General Discussion
  >> Fibre Broadband


Register (or login) on our website and you will not see this ad.


Pages in this thread: 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | >> (show all)   Print Thread
Standard User adslmax
(knowledge is power) Mon 20-Feb-17 00:04:51
Print Post

DSL Checker not secure?


[link to this post]
 
Very odd as firefox, google, internet explorer told me to get out of this site, not connected to secure!

https://s16.postimg.org/hpzpb6erp/dslchecker.jpg
Standard User PaulKirby
(knowledge is power) Mon 20-Feb-17 07:50:03
Print Post

Re: DSL Checker not secure?


[re: adslmax] [link to this post]
 
Well I am only getting it on Chrome, IE and Edge are fine.

Chrome says the following:
Obsolete Connection Settings
The connection to this site uses an obsolete protocol (TLS 1.0), a strong key exchange (ECDHE_RSA with P-256), and an obsolete cipher (AES_128_CBC with HMAC-SHA1).

So they need to recreate their Certs.

Tell a lie, Edge are flagging it just not showing a notifications apart from within the development tools.
SEC7132: The certificate protecting this website uses weak cryptography (SHA1). The website should replace this certificate with an SHA2 certificate before SHA1 is no longer allowed.

So yeah tongue

It seems noting has changed on the site Certificate wise, just that the browsers are now starting to moan about old versions of encryptions.

As far as I can see the cert was last updated on 14th April 2014 00:00:00 and will expire on 12th June 2017 23:59:59.

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
Standard User hypertony
(experienced) Mon 20-Feb-17 08:25:14
Print Post

Re: DSL Checker not secure?


[re: adslmax] [link to this post]
 
I mentioned it to BTCare Twitter on the other day - they say "it works fine" and nothing more. Think they don't fully understand...

- Tony Sutton
- Check out my Ford Focus ST170 site | View my Car's Dashcam Videos


Register (or login) on our website and you will not see this ad.

Standard User RobertoS
(elder) Mon 20-Feb-17 08:25:43
Print Post

Re: DSL Checker not secure?


[re: adslmax] [link to this post]
 
Probably this is the reason. It's asking for phone number and/or address.

Kindness isn't going to cure the world of all its awfulness but it's a good place to begin. Daisy Ridley.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. Sync 65258/14193Kbps @ 600m. BQMs - IPv4 & IPv6

Edited by RobertoS (Mon 20-Feb-17 08:26:35)

Standard User Chrysalis
(legend) Mon 20-Feb-17 08:49:13
Print Post

Re: DSL Checker not secure?


[re: hypertony] [link to this post]
 
just wait till it gets blocked, suddenly it will get fixed overnight, its how these large companies work, security is always deemed as "unneeded expense and manpower".

Sky Fibre Pro BQM - IPv4 BQM - IPv6
Standard User ukhardy07
(knowledge is power) Mon 20-Feb-17 10:13:46
Print Post

Re: DSL Checker not secure?


[re: Chrysalis] [link to this post]
 
BT have a full internal pentest team and generally spend a fair bit. I'm surprised it hasn't been dealt with already.
Standard User deleted
(deleted) Mon 20-Feb-17 11:43:31
Print Post

Re: DSL Checker not secure?


[re: Chrysalis] [link to this post]
 
Large companies are made up of lots of individual people. The ones who set, or change security policy are a long way from the people who renew certificates.

This is more likely on the Gantt chart of some individual project manager, for some individual support engineer to work on, based on the expiry date.

It will change from unimportant to vital overnight, when the appropriate day rolls on.

If browsers start to block users early, then that job will be bumped up, so I agree with that. A smart support engineer will then trigger other certificates to be checked, but that probably depends on the experience level of the individual who gets allocated the job when it turns up.
Standard User Chrysalis
(legend) Mon 20-Feb-17 13:35:15
Print Post

Re: DSL Checker not secure?


[re: ukhardy07] [link to this post]
 
they not doing a great job then as I have come across various issues on BT hosted sites over the years, issues that should be extremely basic to pick up by any experienced security bod.

Sky Fibre Pro BQM - IPv4 BQM - IPv6
Standard User Chrysalis
(legend) Mon 20-Feb-17 13:36:52
Print Post

Re: DSL Checker not secure?


[re: deleted] [link to this post]
 
an example is tesco, sometime a year or two ago, I couldnt access a page which prevented me doing an order, when I rang up the guy said tesco were aware already a few months back of the problem but they were not aware chrome started blocking their website, of course once they was aware of the latter it got fixed pretty quickly before it started affecting the bottom line.

Sky Fibre Pro BQM - IPv4 BQM - IPv6
Standard User PaulKirby
(knowledge is power) Mon 20-Feb-17 18:18:59
Print Post

Re: DSL Checker not secure?


[re: RobertoS] [link to this post]
 
In reply to a post by RobertoS:
Probably this is the reason. It's asking for phone number and/or address.

Its not that.
Their HTTPS Certificate is using TLS 1.0 which is old and not as secure as 1.1 and 1.2.
Edge reported it as not secure due to using TLS 1.0, the page was encrypted but not secure as it could be.

Basically its not the RSA Certificate its how they have setup the SSL side of their server.

Let me run some tests to do with how secure their site is and I will get back.

*** update ***
I just run some Security Checks on the dsl checker and it fails the tests.

They even have SSL3 which has exploits and should never be used.
They get a rating of F where as it should have a rating of A or A+

This is a rating of one of my sites, as you will see its rated A+

I will email one of the people I have spoken to at BT Wholesale.

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest

Edited by PaulKirby (Mon 20-Feb-17 18:28:03)

Standard User adslmax
(knowledge is power) Mon 20-Feb-17 18:29:54
Print Post

Re: DSL Checker not secure?


[re: PaulKirby] [link to this post]
 
I have inform BT about this. They say it all working fine, all fixed. But I don't think they never understand the dslchecker still not secure on firefox and google chrome.

Internet Explorer are working fine.
Standard User PaulKirby
(knowledge is power) Mon 20-Feb-17 19:25:43
Print Post

Re: DSL Checker not secure?


[re: adslmax] [link to this post]
 
In reply to a post by adslmax:
I have inform BT about this. They say it all working fine, all fixed. But I don't think they never understand the dslchecker still not secure on firefox and google chrome.

Internet Explorer are working fine.

