|
|
On another subject I think the way chrome is programmed to handle the issue is quite bad now.
It displays a vague "not secure" message when in the past it would actually tell you whats wrong e.g. a weak cipher, as well as the cipher in use. Yet it doesnt blurt on about plain http been "not secure". So in that respect its misleading.
For one to actually get the information required from chrome now you have to open the developer tools which is pretty ridiculous just to see the cipher details and certificate.
|
|
|
Don't use google search. Simply favourite/bookmark the one that works.
Alternatively, come back to this post and click this link.
Don't take this the wrong way of anything.
Maybe its just the inner Software / Hardware Developer in me talking here or maybe my OCD, but that still doesn't resolve the fact that the SSL side of that site is insecure and that the server has loads of bad security holes in it that really need to be fixed.
And burying your head in the sand by using the non SSL version (i.e. HTTP) of the checker isn't resolving anything apart from stopping the "Not secure" from being displayed.
The SSL side of that site was so that we can enter our information in securely without the man in the middle peeking at our information.
Anyway that's my rant over on this subject.
Paul
BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
|
|
|
TBH I have never liked Chrome, but due to what I do I have to cater for it
Paul
BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
|
|
|
Not a problem Paul.
My concern is not for the BT Wholesale server as a whole, but simply for the continuing availability of this facility to the public.
It is hugely important to the central purposes of this site that it continues.
By hammering BT in the way that has been suggested in this thread, including the possibility of attacking the server and bringing it down, the danger of the facility being simply withdrawn becomes extremely high.
I wish everyone would simply desist. I'm sure the messages to BT that posters here have sent will have been noted. As has been posted a few times, when the certificate is renewed in the near future the issue should be resolved.
Kindness isn't going to cure the world of all its awfulness but it's a good place to begin. Daisy Ridley.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. Sync 65258/14193Kbps @ 600m. BQMs - IPv4 & IPv6
|
|
|
I just checked the command line args and its no longer has the hash signing args there, the rsa key size args are still there which it should be.
So maybe they realised they hadn't updated it and now its changed.
The issuer of my CERTS are Authority X3 level and its issuer is listed as CA X3.
It was either end of 2015 or start / mid 2016 that I got my first CERT.
Let's Encrypt, the issuer you're talking about, literally hasn't ever offered SHA1 certificates. So, your memory is playing tricks on you. But thanks for checking.
|
|
|
when the certificate is renewed in the near future the issue should be resolved.
Well that would be a huge part resolved, but the server would still need to have all the security patches installed to close up all the holes and some tweaks to the Protocols used (disable SSL3, Enable TLS1.1, TLS1.2) and tweak the Cipher Suits to the changed Protocols and that's it.
If BT don't at least do the tweaks the secure side of things would just stop working due to TLS1.0 is just for testing stuff now days and is due to be retired and the server should really be using TLS1.2 first, then fall back to TLS1.1 and then just return back that it has failed to pick a protocol.
BTW all these tweaks only require editing a config file and that's it, plugging the holes would require stuff being installed, but if the tweaks are done it might remove the need to do most of the patches due to the software with the holes are disabled.
But at least the info we send would be securely encrypted.
As for the site to continue, I also wish this, that's why I have only contacted BT the once via twitter.
I was hoping that would of gotten the ball rolling, maybe it has but they have other stuff to do first and where the CERT is due for renewal they might of decided to do it all then.
Paul
BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
|
|
|
Let's Encrypt, the issuer you're talking about, literally hasn't ever offered SHA1 certificates. So, your memory is playing tricks on you. But thanks for checking.
Yeah, its possible, I did try loads of CA's over the years before ending up with Let's Encrypt.
So I might of seen somewhere SHA1 being used by one of the others along with their huge prices.
Paul
BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
|
|
|
I knew I remembered this thread. Glad I found it again..
I was just going to run a dsl number check and got the same issue as you guys. Insecure Connection warning. It's on FF, Chrome and Opera.
This thread as been going for a few weeks and still no change. A tech company that BT/OR is supposed to be, they really need to be leading the industry, not lagging behind.. smh
Demon => Freeserve => Pipex => Be => Sky => BT Infinity 2
|
|
|
I think people are using a link that they aren't supposed to be using:
All requests for the HTML version of the availability checker should be made to:
http://www.dslchecker.bt.com/adsl/adslchecker.welcome
|
|
|
That worked!
I entered in to google bt dsl checker and the address https://www.dslchecker.bt.com/ comes up. I guess thats a site root page or something.
Demon => Freeserve => Pipex => Be => Sky => BT Infinity 2
|
|
|
LOL
That's the one that has been in my "Useful links" list since 2009.
Kindness isn't going to cure the world of all its awfulness but it's a good place to begin. Daisy Ridley.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. Sync 65702/13958Kbps @ 600m. BQMs - IPv4 & IPv6
|
|
|
I need to bookmark it lol.
Hmm.. I updated FF and now on the login page of this site its saying its not secure.. I signed in anyways.
Demon => Freeserve => Pipex => Be => Sky => BT Infinity 2
|
|
|
I need to bookmark it lol.
Hmm.. I updated FF and now on the login page of this site its saying its not secure.. I signed in anyways. Easier to bookmark the link  . That was the reason I set up the site in the first place, for my own use. And back then always typing nearly the same thing several times a day to explain things to people. So the information pages saved me a lot of work.
The site has badly needed updating for a while  . (So have I [sad]).
Kindness isn't going to cure the world of all its awfulness but it's a good place to begin. Daisy Ridley.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. Sync 65702/13958Kbps @ 600m. BQMs - IPv4 & IPv6
|
|
|
Sorry to keep updating this thread. But the unsecured 'bug' does seem to be a real thing as its even showing on the BT website as unsecured.
I suspect its the latest security measures the browsers are doing.
Demon => Freeserve => Pipex => Be => Sky => BT Infinity 2
|
|
|
Sorry to keep updating this thread. But the unsecured 'bug' does seem to be a real thing as its even showing on the BT website as unsecured.
I suspect its the latest security measures the browsers are doing.
The main BT site is secure as far as I can see, not done full tests yet, as far as I can see the main BT site is showing it as unsecure due to having HTTP content on it, so its mixed HTTPS and HTTP.
�Valid Certificate
The connection to this site is using a valid, trusted server certificate.
[View certificate]
� Secure Connection
The connection to this site is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA with P-256), and a strong cipher (AES_128_GCM).
� Mixed Content
The site includes HTTP resources.
Reload the page to record requests for HTTP resources.
That's for URL: https://home.bt.com/
Paul
BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
|
|
|
Just a heads up, BT have now resolved the security issue on their DSL Checker Site.
Not really sure when this actually happened, I just noticed it today.
It now gets an A- Rating which is good.
Paul
|