General Discussion
  >> Fibre Broadband


Register (or login) on our website and you will not see this ad.


Pages in this thread: 1 | 2 | [3] | 4 | 5 | 6 | 7 | 8 | (show all)   Print Thread
Standard User PaulKirby
(knowledge is power) Tue 21-Feb-17 22:12:31
Print Post

Re: DSL Checker not secure?


[re: RobertoS] [link to this post]
 
In reply to a post by RobertoS:
Yes, she and I agree on quite a lot.
.
.
.
.
.
.
.
.
.
wink

LOL

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
Standard User PaulKirby
(knowledge is power) Tue 21-Feb-17 22:14:22
Print Post

Re: DSL Checker not secure?


[re: adslmax] [link to this post]
 
In reply to a post by adslmax:
MrSaffron should take this action against BT. But, I think he wouldn't bothered.

Well I am giving them until the weekend and if nothing has happened by then I will be notifying the Chairman's Office.

Hopefully they will get it sorted.

It just makes me laugh really, BT post loads of tweets about security and scam emails an phone calls and one of their own servers have a security hole.

Now what is scary is suppose a hacker managed to gain access to said server due to all the security holes.

Now there is nothing stopping that said hacker from gaining access to the database which may or may not have all our information like address, phone number account information including our email address used on our BT account.

Now suppose they have said above information, there is nothing stopping them from sending us scam emails, these emails would seem legit due to they originating from one of BT's Mail Servers.

So this really needs to be resolved and the security whole closed before any of this could happen.

Maybe I am paranoid, but if BT are that sloppy in keeping that server up to date and secure, who knows what lack of security internally.

This can and does end up in mail servers being black listed.

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest

Edited by PaulKirby (Tue 21-Feb-17 22:52:16)

Standard User Chrysalis
(legend) Wed 22-Feb-17 06:50:44
Print Post

Re: DSL Checker not secure?


[re: PaulKirby] [link to this post]
 
yes I meant the libraries on their server.

When the cert expires the new one will be sha256, as sha1 certs are no longer allowed to be issued.

Sky Fibre Pro BQM - IPv4 BQM - IPv6

Edited by Chrysalis (Wed 22-Feb-17 06:52:26)


Register (or login) on our website and you will not see this ad.

Standard User PaulKirby
(knowledge is power) Wed 22-Feb-17 07:14:03
Print Post

Re: DSL Checker not secure?


[re: Chrysalis] [link to this post]
 
In reply to a post by Chrysalis:
yes I meant the libraries on their server.

Ah, ok.

In reply to a post by Chrysalis:
When the cert expires the new one will be sha256, as sha1 certs are no longer allowed to be issued.

Well it depends on where you get your certs from, I can as far as I know still request verified certificate with a signature hash algorithm of sha1, not that I would do that.

I know I made a mistake about a year ago when I typed in sha1 instead of sha256 and they issued them fine, I then started playing with other flags like key sizes to see how high I could get it before they moaned, got bored at 32768 Bit keys, plus I didn't want to annoy the issuer tongue

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
Standard User PaulKirby
(knowledge is power) Wed 22-Feb-17 09:18:32
Print Post

Re: DSL Checker not secure?


[re: adslmax] [link to this post]
 
Well I received the following tweet reply from BTCare:
Hi Paul, thanks for that. I'll pass this info on up the chain ^Ronan

I bet it doesn't go any further.

An update...
After a chat via DM (Private Chat)
Thanks for that Paul,

I've passed that onto BT security to investigate.

We appreciate the heads up

Ronan

One thing I did notice just now is that they have disabled SSL3, so that's a small part resolved, so maybe they are working on it.

So now they just need to do all the security updates on the server, update the security suit to use TLS 1.2 as default and fall back to TLS 1.1.

Then just renew the certificate with a signature hash of SHA256 or better and it should be done smile

Oh and top of that I now have another follower tongue

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest

Edited by PaulKirby (Wed 22-Feb-17 09:42:03)

Standard User adslmax
(knowledge is power) Wed 22-Feb-17 18:33:29
Print Post

Re: DSL Checker not secure?


[re: PaulKirby] [link to this post]
 
still the same.

Your connection is not secure

The owner of www.dslchecker.bt.com has configured their web site improperly. To protect your information from being stolen, Firefox has not connected to this web site.

Learn more�

Report errors like this to help Mozilla identify and block malicious sites
Standard User PaulKirby
(knowledge is power) Wed 22-Feb-17 23:33:19
Print Post

Re: DSL Checker not secure?


[re: adslmax] [link to this post]
 
In reply to a post by adslmax:
still the same.

Your connection is not secure

The owner of www.dslchecker.bt.com has configured their web site improperly. To protect your information from being stolen, Firefox has not connected to this web site.

Learn more�

Report errors like this to help Mozilla identify and block malicious sites

Yep, well this might take time due to it being pass onto the security team.

The sad and worrying thing is if the security team passes it onto the numbnuts that is responsible for looking after that said server who thinks the server is secure.

That's fine, they still have a few days yet before I send that email.

Ok, I have just set another private tweet to BT asking if there was any response from their security team and that if it doesn't get resolved by the 27th (this Monday) I will be notifying the chairman's office and let his office deal with the issue.

I normally get a phone call when dealing with his office and it would be much easier to explain on the phone.

But I have a feeling that it still won't be resolved.

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
Standard User PaulKirby
(knowledge is power) Wed 22-Feb-17 23:35:58
Print Post

Re: DSL Checker not secure?


[re: RobertoS] [link to this post]
 
In reply to a post by RobertoS:
I hope you sent them from a mobile data link, not your FTTP connection ....


[chuckle] LOL


I just realised even if I did use my mobile data, BT would still know its me because I am with T-Mobile, which is owned by EE and guess who owns EE, yep you guessed it BT.

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
Standard User Oliver341
(eat-sleep-adslguide) Thu 23-Feb-17 11:50:24
Print Post

Re: DSL Checker not secure?


[re: PaulKirby] [link to this post]
 
Well aside from BT changing the TLS certificate to one that's more secure, it's also very poor that the http version of the checker does not automatically 301 redirect to the https version.

Oliver.
Standard User PaulKirby
(knowledge is power) Thu 23-Feb-17 12:20:39
Print Post

Re: DSL Checker not secure?


[re: Oliver341] [link to this post]
 
In reply to a post by Oliver341:
Well aside from BT changing the TLS certificate to one that's more secure, it's also very poor that the http version of the checker does not automatically 301 redirect to the https version.

The redirect would be set in the equivalent to Virtual Host if they were using Apache, however its Oracle which is based off Apache.
Or they could use .htaccess to auto redirect I have used both on my sites before.

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
TBB Speedtest
Pages in this thread: 1 | 2 | [3] | 4 | 5 | 6 | 7 | 8 | (show all)   Print Thread

Jump to