Yes IE and Edge do work fine, but if you open up the developer tools and check the console messages you will see the warning.

SEC7132: The certificate protecting this website uses weak cryptography (SHA1). The website should replace this certificate with an SHA2 certificate before SHA1 is no longer allowed.
www.dslchecker.bt.com

I have sent a very detailed email of the issue and what exploits they webservers are vulnerable to that could gain the attacker access to the server in question itself and then access to all the database servers that server has access to.

I have also told them they can contact me for more information if needed and also if this security blunder isn't resolved within a reasonable time I will be contacting the Chairman's office due to our private information like address and phone number, mu phone number is ex-directory and a hacker would have access to both information breaking the privacy act.

The sad thing is they have no clue what they are doing, they webserver is vulnerable to the SSL3 POODLE Exploit, if you are unaware of that exploit do a google search.

I am about to sent BT a tweet with an image of the vulnerable areas, maybe this approach will get it resolved.

*** update ***
Tweets sent.

Also its only the DSL Checker that is insecure with all the exploits, the main BT Site (i.e. https://home.bt.com) has a rating of A, its not perfect but its secure.

Lets now see what becomes of it tongue
I bet I get told to remove my Tweets due to it exposes what its vulnerable to.

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest

Edited by PaulKirby (Mon 20-Feb-17 20:09:56)

Standard User adslmax
(knowledge is power) Mon 20-Feb-17 22:18:14
Print Post

Re: DSL Checker not secure?


[re: PaulKirby] [link to this post]
 
I post this to PN forum as someone deleted my post by PN staff. Disgusted because PN are the isp can report this to BTWholesale of dslchecker not secure.

I was surprise no one from many isp's can see this and doesn't want to get involved.

Edited by adslmax (Mon 20-Feb-17 22:20:18)

Standard User PaulKirby
(knowledge is power) Mon 20-Feb-17 23:28:53
Print Post

Re: DSL Checker not secure?


[re: adslmax] [link to this post]
 
In reply to a post by adslmax:
I post this to PN forum as someone deleted my post by PN staff. Disgusted because PN are the isp can report this to BTWholesale of dslchecker not secure.

I was surprise no one from many isp's can see this and doesn't want to get involved.


Well that doesn't sound good frown

Well I am going to give BT 7 to 10 days to respond to my Email and Tweets and if nothing is heard I will be forwarding this to the chairman's office because the dsl checker is part of BT's network and should be responsible for keeping it secure like they do with their main site.

All it would take them to resolve the issues is about 20 mins if that.

One of the sites that I run which I including in one of the links use to be rated D to F when I was unaware of all the issues and after 20 to 30 mins of me not being a Linux Guy I now have it rated at A and A+.

So surely they tech people responsible to maintain those servers would have the knowledge to keep it up to date.

They are not even using the latest protocols and the ones they do have exploits or on their way out like TLS1.0

Maybe the tech people in question are the same support people that BT were currently using which are located overseas LOL

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
Standard User Chrysalis
(legend) Tue 21-Feb-17 06:05:22
Print Post

Re: DSL Checker not secure?


[re: adslmax] [link to this post]
 
The certificate problem is the sha1 hash.

The ciphers used are independent of the certificate and is how their web server is configured.

There is more problems tho.

The ssl libraries have not been patched for over a year, so its vulnerable to things like POODLE, no forward secrecy support in mainstream browsers, no TLS 1.2 support, its preferred cipher is 3DES which was favoured in windows XP and IE6 days. As I said before typical of a large company, the server itself has probably been untouched for several years. It also still has sslv3 enabled.

Sky Fibre Pro BQM - IPv4 BQM - IPv6

Edited by Chrysalis (Tue 21-Feb-17 06:06:27)

Standard User PaulKirby
(knowledge is power) Tue 21-Feb-17 19:50:23
Print Post

Re: DSL Checker not secure?


[re: Chrysalis] [link to this post]
 
In reply to a post by Chrysalis:
The certificate problem is the sha1 hash.

The ciphers used are independent of the certificate and is how their web server is configured.

There is more problems tho.

The ssl libraries have not been patched for over a year, so its vulnerable to things like POODLE, no forward secrecy support in mainstream browsers, no TLS 1.2 support, its preferred cipher is 3DES which was favoured in windows XP and IE6 days. As I said before typical of a large company, the server itself has probably been untouched for several years. It also still has sslv3 enabled.

Wasn't that was I already said in my posts, but yeah, I agree with them not touching their server for a long time.

OpenSSL has been patched many times over the last several years, theirs hasn't, the security status of SSL3 was posted many years ago and was advised to disable it and use TLS and newer versions of TLS like version TLSv1.2 and soon to be TLSv1.3, TLSv1.0 is on its way out due to some security issues.

The SHA1 (128 bit) has is insecure due to all hashes are known just like MD5 so that's why its throwing an issue with SHA1.

Well I have still yet to hear anything from my Email and any of my Tweets sent to various BT sections, even with physical evidence handed to them there has been no response as yet.

Also I think they are holding off until June because the Cert expires on Mon, 12 Jun 2017 23:59:59 UTC (expires in 3 months and 22 days) its still not right and they should still resolve the rest of the issue now.

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest

Edited by PaulKirby (Tue 21-Feb-17 19:53:13)

Standard User RobertoS
(elder) Tue 21-Feb-17 19:52:04
Print Post

Re: DSL Checker not secure?


[re: PaulKirby] [link to this post]
 
I hope you sent them from a mobile data link, not your FTTP connection ....


[chuckle] LOL

Kindness isn't going to cure the world of all its awfulness but it's a good place to begin. Daisy Ridley.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. Sync 65258/14193Kbps @ 600m. BQMs - IPv4 & IPv6
Standard User PaulKirby
(knowledge is power) Tue 21-Feb-17 19:56:20
Print Post

Re: DSL Checker not secure?


[re: RobertoS] [link to this post]
 
In reply to a post by RobertoS:
I hope you sent them from a mobile data link, not your FTTP connection ....


[chuckle] LOL

LOL, you know what, my Sister said the exact same when I told her last night.

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
Standard User RobertoS
(elder) Tue 21-Feb-17 20:46:31
Print Post

Re: DSL Checker not secure?


