Sensitive Virgin Media web pages still stuck on weak crypto software

'F' for FAIL: Despite warnings, telco is yet to upgrade from RC4 suites

More than six months after The Register reported that Virgin Media had failed to move away from weak encryption software used on sensitive areas of its website, the ISP is yet to hit the upgrade button.

In March, we flagged up security concerns to the Liberty Global-owned firm by pointing out that the RC4 stream cipher used by VM was having its life support cut off by the likes of Mozilla.

Since then, the crypto algorithm's death warrant has been signed by browser makers who have said that they will no longer accept connections using the insecure cipher come early next year.

However, while the clock is ticking, Virgin Media has failed to confirm to El Reg when the upgrade to its servers will take place.

A spokesman at the telco was eventually nudged into telling us: "Last conversation was that they’re [VM techies] in the process of finishing off the changes for this one, but will ask if there is an estimated time scale."

But at time of publication no date for the upgrade had been confirmed to the Reg.

In the meantime, VM customers who use the site for billing, identity and payments may want to take note of SSL Labs analyses of those web pages, which come up short on security.

In July, infosec bods were able to demonstrate that they could decrypt cookies encrypted with RC4 within 75 hours. ®

