General Discussion
  >> Fibre Broadband


Register (or login) on our website and you will not see this ad.


Pages in this thread: 1 | [2] | 3 | 4 | 5 | 6 | 7 | 8 | (show all)   Print Thread
Standard User adslmax
(knowledge is power) Mon 20-Feb-17 18:29:54
Print Post

Re: DSL Checker not secure?


[re: PaulKirby] [link to this post]
 
I have inform BT about this. They say it all working fine, all fixed. But I don't think they never understand the dslchecker still not secure on firefox and google chrome.

Internet Explorer are working fine.
Standard User PaulKirby
(knowledge is power) Mon 20-Feb-17 19:25:43
Print Post

Re: DSL Checker not secure?


[re: adslmax] [link to this post]
 
In reply to a post by adslmax:
I have inform BT about this. They say it all working fine, all fixed. But I don't think they never understand the dslchecker still not secure on firefox and google chrome.

Internet Explorer are working fine.

Yes IE and Edge do work fine, but if you open up the developer tools and check the console messages you will see the warning.

SEC7132: The certificate protecting this website uses weak cryptography (SHA1). The website should replace this certificate with an SHA2 certificate before SHA1 is no longer allowed.
www.dslchecker.bt.com

I have sent a very detailed email of the issue and what exploits they webservers are vulnerable to that could gain the attacker access to the server in question itself and then access to all the database servers that server has access to.

I have also told them they can contact me for more information if needed and also if this security blunder isn't resolved within a reasonable time I will be contacting the Chairman's office due to our private information like address and phone number, mu phone number is ex-directory and a hacker would have access to both information breaking the privacy act.

The sad thing is they have no clue what they are doing, they webserver is vulnerable to the SSL3 POODLE Exploit, if you are unaware of that exploit do a google search.

I am about to sent BT a tweet with an image of the vulnerable areas, maybe this approach will get it resolved.

*** update ***
Tweets sent.

Also its only the DSL Checker that is insecure with all the exploits, the main BT Site (i.e. https://home.bt.com) has a rating of A, its not perfect but its secure.

Lets now see what becomes of it tongue
I bet I get told to remove my Tweets due to it exposes what its vulnerable to.

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest

Edited by PaulKirby (Mon 20-Feb-17 20:09:56)

Standard User adslmax
(knowledge is power) Mon 20-Feb-17 22:18:14
Print Post

Re: DSL Checker not secure?


[re: PaulKirby] [link to this post]
 
I post this to PN forum as someone deleted my post by PN staff. Disgusted because PN are the isp can report this to BTWholesale of dslchecker not secure.

I was surprise no one from many isp's can see this and doesn't want to get involved.

Edited by adslmax (Mon 20-Feb-17 22:20:18)


Register (or login) on our website and you will not see this ad.

Standard User PaulKirby
(knowledge is power) Mon 20-Feb-17 23:28:53
Print Post

Re: DSL Checker not secure?


[re: adslmax] [link to this post]
 
In reply to a post by adslmax:
I post this to PN forum as someone deleted my post by PN staff. Disgusted because PN are the isp can report this to BTWholesale of dslchecker not secure.

I was surprise no one from many isp's can see this and doesn't want to get involved.


Well that doesn't sound good frown

Well I am going to give BT 7 to 10 days to respond to my Email and Tweets and if nothing is heard I will be forwarding this to the chairman's office because the dsl checker is part of BT's network and should be responsible for keeping it secure like they do with their main site.

All it would take them to resolve the issues is about 20 mins if that.

One of the sites that I run which I including in one of the links use to be rated D to F when I was unaware of all the issues and after 20 to 30 mins of me not being a Linux Guy I now have it rated at A and A+.

So surely they tech people responsible to maintain those servers would have the knowledge to keep it up to date.

They are not even using the latest protocols and the ones they do have exploits or on their way out like TLS1.0

Maybe the tech people in question are the same support people that BT were currently using which are located overseas LOL

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
Standard User Chrysalis
(legend) Tue 21-Feb-17 06:05:22
Print Post

Re: DSL Checker not secure?