[re: PaulKirby] [link to this post]
 
Yes, she and I agree on quite a lot.
.
.
.
.
.
.
.
.
.
wink

Kindness isn't going to cure the world of all its awfulness but it's a good place to begin. Daisy Ridley.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. Sync 65258/14193Kbps @ 600m. BQMs - IPv4 & IPv6
Standard User adslmax
(knowledge is power) Tue 21-Feb-17 21:40:39
Print Post

Re: DSL Checker not secure?


[re: PaulKirby] [link to this post]
 
MrSaffron should take this action against BT. But, I think he wouldn't bothered.
Standard User PaulKirby
(knowledge is power) Tue 21-Feb-17 22:12:31
Print Post

Re: DSL Checker not secure?


[re: RobertoS] [link to this post]
 
In reply to a post by RobertoS:
Yes, she and I agree on quite a lot.
.
.
.
.
.
.
.
.
.
wink

LOL

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
Standard User PaulKirby
(knowledge is power) Tue 21-Feb-17 22:14:22
Print Post

Re: DSL Checker not secure?


[re: adslmax] [link to this post]
 
In reply to a post by adslmax:
MrSaffron should take this action against BT. But, I think he wouldn't bothered.

Well I am giving them until the weekend and if nothing has happened by then I will be notifying the Chairman's Office.

Hopefully they will get it sorted.

It just makes me laugh really, BT post loads of tweets about security and scam emails an phone calls and one of their own servers have a security hole.

Now what is scary is suppose a hacker managed to gain access to said server due to all the security holes.

Now there is nothing stopping that said hacker from gaining access to the database which may or may not have all our information like address, phone number account information including our email address used on our BT account.

Now suppose they have said above information, there is nothing stopping them from sending us scam emails, these emails would seem legit due to they originating from one of BT's Mail Servers.

So this really needs to be resolved and the security whole closed before any of this could happen.

Maybe I am paranoid, but if BT are that sloppy in keeping that server up to date and secure, who knows what lack of security internally.

This can and does end up in mail servers being black listed.

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest

Edited by PaulKirby (Tue 21-Feb-17 22:52:16)

Standard User Chrysalis
(legend) Wed 22-Feb-17 06:50:44
Print Post

Re: DSL Checker not secure?


[re: PaulKirby] [link to this post]
 
yes I meant the libraries on their server.

When the cert expires the new one will be sha256, as sha1 certs are no longer allowed to be issued.

Sky Fibre Pro BQM - IPv4 BQM - IPv6

Edited by Chrysalis (Wed 22-Feb-17 06:52:26)

Standard User PaulKirby
(knowledge is power) Wed 22-Feb-17 07:14:03
Print Post

Re: DSL Checker not secure?


[re: Chrysalis] [link to this post]
 
In reply to a post by Chrysalis:
yes I meant the libraries on their server.

Ah, ok.

In reply to a post by Chrysalis:
When the cert expires the new one will be sha256, as sha1 certs are no longer allowed to be issued.

Well it depends on where you get your certs from, I can as far as I know still request verified certificate with a signature hash algorithm of sha1, not that I would do that.

I know I made a mistake about a year ago when I typed in sha1 instead of sha256 and they issued them fine, I then started playing with other flags like key sizes to see how high I could get it before they moaned, got bored at 32768 Bit keys, plus I didn't want to annoy the issuer tongue

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
Standard User PaulKirby
(knowledge is power) Wed 22-Feb-17 09:18:32
Print Post

Re: DSL Checker not secure?


[re: adslmax] [link to this post]
 
Well I received the following tweet reply from BTCare:
Hi Paul, thanks for that. I'll pass this info on up the chain ^Ronan

I bet it doesn't go any further.

An update...
After a chat via DM (Private Chat)
Thanks for that Paul,

I've passed that onto BT security to investigate.

We appreciate the heads up

Ronan

One thing I did notice just now is that they have disabled SSL3, so that's a small part resolved, so maybe they are working on it.

So now they just need to do all the security updates on the server, update the security suit to use TLS 1.2 as default and fall back to TLS 1.1.

Then just renew the certificate with a signature hash of SHA256 or better and it should be done smile

Oh and top of that I now have another follower tongue

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest

Edited by PaulKirby (Wed 22-Feb-17 09:42:03)

Standard User adslmax
(knowledge is power) Wed 22-Feb-17 18:33:29
Print Post

Re: DSL Checker not secure?


[re: PaulKirby] [link to this post]
 
still the same.

Your connection is not secure

The owner of www.dslchecker.bt.com has configured their web site improperly. To protect your information from being stolen, Firefox has not connected to this web site.

Learn more�

Report errors like this to help Mozilla identify and block malicious sites
Standard User PaulKirby
(knowledge is power) Wed 22-Feb-17 23:33:19
Print Post

Re: DSL Checker not secure?


[re: adslmax] [link to this post]
 
In reply to a post by adslmax:
still the same.

Your connection is not secure

The owner of www.dslchecker.bt.com has configured their web site improperly. To protect your information from being stolen, Firefox has not connected to this web site.

Learn more�

Report errors like this to help Mozilla identify and block malicious sites

Yep, well this might take time due to it being pass onto the security team.

The sad and worrying thing is if the security team passes it onto the numbnuts that is responsible for looking after that said server who thinks the server is secure.

That's fine, they still have a few days yet before I send that email.

Ok, I have just set another private tweet to BT asking if there was any response from their security team and that if it doesn't get resolved by the 27th (this Monday) I will be notifying the chairman's office and let his office deal with the issue.

I normally get a phone call when dealing with his office and it would be much easier to explain on the phone.

But I have a feeling that it still won't be resolved.

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
Standard User PaulKirby
(knowledge is power) Wed 22-Feb-17 23:35:58
Print Post

Re: DSL Checker not secure?


[re: RobertoS] [link to this post]
 
In reply to a post by RobertoS:
I hope you sent them from a mobile data link, not your FTTP connection ....


[chuckle] LOL


I just realised even if I did use my mobile data, BT would still know its me because I am with T-Mobile, which is owned by EE and guess who owns EE, yep you guessed it BT.

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
Standard User Oliver341
(eat-sleep-adslguide) Thu 23-Feb-17 11:50:24
Print Post

Re: DSL Checker not secure?


[re: PaulKirby] [link to this post]
 
Well aside from BT changing the TLS certificate to one that's more secure, it's also very poor that the http version of the checker does not automatically 301 redirect to the https version.

