
Plusnet Member Centre not secure!

goldenfibre
Seasoned Pro
Posts: 3,278
Thanks: 193
Fixes: 12
Registered: ‎01-06-2010

Plusnet Member Centre not secure!

Please sort out Plusnet as the member centre login is not secure, see below:
Strat
Community Veteran
Posts: 31,319
Thanks: 1,638
Fixes: 565
Registered: ‎14-04-2007

Re: Plusnet Member Centre not secure!

I've had the attached available in Waterfox for a long time.
Windows 10 Firefox 107.0 (64-bit)
To argue with someone who has renounced the use of reason is like administering medicine to the dead - Thomas Paine
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

Re: Plusnet Member Centre not secure!

For the member centre login, from the Browser console it's:
Quote
18:15:50.662 Loading mixed (insecure) display content "http://www.plus.net/bundles/plusnetplusnetassets/images/liveperson/invites/mc-chat-online.gif" on a secure page[Learn More] mTag.js:1:0
18:15:50.665 Loading mixed (insecure) display content "http://www.plus.net/bundles/plusnetplusnetassets/images/liveperson/invites/mc-chat-online-9-9.gif" on a secure page[Learn More] mTag.js:1:0
18:15:50.667 Loading mixed (insecure) display content "http://www.plus.net/bundles/plusnetplusnetassets/images/liveperson/invites/mc-chat-online-busy.gif" on a secure page[Learn More] mTag.js:1:0
18:15:50.669 Loading mixed (insecure) display content "http://sales.liveperson.net/visitor/liveperson/chat-button/transparent.gif" on a secure page[Learn More]

i.e. images related to live chat
Anotherone
Champion
Posts: 19,107
Thanks: 455
Fixes: 21
Registered: ‎31-08-2007

Re: Plusnet Member Centre not secure!

Which doesn't make the rest insecure, right?
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

Re: Plusnet Member Centre not secure!

Well, it can't be that bad, because Firefox loaded the images anyway.
Unlike the google analytics javascript that Firefox blocks if you browse these forums over https.
The padlock status colour does look worse for the mixed content allowed case though.
jelv
Seasoned Hero
Posts: 26,786
Thanks: 990
Fixes: 10
Registered: ‎10-04-2007

Re: Plusnet Member Centre not secure!

Quote
What is mixed content?
HTTP is a system for transmitting information from a web server to your browser. HTTP is not secure, so when you visit a page served over HTTP, your connection is open for eavesdropping and man-in-the-middle attacks. Most websites are served over HTTP because they don't involve passing sensitive information back and forth and do not need to be secured.
When you visit a page fully transmitted over HTTPS (green padlock in the address bar), like your bank, your connection is authenticated and encrypted and hence safeguarded from eavesdroppers and man-in-the-middle attacks.
However, if the HTTPS page you visit includes HTTP content, the HTTP portion can be read or modified by attackers, even though the main page is served over HTTPS. When an HTTPS page has HTTP content, we call that content “mixed”. The page you are visiting is only partially encrypted and even though it appears to be secure, it isn't.

What are the risks of mixed content?
An attacker can replace the HTTP content on the page you're visiting in order to steal your credentials, take over your account, acquire sensitive data about you, or attempt to install malware on your computer.
jelv (a.k.a Spoon Whittler)
   Why I have left Plusnet (warning: long post!)   
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£14.40/month)
Mobile: iD mobile (£4/month)
OB
Dabbler
Posts: 10
Registered: ‎03-09-2014

Re: Plusnet Member Centre not secure!

Unsecured images are the least of the problems with their TLS setup.
https://www.ssllabs.com/ssltest/analyze.html?d=portal.plus.net&s=212.159.8.2&hideResults=on
They still support RC4 (broken), are only using TLS 1.0, use common 1024 primes (Logjam) and don’t support the modern cipher suites. If Plusnet are running the latest Apache and OpenSSL then it’s an easy fix.
https://mozilla.github.io/server-side-tls/ssl-config-generator/
https://weakdh.org/sysadmin.html
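The three findings in the post above (RC4 enabled, nothing newer than TLS 1.0, no custom DH group), checked against an Apache mod_ssl fragment. This is an added example, not part of the original post and not Plusnet's configuration: both config fragments are constructed, the DH parameter path is a placeholder, and the SSLProtocol and cipher-string parsing is a simplified reading of the real syntax.

```python
import re

KNOWN = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def enabled_protocols(value):
    """Simplified SSLProtocol reading: 'all' adds every known version,
    '-X' removes X, 'X' or '+X' adds X."""
    on = set()
    for tok in value.split():
        name = tok.lstrip("+-").lower()
        names = KNOWN if name == "all" else [n for n in KNOWN if n.lower() == name]
        if tok.startswith("-"):
            on.difference_update(names)
        else:
            on.update(names)
    return on

def audit(conf):
    """Return the weaknesses named in the post that apply to this fragment."""
    directives = {}
    for line in conf.splitlines():
        m = re.match(r"\s*(SSL\w+)\s+(.*\S)", line)  # '#' comment lines never match
        if m:
            directives.setdefault(m.group(1), []).append(m.group(2))
    findings = []
    protos = enabled_protocols(directives.get("SSLProtocol", ["all"])[-1])
    if not protos & {"TLSv1.2", "TLSv1.3"}:
        findings.append("no TLS 1.2 or later")
    suites = re.split(r"[:, ]+", directives.get("SSLCipherSuite", [""])[-1])
    # Only explicitly named RC4 entries are caught; '!RC4' and '-RC4' disable it.
    if any("RC4" in s.upper() and not s.startswith(("!", "-")) for s in suites):
        findings.append("RC4 enabled")
    cmds = directives.get("SSLOpenSSLConfCmd", [])
    if not any(c.split()[0] == "DHParameters" for c in cmds):
        findings.append("no custom DH group")
    return findings

# Constructed fragments: the weak one mirrors the post's findings.
WEAK = """
SSLProtocol TLSv1
SSLCipherSuite RC4-SHA:DHE-RSA-AES128-SHA:AES128-SHA
"""
HARDENED = """
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:!RC4
SSLHonorCipherOrder on
SSLOpenSSLConfCmd DHParameters "/path/to/dhparams.pem"
"""
```
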
Anotherone
Champion
Posts: 19,107
Thanks: 455
Fixes: 21
Registered: ‎31-08-2007

Re: Plusnet Member Centre not secure!

Oh, so we are going to see a TalkTalk next week then maybe :(
jelv
Seasoned Hero
Posts: 26,786
Thanks: 990
Fixes: 10
Registered: ‎10-04-2007

Re: Plusnet Member Centre not secure!

Given TalkTalk's recent experiences they will have been/will be considerably tightening things up. Plusnet's way has always been to take action after it all blows up in their face - scheduled improvements (unless it's something marketing driven) always take for ages (secure email?).
So yes, if security of ISP systems is a major concern I'd say moving to TalkTalk would be a very smart move.
jelv (a.k.a Spoon Whittler)
   Why I have left Plusnet (warning: long post!)   
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£14.40/month)
Mobile: iD mobile (£4/month)
drunkenmonkey
Grafter
Posts: 1,661
Thanks: 2
Registered: ‎13-06-2007

Re: Plusnet Member Centre not secure!

Google Analytics is also set to protocol absolute instead of protocol relative, meaning it always loads in http and on some browsers throws a security warning. It's also a very old version of GA code that was deprecated well over a year ago...