Security

Virgin Media takes its time on website crypto upgrade

Firefox and Chrome wave red flags at ISP

Virgin Media has failed to upgrade weak encryption software that it uses for sensitive parts of the telco's website, despite complaints from customers who claim to have repeatedly flagged up security concerns to the firm.

In parallel with the gripes, Mozilla – which recently told netizens that it planned to end support for the RC4 stream cipher used by VM – has an open tracking bug about the cable company's site.

Elsewhere, Google's browser Chrome has also been spitting out security warnings about various Virgin Media pages (such as https://identity.virginmedia.com) because the connection has to first be retried to use an older version of the TLS (transport layer security) protocol.

Virgin Media still using obsolete crytography. Image credit: Nick Lowe

Image credit: Nick Lowe

But Virgin Media has yet to upgrade its service, even though it first heard about the potential security headache late last year. A spokesman at the company told The Register:

Although there are no practical exploits of the algorithm, we have a programme of work which is well underway that will address the issue.

When quizzed about the progress of that work, VM fell silent.

Software engineer and Reg reader Nick Lowe got in touch with your correspondent earlier this month to highlight his concerns about the RC4 and TLS issue.

As he noted to us, infosec bods recently called for the RC4 cipher to be outlawed by companies, after new research appeared to show that attacks against the scheme were becoming easier.

Lowe told us this morning that he was disappointed with VM's response to his moans about the obsolete and insecure cryptography that the firm continues to use on its site.

"I ... think that's a disingenuous and rather meaningless thing for them to say," he said.

"Yes, the RC4 issue isn't particularly practically exploitable based on the information that is known publicly, but – as pointed out to VM – the service is also TLS 1.2 intolerant, which means that the software they use can't have been patched in years and is therefore, by definition, going to be security vulnerable to other issues."

"No SSL/TLS stack has remained secure over that passage of time since this has been resolved so it's a vulnerability canary," he added.

"Chrome, for example, notes in the details about the connection that it has had to retry using an insecure protocol downgrade to establish a connection. This shows, definitively, that the infrastructure it has to provide this encryption has not been maintained."

An SSL analysis of various, sensitive VM web pages shows how low the ISP scores on security. The firm's identity, billing and payments pages all come up short when tested.

And Lowe isn't the only one finding himself shouting at the bins over this issue.

®

Sponsored: IBM FlashSystem V9000 product guide