Oliver.
Standard User PaulKirby
(knowledge is power) Thu 23-Feb-17 12:20:39
Print Post

Re: DSL Checker not secure?


[re: Oliver341] [link to this post]
 
In reply to a post by Oliver341:
Well aside from BT changing the TLS certificate to one that's more secure, it's also very poor that the http version of the checker does not automatically 301 redirect to the https version.

The redirect would be set in the equivalent to Virtual Host if they were using Apache, however its Oracle which is based off Apache.
Or they could use .htaccess to auto redirect I have used both on my sites before.

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
Standard User adslmax
(knowledge is power) Tue 28-Feb-17 18:06:24
Print Post

Re: DSL Checker not secure?


[re: PaulKirby] [link to this post]
 
Any latest on this please?

Still the same on firefox, google chrome not secure! It's seem BT haven't fixed it.
Standard User PaulKirby
(knowledge is power) Wed 01-Mar-17 04:05:44
Print Post

Re: DSL Checker not secure?


[re: adslmax] [link to this post]
 
In reply to a post by adslmax:
Any latest on this please?

Still the same on firefox, google chrome not secure! It's seem BT haven't fixed it.

IE and Edge also says its not secure in their console via the development tools section.

As for anything being done yet.

Nope, no change, I know I was at one point in contact with BT over this.

BT have also told me notifying the Chairman's Office wouldn't solve anything due to it would get forwarded to the same Security Team.

So they now have until the 6th to resolve the issue or I will send those emails.

Maybe they are commissioning a new server and we all know how long BT takes to commission stuff don't we tongue

As to the state of that actual server, we already know that it hasn't had any security updates for at least several years, so the OS its using is also probably out of date too and where some of the security updates can and do require an up to date version of the OS.

So what started as just a security update now requires a full OS upgrade, might just be better to install a new server install all the required software etc and once completed just swap them over, and job done.

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
Standard User ian72
(eat-sleep-adslguide) Wed 01-Mar-17 07:55:46
Print Post

Re: DSL Checker not secure?


[re: PaulKirby] [link to this post]
 
Perhaps it isn't a big issue from their perspective. Maybe it doesn't matter to them that it is insecure. Not knowing how they have it setup it may be a standalone server with no actual sensitive data on it and it could be sitting in it's own firewalled DMZ with NAC/NAP protecting the network. If they install it that way then whilst someone could compromise that server they wouldn't be able to do anything particularly significant.

Now, chances are it isn't like that and there are probably other servers in that DMZ and it may have a connection back to a database in the core network - but you cannot assume that is definitely the case.

Also, they may have a large number of IT projects in train and may have to prioritise which ones they are working on - therefore depending on the level of risk this may just not be top of the list.
Standard User RobertoS
(elder) Wed 01-Mar-17 10:16:35
Print Post

Re: DSL Checker not secure?


[re: PaulKirby] [link to this post]
 
Or just withdraw it from public availability.

For which none if us would thank the complainers. All the site sees from me is my IP address, just like any other. Incidentally I'm getting no objection from IE 11 on Windows 10 on two machines, one with Kaspersky and one with Norton, or Safari on an iPad.

It appears that CPs may be able to get further information via an account-related entry point. Those CPs one would expect to be entering on a more secure login.
...
BT Wholesale login is indeed https.

Kindness isn't going to cure the world of all its awfulness but it's a good place to begin. Daisy Ridley.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. Sync 65258/14193Kbps @ 600m. BQMs - IPv4 & IPv6

Edited by RobertoS (Wed 01-Mar-17 10:29:45)

Standard User PaulKirby
(knowledge is power) Wed 01-Mar-17 11:09:47
Print Post

Re: DSL Checker not secure?


[re: RobertoS] [link to this post]
 
In reply to a post by RobertoS:
Or just withdraw it from public availability.

For which none if us would thank the complainers. All the site sees from me is my IP address, just like any other. Incidentally I'm getting no objection from IE 11 on Windows 10 on two machines, one with Kaspersky and one with Norton, or Safari on an iPad.

IE and Edge on Windows 10 does moan about it, but not a on the main screen, to see the warning message you need to go into the "F12 Developer Tools" section and then the "Console Tab" then refresh the page an you will see it pop up on the console window.

So Edge and IE are having the insecure issue as Chrome and Firefox, the only difference is that IE and Edge don't stop your browser.

In reply to a post by RobertoS:
It appears that CPs may be able to get further information via an account-related entry point. Those CPs one would expect to be entering on a more secure login.
...
BT Wholesale login is indeed https.

If they are accessing the same server then their login will be as insecure as everyone else's.
But I am sure they use a different sub domain for them to login, which might be a different server and use a different CERT.

But we are talking about BT here.

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
Standard User RobertoS
(elder) Wed 01-Mar-17 11:29:36
Print Post

Re: DSL Checker not secure?


[re: PaulKirby] [link to this post]
 
https://www.btwholesale.com/portalzone/login/forceLoadLogin.do
http://www.dslchecker.bt.com/adsl/adslchecker.welcome

Kindness isn't going to cure the world of all its awfulness but it's a good place to begin. Daisy Ridley.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. Sync 65258/14193Kbps @ 600m. BQMs - IPv4 & IPv6
Standard User deleted
(deleted) Wed 01-Mar-17 11:35:18
Print Post

Re: DSL Checker not secure?


[re: RobertoS] [link to this post]
 
In reply to a post by RobertoS:
Or just withdraw it from public availability.


Hope not. Max would get withdrawal.
Standard User RobertoS
(elder) Wed 01-Mar-17 11:42:24
Print Post

Re: DSL Checker not secure?


[re: deleted] [link to this post]
 
It's a distinct possibility I'm afraid. Ten minutes work.

I'm quite worried by people on this forum pursuing the (non-)issue.

Kindness isn't going to cure the world of all its awfulness but it's a good place to begin. Daisy Ridley.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. Sync 65258/14193Kbps @ 600m. BQMs - IPv4 & IPv6
Standard User PaulKirby
(knowledge is power) Wed 01-Mar-17 11:52:05
Print Post

Re: DSL Checker not secure?


