topic Plusnet Member Centre not secure! in Plusnet Feedback

Plusnet Member Centre not secure!

goldenfibre — Tue, 10 Nov 2015 17:45:15 GMT

Please sort out Plusnet as the member centre login is not secure see below:

Re: Plusnet Member Centre not secure!

Strat — Tue, 10 Nov 2015 18:10:58 GMT

I've had the attached available in Waterfox for a long time.

Re: Plusnet Member Centre not secure!

ejs — Tue, 10 Nov 2015 18:24:25 GMT

For the member centre login, from the Browser console it's:

Quote
18:15:50.662 Loading mixed (insecure) display content "http://www.plus.net/bundles/plusnetplusnetassets/images/liveperson/invites/mc-chat-online.gif" on a secure page[Learn More] mTag.js:1:0
18:15:50.665 Loading mixed (insecure) display content "http://www.plus.net/bundles/plusnetplusnetassets/images/liveperson/invites/mc-chat-online-9-9.gif" on a secure page[Learn More] mTag.js:1:0
18:15:50.667 Loading mixed (insecure) display content "http://www.plus.net/bundles/plusnetplusnetassets/images/liveperson/invites/mc-chat-online-busy.gif" on a secure page[Learn More] mTag.js:1:0
18:15:50.669 Loading mixed (insecure) display content "http://sales.liveperson.net/visitor/liveperson/chat-button/transparent.gif" on a secure page[Learn More]

i.e. images related to live chat

Re: Plusnet Member Centre not secure!

Anotherone — Tue, 10 Nov 2015 19:34:40 GMT

Which doesn't make the rest insecure, right?

Re: Plusnet Member Centre not secure!

ejs — Tue, 10 Nov 2015 20:01:38 GMT

Well, it can't be that bad, because Firefox loaded the images anyway.
Unlike the google analytics javascript that Firefox blocks if you browse these forums over https.
The padlock status colour does look worse for the mixed content allowed case though.

Re: Plusnet Member Centre not secure!

jelv — Tue, 10 Nov 2015 20:33:54 GMT

Quote
What is mixed content?
HTTP is a system for transmitting information from a web server to your browser. HTTP is not secure, so when you visit a page served over HTTP, your connection is open for eavesdropping and man-in-the-middle attacks. Most websites are served over HTTP because they don't involve passing sensitive information back and forth and do not need to be secured.
When you visit a page fully transmitted over HTTPS (green padlock in the address bar), like your bank, your connection is authenticated and encrypted and hence safeguarded from eavesdroppers and man-in-the-middle attacks.
However, if the HTTPS page you visit includes HTTP content, the HTTP portion can be read or modified by attackers, even though the main page is served over HTTPS. When an HTTPS page has HTTP content, we call that content “mixed”. The page you are visiting is only partially encrypted and even though it appears to be secure, it isn't.

What are the risks of mixed content?
An attacker can replace the HTTP content on the page you're visiting in order to steal your credentials, take over your account, acquire sensitive data about you, or attempt to install malware on your computer.

Re: Plusnet Member Centre not secure!

OB — Tue, 10 Nov 2015 21:15:32 GMT

Unsecured images are the least of the problems with their TLS setup.
https://www.ssllabs.com/ssltest/analyze.html?d=portal.plus.net&s=212.159.8.2&hideResults=on
They still support RC4 (broken), are only using TLS 1.0, use common 1024 primes (logjam) and don’t support the modern cipher suites. If plusnet are running the latest apache and openssl then it’s a easy fix.
https://mozilla.github.io/server-side-tls/ssl-config-generator/
https://weakdh.org/sysadmin.html

Re: Plusnet Member Centre not secure!

Anotherone — Thu, 12 Nov 2015 04:00:35 GMT

Oh, so we are going to see a TalkTalk next week then maybe

Re: Plusnet Member Centre not secure!

jelv — Thu, 12 Nov 2015 08:58:47 GMT

Given TalkTalk's recent experiences they will have been/will be considerably tightening things up. Plusnet's way has always been to take action after it all blows up in their face - scheduled improvements (unless it's something marketing driven) always take for ages (secure email?).
So yes, if security of ISP systems is a major concern I'd say moving to TalkTalk would be a very smart move.

Re: Plusnet Member Centre not secure!

drunkenmonkey — Fri, 13 Nov 2015 10:50:15 GMT

Google Analytics is also set to protocol absolute instead of protocol relative meaning it always loads in http and on some browsers throws a security warning, it's also a very old version of GA code that was deprecated well over a year ago...