cancel
Showing results for 
Search instead for 
Did you mean: 

Plusnet Member Centre not secure!

goldenfibre
Aspiring Pro
Posts: 2,582
Thanks: 43
Fixes: 2
Registered: 01-06-2010

Plusnet Member Centre not secure!

Please sort out Plusnet as the member centre login is not secure see below:
9 REPLIES
Moderator
Moderator
Posts: 25,991
Thanks: 1,239
Fixes: 50
Registered: 14-04-2007

Re: Plusnet Member Centre not secure!

I've had the attached available in Waterfox for a long time.

Customer and Forum Moderator.

Community Veteran
Posts: 4,970
Thanks: 362
Fixes: 16
Registered: 10-06-2010

Re: Plusnet Member Centre not secure!

For the member centre login, from the Browser console it's:
Quote
18:15:50.662 Loading mixed (insecure) display content "http://www.plus.net/bundles/plusnetplusnetassets/images/liveperson/invites/mc-chat-online.gif" on a secure page[Learn More] mTag.js:1:0
18:15:50.665 Loading mixed (insecure) display content "http://www.plus.net/bundles/plusnetplusnetassets/images/liveperson/invites/mc-chat-online-9-9.gif" on a secure page[Learn More] mTag.js:1:0
18:15:50.667 Loading mixed (insecure) display content "http://www.plus.net/bundles/plusnetplusnetassets/images/liveperson/invites/mc-chat-online-busy.gif" on a secure page[Learn More] mTag.js:1:0
18:15:50.669 Loading mixed (insecure) display content "http://sales.liveperson.net/visitor/liveperson/chat-button/transparent.gif" on a secure page[Learn More]

i.e. images related to live chat
Community Veteran
Posts: 19,099
Thanks: 434
Fixes: 21
Registered: 31-08-2007

Re: Plusnet Member Centre not secure!

Which doesn't make the rest insecure, right?
Community Veteran
Posts: 4,970
Thanks: 362
Fixes: 16
Registered: 10-06-2010

Re: Plusnet Member Centre not secure!

Well, it can't be that bad, because Firefox loaded the images anyway.
Unlike the google analytics javascript that Firefox blocks if you browse these forums over https.
The padlock status colour does look worse for the mixed content allowed case though.
Community Veteran
Posts: 26,533
Thanks: 774
Fixes: 9
Registered: 10-04-2007

Re: Plusnet Member Centre not secure!

Quote
What is mixed content?
HTTP is a system for transmitting information from a web server to your browser. HTTP is not secure, so when you visit a page served over HTTP, your connection is open for eavesdropping and man-in-the-middle attacks. Most websites are served over HTTP because they don't involve passing sensitive information back and forth and do not need to be secured.
When you visit a page fully transmitted over HTTPS (green padlock in the address bar), like your bank, your connection is authenticated and encrypted and hence safeguarded from eavesdroppers and man-in-the-middle attacks.
However, if the HTTPS page you visit includes HTTP content, the HTTP portion can be read or modified by attackers, even though the main page is served over HTTPS. When an HTTPS page has HTTP content, we call that content “mixed”. The page you are visiting is only partially encrypted and even though it appears to be secure, it isn't.

What are the risks of mixed content?
An attacker can replace the HTTP content on the page you're visiting in order to steal your credentials, take over your account, acquire sensitive data about you, or attempt to install malware on your computer.
jelv (a.k.a Spoon Whittler)
   Why I have left Plusnet (warning: long post!)   
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£13/month)
Mobile: iD mobile (£4/month)
OB
Dabbler
Posts: 10
Registered: 03-09-2014

Re: Plusnet Member Centre not secure!

Unsecured images are the least of the problems with their TLS setup.
https://www.ssllabs.com/ssltest/analyze.html?d=portal.plus.net&s=212.159.8.2&hideResults=on
They still support RC4 (broken), are only using TLS 1.0, use common 1024 primes (logjam) and don’t support the modern cipher suites. If plusnet are running the latest apache and openssl then it’s a easy fix.
https://mozilla.github.io/server-side-tls/ssl-config-generator/
https://weakdh.org/sysadmin.html
Community Veteran
Posts: 19,099
Thanks: 434
Fixes: 21
Registered: 31-08-2007

Re: Plusnet Member Centre not secure!

Oh, so we are going to see a TalkTalk next week then maybe Sad
Community Veteran
Posts: 26,533
Thanks: 774
Fixes: 9
Registered: 10-04-2007

Re: Plusnet Member Centre not secure!

Given TalkTalk's recent experiences they will have been/will be considerably tightening things up. Plusnet's way has always been to take action after it all blows up in their face - scheduled improvements (unless it's something marketing driven) always take for ages (secure email?).
So yes, if security of ISP systems is a major concern I'd say moving to TalkTalk would be a very smart move.
jelv (a.k.a Spoon Whittler)
   Why I have left Plusnet (warning: long post!)   
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£13/month)
Mobile: iD mobile (£4/month)
Community Veteran
Posts: 1,656
Registered: 13-06-2007

Re: Plusnet Member Centre not secure!

Google Analytics is also set to protocol absolute instead of protocol relative meaning it always loads in http and on some browsers throws a security warning, it's also a very old version of GA code that was deprecated well over a year ago...