[re: RobertoS] [link to this post]
 
In reply to a post by RobertoS:
https://www.btwholesale.com/portalzone/login/forceLoadLogin.do
http://www.dslchecker.bt.com/adsl/adslchecker.welcome

Yeah, the wholesale site is using a good CERT, shown below:

[Connection]
Protocol: TLS 1.2
Key Exchange: ECDHE_RSA
Key Exchange Group: P-256
Cipher: AES_128_GCM

Signature hash algorithm: sha256 <-- This was the main issue on the dslchecker site where it was SHA1.
Public Key: RSA (2048 Bits)

So all good there.

The security of the server is rated as B because of the following:
This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.   MORE INFO »
This server accepts RC4 cipher, but only with older browsers. Grade capped to B.  MORE INFO »

RC4 on that server needs resolving, Cipher Suites needs tweaking along with some minor stuff, but apart from that the server isn't that bad.

So if they resolved the RC4 issue and the minor tweaks that server would be rated A.

Now would I use that server, I probably would, but I would disable all the non secure Cipher client side (if I haven't already) that would force them to use another one you and the server have available.

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
Standard User PaulKirby
(knowledge is power) Wed 01-Mar-17 11:52:38
Print Post

Re: DSL Checker not secure?


[re: deleted] [link to this post]
 
In reply to a post by Ignitionnet:
In reply to a post by RobertoS:
Or just withdraw it from public availability.


Hope not. Max would get withdrawal.

LOL

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
Standard User PaulKirby
(knowledge is power) Wed 01-Mar-17 12:03:28
Print Post

Re: DSL Checker not secure?


[re: RobertoS] [link to this post]
 
In reply to a post by RobertoS:
It's a distinct possibility I'm afraid. Ten minutes work.

It could take just over that to resolve the issue.

In reply to a post by RobertoS:
I'm quite worried by people on this forum pursuing the (non-)issue.

I wouldn't say its a non issue, it has security issue on the actual server, and its using an insecure certificate which needs to be fixed, maybe its my OCD kicking in again.

The CERT expires in June so the CERT issue will be resolved then, I am guessing the server "might" be done then.

TBH I haven't really used that site for a few months now, so if they didn't fix the ISSUES on that server its no Biggy, the information on there wasn't that correct anyway.

If I really wanted to get the average fibre speed for a line I would just use the Where and when page.

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest

Edited by PaulKirby (Wed 01-Mar-17 12:04:02)

Standard User ian72
(eat-sleep-adslguide) Wed 01-Mar-17 13:30:55
Print Post

Re: DSL Checker not secure?


[re: PaulKirby] [link to this post]
 
The other thing to consider is that the server has used that cert and those settings probably for a long time. If it wasn't hit before now what makes it suddenly a target - just because now Google/etc tell people it isn't secure doesn't make it any less secure than it was 6 months ago.
Standard User deleted
(deleted) Wed 01-Mar-17 13:49:07
Print Post

Re: DSL Checker not secure?


[re: ian72] [link to this post]
 
Considering the collision exploit that set this whole thing off has only just been carried out in practise at a cost of $7.4m I'd tend to agree with you...

http://www.networkworld.com/article/3173701/security...
Standard User ian72
(eat-sleep-adslguide) Wed 01-Mar-17 14:11:44
Print Post

Re: DSL Checker not secure?


[re: deleted] [link to this post]
 
So it is possible but difficult.

Also, the next question I would pose - if it was not HTTPS at all then would it matter? If the pages were published with no encryption what would anyone watching the traffic find out - I'm thinking not a lot. They could remove the certificate and publish as HTTP and still not be giving away any particularly sensitive data.
Standard User PaulKirby
(knowledge is power) Wed 01-Mar-17 14:16:24
Print Post

Re: DSL Checker not secure?


[re: ian72] [link to this post]
 
All major browser are saying this, not just Chrome.

The issue is where the hashing that their CERT uses (i.e. SHA1) and also that TLS 1.0 is old about to be obsolete and has known security issues.

But yeah its possibly been like that for a while now, its just that our browsers have been updated to notify the users that its not secure and why, which is true and possibly future browser updates will no longer use the obsolete SHA1 hashing and TLS 1.0.
And when that happens nobody will be able to access that site.

Well unless they use the HTTP version or ignore the popup notice.

But my guesses is that it will be resolved in Jun when they renew their CERT which will have SHA256 or better for their hashing.

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
Standard User PaulKirby
(knowledge is power) Wed 01-Mar-17 14:32:24
Print Post

Re: DSL Checker not secure?


[re: ian72] [link to this post]
 
In reply to a post by ian72:
So it is possible but difficult.

Also, the next question I would pose - if it was not HTTPS at all then would it matter? If the pages were published with no encryption what would anyone watching the traffic find out - I'm thinking not a lot. They could remove the certificate and publish as HTTP and still not be giving away any particularly sensitive data.

This is true, however any personal information is sensitive data in a way, not as sensitive as credit card information or passwords etc.

TBH I consider my Phone Number and Address sensitive information due to we are ex-directory.

So no I wouldn't use a site that doesn't use a secure site if I am submitting private information.

But saying that, these forums if I recall uses HTTP when you login, but in this case I am using non secure information.

But we will see what happens in June to see whether they renew the CERT or not.

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest

Edited by PaulKirby (Wed 01-Mar-17 14:35:14)

Standard User ian72
(eat-sleep-adslguide) Wed 01-Mar-17 14:44:30
Print Post

Re: DSL Checker not secure?


[re: PaulKirby] [link to this post]
 
All major browser are saying this, not just Chrome.


Hence my OP says "Google/etc". The etc was covering the others.
Standard User PaulKirby
(knowledge is power) Wed 01-Mar-17 15:12:11
Print Post

Re: DSL Checker not secure?


[re: ian72] [link to this post]
 
In reply to a post by ian72:
All major browser are saying this, not just Chrome.


Hence my OP says "Google/etc". The etc was covering the others.

Ah, ok.
But you are right about it not making it less secure than it was six months ago, its been insecure for many years going by the missing security patches, it was just that we was unaware of it.

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
Standard User deleted
(deleted) Wed 01-Mar-17 15:27:22
Print Post

Re: DSL Checker not secure?


[re: deleted] [link to this post]
 
In reply to a post by huwwatkins:
Considering the collision exploit that set this whole thing off has only just been carried out in practise at a cost of $7.4m I'd tend to agree with you...


