Sensitive Virgin Media web pages still stuck on weak crypto software

More than six months since The Register reported that Virgin Media had failed to move away from weak encryption software used on sensitive areas of its website – the ISP is yet to hit the upgrade button. In March, we flagged up security concerns to the Liberty Global-owned firm by pointing out that the RC4 stream cipher used …

  1. Alan J. Wylie

    Another one for the hall of shame

    https://www.insolvencydirect.bis.gov.uk/

    https://www.ssllabs.com/ssltest/analyze.html?d=www.insolvencydirect.bis.gov.uk

    "This server uses RC4 with modern browsers. Grade capped to C."

    "Cipher Suites (sorted by strength as the server has no preference; deprecated and SSL 2 suites at the end)

    TLS_RSA_WITH_RC4_128_SHA (0x5) WEAK 128"

    1. Dan 55 Silver badge
      Trollface

      Re: Another one for the hall of shame

      C? That's a pass, isn't it.

      1. A Known Coward

        Re: Another one for the hall of shame

        In the world of security, anything less than an A is never a pass. Incidentally, SSL Labs hand out an A+ for the top grade, which is what everyone should be targeting.

        1. Anonymous Coward
          Childcatcher

          Re: Another one for the hall of shame

          "Incidentally, SSL Labs hand out an A+ for the top grade"

          I can make an Exchange server get an A+ with HAProxy on the front. Unfortunately MS can't make Outlook Anywhere understand TLS 1.2 (Outlook 2013 and earlier)

          The latest PCI DSS will deprecate SSL completely and TLS 1.0 as of June 2016.

          1. TheVogon

            Re: Another one for the hall of shame

            "I can make an Exchange server get an A+ with HAProxy on the front."

            No need for HAProxy to do that. IIS is perfectly capable by itself.

            "Unfortunately MS can't make Outlook Anywhere understand TLS 1.2 (Outlook 2013 and earlier)"

            See http://blogs.technet.com/b/exchange/archive/2015/07/27/exchange-tls-amp-ssl-best-practices.aspx

            Microsoft are aware and a solution is apparently coming soon.

      2. Nick Lowe

        Re: Another one for the hall of shame

        Try https://dev.ssllabs.com/ssltest/analyze.html?d=identity.virginmedia.com

    2. Adam 1

      Re: Another one for the hall of shame

      https://forums.theregister.co.uk

      At least it doesn't support rc4 ciphers.

  2. Turtle

    Sensitive Media Virgins.

    "Sensitive Virgin Media web pages"

    I'm pretty certain you meant "webpages of sensitive media virgins" - and by "sensitive media virgins" you can only have meant "Nicole McCullough and Julia Cordray".

    ... which reminds me of another Rowan Atkinson line: "Still with us, I see, Herpes".

    https://www.youtube.com/watch?v=R7OxTxAvvLw

  3. Anonymous Coward

    Calling the ICO.... Come in the ICO

    They should hand out a huge fine to VM. It is not as if they have had no warning...

    There really is no excuse.

    I am really glad that I am not nor never have been a VM customer.

  4. Wolfclaw
    Facepalm

    It's VM; it always takes them a year or two to get off their backsides and do something. Look at the fiasco they have just suffered with email accounts getting spammed to hell after moving from Google servers, and yet they refuse to accept a data breach!

    1. Anonymous Coward

      Ah yes, the email fiasco. Admittedly forced into it by Google dropping Gmail for ISPs, but a total fubar of epic proportions. You have to wonder if they gave the project to the work experience boy, although he could probably do a better job.

      Broken forwarding, broken anti-spam, massive amounts of blocked (genuine) emails, massively reduced features, massively limited search, massive outages.

      I gave up with the totally hopeless OX within about a week, totally and utterly unfit for purpose. VM just trot out the line that email is a "bonus" not a paid feature so won't even reduce the bill for the utter lack of providing a service.

      I feel very sorry for those left using it.

  5. choleric

    I cannot believe

    that I'm the first to point out the poor support for _any_ ciphers ancient or modern on El Reg.

    Pot meet kettle.

    People in glass houses shouldn't throw stones.

    Plank in your own eye vs spec in someone else's.

    Etc. Etc. Ad nauseam.

    Come on El Reg. It's not that hard really. I'm sure some of your readers would do the work for free!

    1. Anonymous Coward
      Paris Hilton

      Re: I cannot believe

      "Come on El Reg. It's not that hard really. I'm sure some of your readers would do the work for free!"

      It has already been offered multiple times and the lack of SSL/TLS hereabouts is a long running joke given the nature of the occasional snarky sideswipe at other websites.

      I can spin up HAProxy in 20 minutes from scratch in a VM (includes OS install) with an A+ at Qualys. Config: 5 mins. Fiddling the cert + CAs + DH params into one file: 5-20 mins. Finding the typo in the config: 5-100 mins.

      Anyway, el Reg use someone to do their security (can't remember the name but you'll sometimes have to enter a captcha when commenting) and I suspect the SSL tick box has a large number with a euro/dollar/peso symbol near it ...

      1. Anonymous Coward
        FAIL

        Re: I cannot believe

        Inexplicably, el Reg let someone else do their insecurity...

        FTFY

        I imagine it's for some depressingly moronic non-technical reason... like liability insurance being so prohibitive for a non-"security" outfit doing it (properly) itself, that it's only financially viable to pay some "professional" security charlatan outfit to feign it.

      2. Alister
        Thumb Up

        Re: I cannot believe

        Finding the typo in the config 5-100 mins.

        That one made me chuckle, have one of these >>

    2. 142

      Re: I cannot believe

      It is outstanding. Especially given that El Reg frequently boast about the fact they're consistently profitable. They absolutely have the money to do it.

      I think they're the only site I use that doesn't have any attempt at security.

      And I could maybe understand if this was all legacy architecture stuff...

      But they redeveloped the entire user/comment/forum section just a couple of years back!

    3. Solarisfire

      Re: I cannot believe

      El Reg isn't really transferring sensitive data though is it...

      1. choleric

        Re: I cannot believe

        Login information is sensitive. And I think most users would take umbrage if their accounts were hijacked due to a mitm breach that could easily have been avoided with some TLS.

        That wouldn't be a good look for an IT-savvy vulture, would it?

  6. Lee D Silver badge

    TPOnline.

    Handles the majority of UK Teachers' Pensions.

    Still scores THE WORST GRADE of encryption that I've ever seen in my life.

    Ironically, demands client certificates which you have to PAY FOR to log on - but the sign up page for that still scores an F on SSL Labs.

    Now that Chrome has gone up a level, I think you can ONLY use Internet Explorer too. Which is just hilarious given how much sensitive data goes through that website.

    1. Anonymous Coward

      Thanks Lee, didn't know that about TPOnline. But I do need to access the site, on occasion, I do have a teacher pension.

      :-(

      AC because if I'm forced to use the site I don't want any other identifiable information connecting me to the fact.

    2. Anonymous Coward

      "Ironically, demands client certificates which you have to PAY FOR to log on - but the sign up page for that still scores an F on SSL Labs."

      Reading that a wee thought bubbled up... if only someone could forge a functional fake cert and flog 'em on ebay for 99p ... I'd bet THAT would get the relevant torpid middle manager with no clue what his job was supposed to entail to pull his finger out. Almost certainly not yet quite broken enough for that to be feasible in reality, but the thought made me smile anyway...

  7. Terry 6 Silver badge

    Oh VM (Sighs)

    When they're good they're very very good.

    But when things go wrong they stink.

    It's as if they are running on railway tracks.

    As long as things are according to plan they give a wonderful service, extremely good value. Really helpful customer service.

    But if things go wrong they just don't seem to know how to manage it.

    Front line staff aren't kept informed of problems so that they will be going through the "turn it off and on again" routines while their managers know perfectly well that there is a problem down the line.

    And if they do screw up you will experience really poor service from them; instead of dealing with it, they go into full-scale fob-you-off mode and refuse to accept any kind of responsibility.

    They're not in the BT Openreach league of customer avoidance, but they are getting close.

    Which I assume is why they failed to warn customers about the spam flood that got through this week. Or inform us, or apologise. Or, in fact acknowledge it publicly at all.

    At least that's my experience.

    1. DaveDaveDave

      Re: Oh VM (Sighs)

      In my experience with them, their customer service people will either be very helpful, or totally obstructive. If you get one of the obstructors, just ring off and dial again.

  8. WibbleMe

    A real-world web developer says it's hard to offer support for old browsers/mobile phones, but you have to, or you can say goodbye to visitors.

    Those that need support with SSL v1.0

    Android 4.3 and below.

    IE8 and below.

    Safari 6.0.4 / OS X 10.8.4 and below.

    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:!MEDIUM
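The directive quoted above is the Apache mod_ssl form that keeps RC4 on offer: in OpenSSL cipher-list syntax `RC4+RSA` adds every suite that is both RC4 and RSA-keyed, and `+HIGH` only moves suites already selected by `ALL` to the end of the list, so nothing here excludes RC4. The following is an added example, not the commenter's configuration or Virgin Media's; it shows the weak line next to a corrected one that an SSL Labs scan would not cap at C. Everything after the first `SSLCipherSuite` line is an assumption about a sensible target, not something the comment states.

```apache
# Weak: the line as posted. "RC4+RSA" pulls the RC4 suites in explicitly,
# and because there is no SSLHonorCipherOrder the client's preference wins.
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:!MEDIUM

# Corrected (assumed target, not from the comment): TLS 1.2 only, the
# server's order wins, forward-secret AEAD suites first, and RC4, anonymous,
# NULL, export, MD5 and (3)DES suites excluded by name so a later edit to
# the positive list cannot quietly bring one back.
SSLProtocol -all +TLSv1.2
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!RC4:!MD5:!DES:!3DES
```

To see what a given string actually selects, run `openssl ciphers -v '<the string>'` against the OpenSSL build Apache links to: on 1.0.x/1.1.x builds the posted string lists the `RC4-SHA`/`RC4-MD5` suites, while an OpenSSL 3 build lists none because RC4 lives in the legacy provider, which is exactly the kind of difference between a test box and a production box that leaves "WEAK" suites live on the latter. The corrected list is deliberately TLS 1.2-only, which drops the IE8/Android 4.3/Safari 6 clients in the list above; supporting them means keeping RC4 or CBC/SHA1 suites reachable, and that is the trade-off the comment is pointing at.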

  9. Badvok
    Devil

    Who cares?

    If someone really wants to MITM my browser's connection to VM and spend 75 hours breaking the key to find out my name and address and how much my VM broadband costs me please go ahead.

    As to those who let VM store anything more than that, well ...

    1. Anonymous Coward

      Re: Who cares?

      There is a serious misunderstanding of the RC4 weaknesses.

      Attacking a few dozen RC4-encrypted TLS sessions is still impossible. The 75 hours is the amount of time it took to have the exact same request repeated over-and-over-and-over again in order for the RC4 weakness to become statistically relevant and attackable. Only very few, and seriously broken or design-flawed, pieces of software will send the same long-term secret several million times in a rapid fashion.

      1. TheVogon

        Re: Who cares?

        "Only very few, and seriously broken or design-flawed software will send the same longterm secret several million times in a rapid fashion."

        Or JavaScript that you send to the client to do exactly that...

  10. Solarisfire

    O2 Still stuck on weak crypto

    O2 still transfer card details using broken SSL: https://www.ssllabs.com/ssltest/analyze.html?d=identity.o2.co.uk

  11. Paul Moore

    So much hype, so little risk assessment.

    None of the standard, stable-build UAs currently block requests to an RC4-only site... so there's no issue there. If you run a bleeding-edge build of any browser, you're opening yourself up to far greater risks... something which vendors will actually tell you. To subsequently criticise a site for "unnecessary security risks" is bordering on comical.

    Attacks against RC4 are still incredibly difficult, requiring 2^26 sessions encrypting the same data with different keys... that's over 67 million requests! If you're logging in 67 million times, you probably have more serious issues.

    Yes, RC4 is broken. VM are aware of it and working towards a solution, but all this "think of the children" FUD is helping nobody.
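The distinction drawn in the two comments above (a few dozen RC4 sessions are not attackable; the same data encrypted under many different keys is) can be seen directly with the cipher's best-known single-byte bias. This is an added example, not code from the article or from any commenter. The plaintext is constructed, the 16-byte keys come from a seeded PRNG so the run is repeatable, and the attacker is given only the ciphertexts. It relies on the Mantin-Shamir result that RC4's second keystream byte is 0 about twice as often as any other value, so the second ciphertext byte equals the second plaintext byte with probability about 2/256 instead of 1/256; tens of thousands of sessions are enough to make that byte the clear majority. In TLS that keystream position is consumed by the encrypted Finished message, which is part of why the practical attacks on RC4 in TLS use weaker biases at later positions and the far larger session counts quoted above. The mechanism is the same either way: a secret repeated under fresh keys turns a keystream bias into plaintext, which is what a script injected into a victim's browser can arrange and what a human logging in by hand cannot.

```python
import random
from collections import Counter

# Constructed sample plaintext (not from the article): a fixed request
# fragment a client repeats on every connection, with the secret in the
# same position each time.
PLAINTEXT = b"GET /account HTTP/1.1\r\nCookie: sid=SECRET\r\n"


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4: key scheduling (KSA), then n bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher encryption: plaintext XOR keystream (decryption is identical)."""
    keystream = rc4_keystream(key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


def broadcast_attack(plaintext: bytes, n_keys: int, seed: int = 1) -> dict:
    """Encrypt one plaintext under n_keys independent random keys and recover
    its second byte from the ciphertexts alone.

    RC4's second keystream byte is 0 with probability about 2/256 (Mantin
    and Shamir).  Whenever it is, ciphertext[1] == plaintext[1], so across
    many keys the true plaintext byte is the most frequent ciphertext value
    at that position.  No key is ever seen; only the repetition matters.
    """
    rng = random.Random(seed)          # seeded so the demonstration is repeatable
    counts = Counter()
    for _ in range(n_keys):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        counts[rc4_encrypt(key, plaintext)[1]] += 1
    recovered, hits = counts.most_common(1)[0]
    return {
        "recovered_byte": recovered,            # attacker's guess for plaintext[1]
        "hits": hits,                           # how often that value appeared
        "expected_if_unbiased": n_keys / 256,   # what an unbiased keystream would give
    }


if __name__ == "__main__":
    result = broadcast_attack(PLAINTEXT, 20000, seed=7)
    print(result, "true second byte:", PLAINTEXT[1])
```

Run with a handful of keys and `recovered_byte` is noise; with 20,000 it is the plaintext byte and `hits` sits near twice `expected_if_unbiased`. That gap between "a few sessions" and "many sessions of the same secret" is the whole of the risk argument being made in this thread.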
