lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
From: staikos at 0wned.org (George Staikos)
Subject: sympatico.ca uses weak encryption on their billing server


Bell Canada Sympatico is one of the largest Internet providers in Canada.

After repeated requests over the past month to multiple addresses at Bell 
Canada/Sympatico's security and network contacts, I have given up hope.  
Their billing server, https://www.billing.sympatico.ca/, is still running 
Netscape 3.6 SP3 with a 40 bit export-level encryption key.  They insist that 
this is strong encryption, and the people answering my emails are too 
incompetent to understand my concerns that they use a stronger encryption 
key.  The responses I generally received were that I did not have my mouse in 
the right place to see the padlock.

This server is used to store all the personal and billing information for 
customers of Bell Sympatico.  It also allows customers to modify their 
account settings and preferences.  Given the age of the software and the 
known exploits for it, along with the weak encryption key in use, I recommend 
not using the online account management system, and complaining very loudly 
to Bell.


-- 

George Staikos


Powered by blists - more mailing lists