How we got here:

We have known for more than 10 years that SHA-1 is weaker than intended. The result of this weakness is that eventually, using the same approach as in Google's Proof Of Concept this week, bad guys would be able to make two documents which SHA-1 treated as the same, if the documents were SSL certificates instead of PDF files, this would enable bad guys to present one certificate to be signed, but then actually use the signature on a different certificate. Like if you got some fool to sign a blank cheque.

This really happened for SHA-1's predecessor, MD5, academic researchers got themselves a bogus certificate this way in 2008, and James Bond types seem to have done it again in the "Flame" malware program which has a fake Microsoft certificate. Both were MD5 which we knew should have been phased out but it wasn't for ages.

By 2014 it was apparent that this would happen soon for SHA-1 too. Certificate Authorities agreed to stop issuing all SHA-1 certificates before 2016, and Browser vendors agreed to stop accepting these certificates in 2017.

The idea was that if you can't get a new certificate, you can't use the attack (you can't use this attack on an existing certificate, it's just a way to trick people when issuing a new one), and if browsers stop trusting the certificates, there will be no incentive to break the rules and issue one anyway. During 2016 we had a few dozen incidents where we caught CAs issuing old SHA-1 certificates "by mistake" and some got in lots of hot water for it, but overall things went pretty well.

So, the DSL checker site isn't "more vulnerable" per se as a result of this old SHA-1 certificate, but we had to mark it as untrusted or else the whole web is effectively left vulnerable. It's like the way Australia was really angry about Johnny Depp's dogs. _Those_ dogs were probably fine on their own, but Australia needs strict rules to protect the weird Australian native wildlife, so it can't just let people disobey the rules like it's no big deal.

BT will have been told, repeatedly, by their vendors to fix this, most certificate vendors offered free re-issues to anyone who might be affected. But I guess no-one at BT cared.
Standard User deleted
(deleted) Wed 01-Mar-17 15:36:32
Print Post

Re: DSL Checker not secure?


[re: PaulKirby] [link to this post]
 
In reply to a post by PaulKirby:
Well it depends on where you get your certs from, I can as far as I know still request verified certificate with a signature hash algorithm of sha1, not that I would do that.

I know I made a mistake about a year ago when I typed in sha1 instead of sha256 and they issued them fine, I then started playing with other flags like key sizes to see how high I could get it before they moaned, got bored at 32768 Bit keys, plus I didn't want to annoy the issuer tongue


If your certificates come from a public CA (ie they'd be trusted in somebody's web browser) then lots of people would be very interested in seeing a SSL/TLS certificate issued "a year ago" (or today) using SHA1 because this would be a violation of root programme policy and of the Baseline Requirements.

Of course if "a year ago" actually means "It might have been 2015", or if your issuer is only trusted in some poxy local system, like at a bank or somewhere else that doesn't take security as seriously as the Web does then never mind.
Standard User RobertoS
(elder) Wed 01-Mar-17 15:57:23
Print Post

Re: DSL Checker not secure?


[re: PaulKirby] [link to this post]
 
In reply to a post by PaulKirby:
So Edge and IE are having the insecure issue as Chrome and Firefox, the only difference is that IE and Edge don't stop your browser.
I just went in using Chrome with no problem.

Kindness isn't going to cure the world of all its awfulness but it's a good place to begin. Daisy Ridley.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. Sync 65258/14193Kbps @ 600m. BQMs - IPv4 & IPv6
Standard User PaulKirby
(knowledge is power) Wed 01-Mar-17 16:32:31
Print Post

Re: DSL Checker not secure?


[re: deleted] [link to this post]
 
In reply to a post by tialaramex:
In reply to a post by PaulKirby:
Well it depends on where you get your certs from, I can as far as I know still request verified certificate with a signature hash algorithm of sha1, not that I would do that.

I know I made a mistake about a year ago when I typed in sha1 instead of sha256 and they issued them fine, I then started playing with other flags like key sizes to see how high I could get it before they moaned, got bored at 32768 Bit keys, plus I didn't want to annoy the issuer tongue


If your certificates come from a public CA (ie they'd be trusted in somebody's web browser) then lots of people would be very interested in seeing a SSL/TLS certificate issued "a year ago" (or today) using SHA1 because this would be a violation of root programme policy and of the Baseline Requirements.

Of course if "a year ago" actually means "It might have been 2015", or if your issuer is only trusted in some poxy local system, like at a bank or somewhere else that doesn't take security as seriously as the Web does then never mind.

Well mine are from a Verified CA, but also remember being able to select SHA1 hash signing when I was requesting the first CERT, lucky I was able to change it.

I just checked the command line args and its no longer has the hash signing args there, the rsa key size args are still there which it should be.

So maybe they realised they hadn't updated it and now its changed.

The issuer of my CERTS are Authority X3 level and its issuer is listed as CA X3.

It was either end of 2015 or start / mid 2016 that I got my first CERT.

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
Standard User PaulKirby
(knowledge is power) Wed 01-Mar-17 16:36:30
Print Post

Re: DSL Checker not secure?


[re: RobertoS] [link to this post]
 
In reply to a post by RobertoS:
In reply to a post by PaulKirby:
So Edge and IE are having the insecure issue as Chrome and Firefox, the only difference is that IE and Edge don't stop your browser.
I just went in using Chrome with no problem.

Well mine stopped me with a popup saying this site isn't secure and gave you an opting to ignore the warning and enter the site.

I told it to ignore the warning and also ticked the box and it now lets me in every time but still says in the URL bar "Not secure" in red text.

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
Standard User RobertoS
(elder) Wed 01-Mar-17 17:35:48
Print Post

Re: DSL Checker not secure?


[re: PaulKirby] [link to this post]
 
Nothing like that. Zilch.

Version 56.0.2924.87
Google Chrome is up to date

Edit: Ah - wait ...
Edit 2: The contents of the URL bar start with a small circle containing the letter "i". Pure black and white. Nothing to raise alarm.

Clicking it gives a low-key warning that the site isn't secure, with a "Learn more" button.

That button merely says the link is not secure, saying the URL starts with http. It then recommends to try altering it to https, and if that doesn't work to contact the site owners and request them to secure the link.

Nothing about the greater security and certificate issues that are being discussed in the thread.