[re: adslmax] [link to this post]
 
The certificate problem is the sha1 hash.

The ciphers used are independent of the certificate and is how their web server is configured.

There is more problems tho.

The ssl libraries have not been patched for over a year, so its vulnerable to things like POODLE, no forward secrecy support in mainstream browsers, no TLS 1.2 support, its preferred cipher is 3DES which was favoured in windows XP and IE6 days. As I said before typical of a large company, the server itself has probably been untouched for several years. It also still has sslv3 enabled.

Sky Fibre Pro BQM - IPv4 BQM - IPv6

Edited by Chrysalis (Tue 21-Feb-17 06:06:27)

Standard User PaulKirby
(knowledge is power) Tue 21-Feb-17 19:50:23
Print Post

Re: DSL Checker not secure?


[re: Chrysalis] [link to this post]
 
In reply to a post by Chrysalis:
The certificate problem is the sha1 hash.

The ciphers used are independent of the certificate and is how their web server is configured.

There is more problems tho.

The ssl libraries have not been patched for over a year, so its vulnerable to things like POODLE, no forward secrecy support in mainstream browsers, no TLS 1.2 support, its preferred cipher is 3DES which was favoured in windows XP and IE6 days. As I said before typical of a large company, the server itself has probably been untouched for several years. It also still has sslv3 enabled.

Wasn't that was I already said in my posts, but yeah, I agree with them not touching their server for a long time.

OpenSSL has been patched many times over the last several years, theirs hasn't, the security status of SSL3 was posted many years ago and was advised to disable it and use TLS and newer versions of TLS like version TLSv1.2 and soon to be TLSv1.3, TLSv1.0 is on its way out due to some security issues.

The SHA1 (128 bit) has is insecure due to all hashes are known just like MD5 so that's why its throwing an issue with SHA1.

Well I have still yet to hear anything from my Email and any of my Tweets sent to various BT sections, even with physical evidence handed to them there has been no response as yet.

Also I think they are holding off until June because the Cert expires on Mon, 12 Jun 2017 23:59:59 UTC (expires in 3 months and 22 days) its still not right and they should still resolve the rest of the issue now.

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest

Edited by PaulKirby (Tue 21-Feb-17 19:53:13)

Standard User RobertoS
(elder) Tue 21-Feb-17 19:52:04
Print Post

Re: DSL Checker not secure?


[re: PaulKirby] [link to this post]
 
I hope you sent them from a mobile data link, not your FTTP connection ....


[chuckle] LOL

Kindness isn't going to cure the world of all its awfulness but it's a good place to begin. Daisy Ridley.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. Sync 65258/14193Kbps @ 600m. BQMs - IPv4 & IPv6
Standard User PaulKirby
(knowledge is power) Tue 21-Feb-17 19:56:20
Print Post

Re: DSL Checker not secure?


[re: RobertoS] [link to this post]
 
In reply to a post by RobertoS:
I hope you sent them from a mobile data link, not your FTTP connection ....


[chuckle] LOL

LOL, you know what, my Sister said the exact same when I told her last night.

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
Standard User RobertoS
(elder) Tue 21-Feb-17 20:46:31
Print Post

Re: DSL Checker not secure?


[re: PaulKirby] [link to this post]
 
Yes, she and I agree on quite a lot.
.
.
.
.
.
.
.
.
.
wink

Kindness isn't going to cure the world of all its awfulness but it's a good place to begin. Daisy Ridley.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. Sync 65258/14193Kbps @ 600m. BQMs - IPv4 & IPv6
Standard User adslmax
(knowledge is power) Tue 21-Feb-17 21:40:39
Print Post

Re: DSL Checker not secure?


[re: PaulKirby] [link to this post]
 
MrSaffron should take this action against BT. But, I think he wouldn't bothered.
Pages in this thread: 1 | [2] | 3 | 4 | 5 | 6 | 7 | 8 | (show all)   Print Thread

Jump to