Kindness isn't going to cure the world of all its awfulness but it's a good place to begin. Daisy Ridley.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. Sync 65258/14193Kbps @ 600m. BQMs - IPv4 & IPv6

Edited by RobertoS (Wed 01-Mar-17 17:52:49)

Standard User PaulKirby
(knowledge is power) Wed 01-Mar-17 18:19:05
Print Post

Re: DSL Checker not secure?


[re: RobertoS] [link to this post]
 
Your viewing the non secure version of the dsl checker.

Now try: https://www.dslchecker.bt.com/ which is what we are on about.

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
Standard User RobertoS
(elder) Wed 01-Mar-17 18:41:46
Print Post

Re: DSL Checker not secure?


[re: PaulKirby] [link to this post]
 
Are you sure that's what the OP was on about? I shall reply to him asking smile.

Edit: But yes, now I see. In Chrome but not IE11.

Kindness isn't going to cure the world of all its awfulness but it's a good place to begin. Daisy Ridley.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. Sync 65258/14193Kbps @ 600m. BQMs - IPv4 & IPv6

Edited by RobertoS (Wed 01-Mar-17 18:50:03)

Standard User RobertoS
(elder) Wed 01-Mar-17 18:45:17
Print Post

Re: DSL Checker not secure?


[re: adslmax] [link to this post]
 
In reply to a post by adslmax:
Very odd as firefox, google, internet explorer told me to get out of this site, not connected to secure!

https://s16.postimg.org/hpzpb6erp/dslchecker.jpg
Were you using

http://www.dslchecker.bt.com/adsl/adslchecker.welcome
or
https://www.dslchecker.bt.com/adsl/adslchecker.welcome

?

Kindness isn't going to cure the world of all its awfulness but it's a good place to begin. Daisy Ridley.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. Sync 65258/14193Kbps @ 600m. BQMs - IPv4 & IPv6
Standard User adslmax
(knowledge is power) Wed 01-Mar-17 21:33:07
Print Post

Re: DSL Checker not secure?


[re: RobertoS] [link to this post]
 
https://www.dslchecker.bt.com

also type in google site 'dsl checkers' and it come out at the top with https://www.dslchecker.bt.com

But now I am using this one instead: http://www.dslchecker.bt.com and it all working ok.

How to change google search to force to use this address instead: http://www.dslchecker.bt.com for future search?

Edited by adslmax (Wed 01-Mar-17 21:37:48)

Standard User RobertoS
(elder) Wed 01-Mar-17 22:15:26
Print Post

Re: DSL Checker not secure?


[re: adslmax] [link to this post]
 
Don't use google search. Simply favourite/bookmark the one that works.

Alternatively, come back to this post and click this link.

Kindness isn't going to cure the world of all its awfulness but it's a good place to begin. Daisy Ridley.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. Sync 65258/14193Kbps @ 600m. BQMs - IPv4 & IPv6
Standard User adslmax
(knowledge is power) Wed 01-Mar-17 22:22:01
Print Post

Re: DSL Checker not secure?


[re: RobertoS] [link to this post]
 
good idea, thanks robertos wink
Standard User Chrysalis
(legend) Wed 01-Mar-17 22:32:11
Print Post

Re: DSL Checker not secure?


[re: PaulKirby] [link to this post]
 
On another subject I think the way chrome is programmed to handle the issue is quite bad now.

It displays a vague "not secure" message when in the past it would actually tell you whats wrong e.g. a weak cipher, as well as the cipher in use. Yet it doesnt blurt on about plain http been "not secure". So in that respect its misleading.

For one to actually get the information required from chrome now you have to open the developer tools which is pretty ridiculous just to see the cipher details and certificate.

Sky Fibre Pro BQM - IPv4 BQM - IPv6
Standard User PaulKirby
(knowledge is power) Wed 01-Mar-17 23:05:53
Print Post

Re: DSL Checker not secure?


[re: RobertoS] [link to this post]
 
In reply to a post by RobertoS:
Don't use google search. Simply favourite/bookmark the one that works.

Alternatively, come back to this post and click this link.

Don't take this the wrong way of anything.

Maybe its just the inner Software / Hardware Developer in me talking here or maybe my OCD, but that still doesn't resolve the fact that the SSL side of that site is insecure and that the server has loads of bad security holes in it that really need to be fixed.

And burying your head in the sand by using the non SSL version (i.e. HTTP) of the checker isn't resolving anything apart from stopping the "Not secure" from being displayed.

The SSL side of that site was so that we can enter our information in securely without the man in the middle peeking at our information.

Anyway that's my rant over on this subject.

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
Standard User PaulKirby
(knowledge is power) Wed 01-Mar-17 23:06:58
Print Post

Re: DSL Checker not secure?


[re: Chrysalis] [link to this post]
 
TBH I have never liked Chrome, but due to what I do I have to cater for it frown

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
Standard User RobertoS
(elder) Wed 01-Mar-17 23:20:14
Print Post

Re: DSL Checker not secure?


[re: PaulKirby] [link to this post]
 
Not a problem Paul.

My concern is not for the BT Wholesale server as a whole, but simply for the continuing availability of this facility to the public.

It is hugely important to the central purposes of this site that it continues.

By hammering BT in the way that has been suggested in this thread, including the possibility of attacking the server and bringing it down, the danger of the facility being simply withdrawn becomes extremely high.

I wish everyone would simply desist. I'm sure the messages to BT that posters here have sent will have been noted. As has been posted a few times, when the certificate is renewed in the near future the issue should be resolved.

Kindness isn't going to cure the world of all its awfulness but it's a good place to begin. Daisy Ridley.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. Sync 65258/14193Kbps @ 600m. BQMs - IPv4 & IPv6
Standard User deleted
(deleted) Thu 02-Mar-17 02:21:10
Print Post

Re: DSL Checker not secure?


[re: PaulKirby] [link to this post]
 
In reply to a post by PaulKirby:
I just checked the command line args and its no longer has the hash signing args there, the rsa key size args are still there which it should be.

So maybe they realised they hadn't updated it and now its changed.

The issuer of my CERTS are Authority X3 level and its issuer is listed as CA X3.

It was either end of 2015 or start / mid 2016 that I got my first CERT.


Let's Encrypt, the issuer you're talking about, literally hasn't ever offered SHA1 certificates. So, your memory is playing tricks on you. But thanks for checking.
Standard User PaulKirby
(knowledge is power) Thu 02-Mar-17 07:23:33
Print Post

Re: DSL Checker not secure?


[re: RobertoS] [link to this post]
 
In reply to a post by RobertoS:
when the certificate is renewed in the near future the issue should be resolved.

Well that would be a huge part resolved, but the server would still need to have all the security patches installed to close up all the holes and some tweaks to the Protocols used (disable SSL3, Enable TLS1.1, TLS1.2) and tweak the Cipher Suits to the changed Protocols and that's it.

If BT don't at least do the tweaks the secure side of things would just stop working due to TLS1.0 is just for testing stuff now days and is due to be retired and the server should really be using TLS1.2 first, then fall back to TLS1.1 and then just return back that it has failed to pick a protocol.

BTW all these tweaks only require editing a config file and that's it, plugging the holes would require stuff being installed, but if the tweaks are done it might remove the need to do most of the patches due to the software with the holes are disabled.

But at least the info we send would be securely encrypted.

As for the site to continue, I also wish this, that's why I have only contacted BT the once via twitter.
I was hoping that would of gotten the ball rolling, maybe it has but they have other stuff to do first and where the CERT is due for renewal they might of decided to do it all then.

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
Standard User PaulKirby
(knowledge is power) Thu 02-Mar-17 07:28:07
Print Post

Re: DSL Checker not secure?


[re: deleted] [link to this post]
 
In reply to a post by tialaramex:
Let's Encrypt, the issuer you're talking about, literally hasn't ever offered SHA1 certificates. So, your memory is playing tricks on you. But thanks for checking.

Yeah, its possible, I did try loads of CA's over the years before ending up with Let's Encrypt.

So I might of seen somewhere SHA1 being used by one of the others along with their huge prices.

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
Standard User bowdon
(committed) Sat 11-Mar-17 15:09:39
Print Post

Re: DSL Checker not secure?


[re: PaulKirby] [link to this post]
 
I knew I remembered this thread. Glad I found it again..

I was just going to run a dsl number check and got the same issue as you guys. Insecure Connection warning. It's on FF, Chrome and Opera.

This thread as been going for a few weeks and still no change. A tech company that BT/OR is supposed to be, they really need to be leading the industry, not lagging behind.. smh

Demon => Freeserve => Pipex => Be => Sky => BT Infinity 2
Standard User deleted
(deleted) Sat 11-Mar-17 15:21:33
Print Post

Re: DSL Checker not secure?


[re: adslmax] [link to this post]
 
I think people are using a link that they aren't supposed to be using:

All requests for the HTML version of the availability checker should be made to:
http://www.dslchecker.bt.com/adsl/adslchecker.welcome
Standard User bowdon
(committed) Sat 11-Mar-17 17:00:48
Print Post

Re: DSL Checker not secure?


[re: deleted] [link to this post]
 
That worked! smile

I entered in to google bt dsl checker and the address https://www.dslchecker.bt.com/ comes up. I guess thats a site root page or something.

Demon => Freeserve => Pipex => Be => Sky => BT Infinity 2
Standard User RobertoS
(elder) Sat 11-Mar-17 21:35:40
Print Post

Re: DSL Checker not secure?


[re: bowdon] [link to this post]
 
LOL

That's the one that has been in my "Useful links" list since 2009.

Kindness isn't going to cure the world of all its awfulness but it's a good place to begin. Daisy Ridley.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. Sync 65702/13958Kbps @ 600m. BQMs - IPv4 & IPv6
Standard User bowdon
(committed) Sat 11-Mar-17 21:39:04
Print Post

Re: DSL Checker not secure?


[re: RobertoS] [link to this post]
 
I need to bookmark it lol.

Hmm.. I updated FF and now on the login page of this site its saying its not secure.. I signed in anyways.

Demon => Freeserve => Pipex => Be => Sky => BT Infinity 2
Standard User RobertoS
(elder) Sat 11-Mar-17 21:48:11
Print Post

Re: DSL Checker not secure?


[re: bowdon] [link to this post]
 
In reply to a post by bowdon:
I need to bookmark it lol.

Hmm.. I updated FF and now on the login page of this site its saying its not secure.. I signed in anyways.
Easier to bookmark the link smile. That was the reason I set up the site in the first place, for my own use. And back then always typing nearly the same thing several times a day to explain things to people. So the information pages saved me a lot of work.

The site has badly needed updating for a while frown. (So have I [sad]).

Kindness isn't going to cure the world of all its awfulness but it's a good place to begin. Daisy Ridley.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. Sync 65702/13958Kbps @ 600m. BQMs - IPv4 & IPv6
Standard User bowdon
(committed) Sun 19-Mar-17 14:23:13
Print Post

Re: DSL Checker not secure?


[re: RobertoS] [link to this post]
 
Sorry to keep updating this thread. But the unsecured 'bug' does seem to be a real thing as its even showing on the BT website as unsecured.

I suspect its the latest security measures the browsers are doing.

Demon => Freeserve => Pipex => Be => Sky => BT Infinity 2
Standard User PaulKirby
(knowledge is power) Sun 19-Mar-17 15:15:53
Print Post

Re: DSL Checker not secure?


[re: bowdon] [link to this post]
 
In reply to a post by bowdon:
Sorry to keep updating this thread. But the unsecured 'bug' does seem to be a real thing as its even showing on the BT website as unsecured.

I suspect its the latest security measures the browsers are doing.

The main BT site is secure as far as I can see, not done full tests yet, as far as I can see the main BT site is showing it as unsecure due to having HTTP content on it, so its mixed HTTPS and HTTP.

�Valid Certificate
The connection to this site is using a valid, trusted server certificate.
[View certificate]

� Secure Connection
The connection to this site is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA with P-256), and a strong cipher (AES_128_GCM).

� Mixed Content
The site includes HTTP resources.
Reload the page to record requests for HTTP resources.

That's for URL: https://home.bt.com/

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
Standard User PaulKirby
(knowledge is power) Mon 29-May-17 19:14:44
Print Post

Re: DSL Checker not secure?


[re: PaulKirby] [link to this post]
 
Just a heads up, BT have now resolved the security issue on their DSL Checker Site.

Not really sure when this actually happened, I just noticed it today.

It now gets an A- Rating which is good.

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest | BQM #4 Linksys WRT 3200 ACM
Pages in this thread: 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | >> (show all)   Print Thread

Jump to