A Paul.Reviews Project

Overview

Updated: 01/12/2015


Pass: 18 | Warnings: 9 | Failures: 8 | Unknown: 1
Website - SSL / TLS (In-Transit Encryption)
Qualys (Now) | A C F F B A B B A A A
Qualys (Pre-Audit) | B C F F C F C F F F F C

Email Security
Webmail Qualys | B | C | N/A | F | F | F
Webmail / HTTPS | Yes | Yes | No | Yes | Yes | Yes
Webmail / HTTP | No | No | Yes | No | Yes | No
POP3 SSL/TLS | Yes | No | No | Yes | No | Yes
IMAP SSL/TLS | Yes | No | No | Yes | No | Yes
SMTP SSL/TLS | Yes | No | No | Yes | Yes | Yes
StartTLS | Yes | Yes | No | Yes | No | Yes

Password Entry & Storage
Min Length | 8 | 8 | 6 | 8 | 8 | 8
Max Length | 50 | 16 | 16 | 10 | 32 | 32
Supported Chars (one line per column)
    a-z A-Z 0-9 ! # $ % & ( ) * + , - . / : ; > = < ? @ [ ] ^ _ ` { | } ~
    a-z A-Z 0-9 ! # $ % & ( ) * + , - . / : ; > = < ? @ [ ] ^ _ ` { | } ~
    a-z A-Z 0-9 _
    a-z A-Z 0-9 (no special chars)
    a-z A-Z 0-9 ! # $ % & ( ) * + , - . / : ; > = < ? @ [ ] ^ _ ` { | } ~
    a-z A-Z 0-9 (no restriction on special chars)
Storage Method | Unknown | Encrypted | Plain | Plain | Unknown | Unknown

Authentication & Session Management
Login / HTTPS | Yes | Yes | Yes | Yes | Yes | Yes
Login / HTTP | No | No | No | No | No | No
Mixed-Mode | Yes | No | No | No | Yes | Yes

Cookies
Session HTTP | Yes | Yes | No | Yes | No | No
Session Secure | No | Yes | No | Yes | No | Yes

Response Headers
XFO | deny | sameorigin | no | no | no | no
HSTS | Post-Auth | no | no | no | no | no
HPKP | no | no | no | no | no | no
CSP | no | no | no | no | no | no
XSS | no | Yes | no | no | no | Yes
XCTO | no | Yes | no | no | no | Yes

Critical Issues | 0 | 0 | 0 | 0 | 1 | 0
Serious Issues | 0 | 2 | 2 | 0 | 4 | 1
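The Cookies and Response Headers rows above summarise a handful of per-response checks. The script below is an added example of those checks as code; it is not the tooling the audit used, and both sample responses are constructed. It parses a raw response, reports each header as "yes" (present and acceptable), "weak" (present but not acceptable) or "no" (absent), and reports the HttpOnly and Secure flags on every Set-Cookie header.

```python
"""Scorecard-style audit of response headers and cookie flags.

Added example for the Cookies and Response Headers rows; it is not the
audit tooling the page's author used. The two responses are constructed."""

# Scorecard label -> (header name, predicate deciding whether the value counts
# as a pass). Header names are compared case-insensitively.
HEADER_CHECKS = {
    "XFO":  ("x-frame-options",
             lambda v: v.strip().lower() in ("deny", "sameorigin")),
    "HSTS": ("strict-transport-security",
             lambda v: "max-age=" in v.lower()),
    "HPKP": ("public-key-pins",
             lambda v: "pin-sha256=" in v.lower()),
    "CSP":  ("content-security-policy",
             lambda v: bool(v.strip())),
    "XSS":  ("x-xss-protection",
             lambda v: v.strip().startswith("1")),
    "XCTO": ("x-content-type-options",
             lambda v: v.strip().lower() == "nosniff"),
}


def parse_raw_headers(raw):
    """Split a raw response (status line plus headers) into (name, value)
    pairs. A list is returned rather than a dict because Set-Cookie may
    legitimately appear more than once."""
    pairs = []
    for line in raw.splitlines():
        if ":" not in line or line.startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_headers(pairs):
    """Return {label: 'yes' | 'weak' | 'no'} for each scorecard header check.
    'weak' means the header is present but its value does not pass."""
    first_value = {}
    for name, value in pairs:
        first_value.setdefault(name, value)
    results = {}
    for label, (header, passes) in HEADER_CHECKS.items():
        value = first_value.get(header)
        if value is None:
            results[label] = "no"
        else:
            results[label] = "yes" if passes(value) else "weak"
    return results


def audit_cookies(pairs):
    """Return {cookie_name: {'HttpOnly': bool, 'Secure': bool}} for every
    Set-Cookie header, matching the two cookie rows of the scorecard."""
    cookies = {}
    for name, value in pairs:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.lower() for p in parts[1:]}
        cookies[cookie_name] = {
            "HttpOnly": "httponly" in attrs,
            "Secure": "secure" in attrs,
        }
    return cookies


def scorecard(raw):
    """Combine both audits for one raw response."""
    pairs = parse_raw_headers(raw)
    return {"headers": audit_headers(pairs), "cookies": audit_cookies(pairs)}


# Constructed responses: one with none of the controls, one with the headers
# and cookie flags the scorecard rewards (HPKP deliberately left out).
WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: SESSIONID=c0ffee; Path=/
"""

HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'
Set-Cookie: SESSIONID=c0ffee; Path=/; Secure; HttpOnly
"""

if __name__ == "__main__":
    for title, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(title, scorecard(raw))
```

The predicates are deliberately loose (an HSTS header with a tiny max-age still passes) because they mirror the presence/absence view of the scorecard; a production check would also enforce minimum max-age and a non-trivial CSP. HPKP and X-XSS-Protection are included only because the scorecard tracks them: browsers have since deprecated both, so a current audit would drop those two rows.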

TalkTalk

Database Credential Leak

Type: Database Credential Leak
Status: Critical
Reported: Yes
Fixed: Domain offline.
More Info: TalkTalk Labs database credentials leaked via open web.config.

Plusnet

Cross Site Request Forgery / My Account

Type: CSRF
Status: Resolved
Reported: 28/10/2015 - 2:16PM
Fixed: 28/10/2015 - 10PM
More Info: Allowing a 3rd-party to remotely hijack any account, providing access to phone records, billing history, email accounts.

RFC 2142 / Obtained Genuine TLS Certificate

Type: RFC 2142
Status: Resolved
Reported: 23/11/2015 - 3:24PM
Fixed: 24/11/2015 - 9AM
More Info: Non-compliance with RFC 2142, allowing an attacker to obtain a genuine SSL/TLS certificate.

EE

Cross Site Request Forgery / My Account

Type: CSRF
Status: Vulnerable
Reported: 03/11/2015 - 4:57PM
Fixed:
More Info: Allowing a 3rd-party to remotely hijack any account, providing access to phone records, billing history, email accounts.

RFC 2142 / Obtained Genuine TLS Certificate

Type: RFC 2142
Status: Vulnerable
Reported: 23/11/2015 - 10:42AM
Fixed:
More Info: Non-compliance with RFC 2142, allowing an attacker to obtain a genuine SSL/TLS certificate.
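The RFC 2142 findings for Plusnet and EE state the consequence (a genuine certificate could be obtained) without spelling out the mechanism. The usual one, assumed here, is a webmail service that lets an ordinary subscriber register a role mailbox such as hostmaster@ or postmaster@ on the provider's own domain; certificate authorities accept mail to those addresses as proof of domain control. The check below is an added example, not the code of any provider named on this page, of the control that closes that gap at signup: it refuses the mailbox names RFC 2142 reserves plus the addresses the CA/Browser Forum Baseline Requirements permit for email-based validation. The domain and addresses in it are constructed.

```python
"""Signup-time check that refuses role mailboxes on a provider's own domain.

Added example, not any provider's code; the domain and addresses are
constructed."""

# Mailbox names RFC 2142 reserves for business, network and service roles.
RFC2142_MAILBOXES = {
    "info", "marketing", "sales", "support",            # business
    "abuse", "noc", "security",                          # network operations
    "postmaster", "hostmaster", "usenet", "news",        # service roles
    "webmaster", "www", "uucp", "ftp",
}

# Addresses public CAs accept as proof of domain control for email-based
# validation (CA/Browser Forum Baseline Requirements). "admin" and
# "administrator" are not in RFC 2142, so they are listed separately.
CA_VALIDATION_MAILBOXES = {"admin", "administrator", "webmaster",
                           "hostmaster", "postmaster"}

RESERVED_LOCAL_PARTS = RFC2142_MAILBOXES | CA_VALIDATION_MAILBOXES


def canonical_local_part(local):
    """Normalise the local part before matching. Assumption: the mail system
    treats dots and '+tag' suffixes as equivalent to the bare name, so
    'Host.Master+x' is matched as 'hostmaster'. Being conservative here is
    cheap; a false reject only costs one unusual username."""
    base = local.split("+", 1)[0]
    return base.replace(".", "").lower()


def is_reserved_mailbox(address, own_domain):
    """True when address is a reserved role mailbox on own_domain."""
    local, sep, domain = address.rpartition("@")
    if not sep or domain.lower() != own_domain.lower():
        return False
    return canonical_local_part(local) in RESERVED_LOCAL_PARTS


def validate_signup(requested, own_domain):
    """Return (allowed, reason) for a requested webmail address."""
    if is_reserved_mailbox(requested, own_domain):
        return False, "reserved role mailbox (RFC 2142 / CA validation address)"
    if not requested.lower().endswith("@" + own_domain.lower()):
        return False, "address is not on this service's domain"
    return True, "ok"


if __name__ == "__main__":
    DOMAIN = "example.net"  # constructed
    for candidate in ("alice@example.net", "hostmaster@example.net",
                      "Post.Master+signup@example.net", "admin@example.net"):
        print(candidate, validate_signup(candidate, DOMAIN))
```

The same list is worth applying retroactively: an audit of existing accounts against RESERVED_LOCAL_PARTS finds role mailboxes that were registered before the check existed, which a signup-time control alone will never surface.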

TalkTalk

TalkTalk Firmware update pages serve malware

Type: Malware
Status: Vulnerable
More Info: Apparently known to TalkTalk for many years.

Webmail credentials sent over HTTP post-breach

Type: Insecure Authentication
Status: Vulnerable
More Info: Proof.

Account credentials sent over HTTP post-breach

Type: Insecure Authentication
Status: Vulnerable
More Info: Proof.

Lied about periodicity of Information Commissioner's Office auditing

Type: Deceitful Behaviour
Status: By the CEO's office, can this be fixed?
More Info: Proof.

Sky

Cross Site Request Forgery / My Account

Type: CSRF
Status: Vulnerable
Reported: 31/10/2015 - 2:51PM
Fixed:
More Info: Allowing a 3rd-party to remotely hijack any account, providing access to phone records, billing history, email accounts.

BT / Plusnet

Within hours of my initial email, both BT & Plusnet called to acknowledge receipt and outline their plan of action. Both companies have remained in touch, supplying very detailed updates about how they intend to move forward with the recommendations.

I remain thoroughly impressed by their professional and remarkably candid approach and wouldn't hesitate using either service in future.


EE

Just a few days after my initial email, EE arranged a conference call to discuss the issues.

Less than a week later, EE forwarded a detailed spreadsheet which outlined how they intended to mitigate many of the issues raised. EE have since commissioned a source-code review.

EE have not taken any mitigative action with reference to the CSRF exploit thus far, pending the results of a source audit. There has been little/no immediate improvement with reference to their poor Qualys scores, despite an estimated fix being just weeks away.

Unfortunately, EE have one of the weakest overall deployments, saved only by their willingness to discuss these issues so candidly.


Virgin Media

Having been a Virgin Media customer for well over a decade, I'm acutely aware that trying to engage in any security-related discussion is virtually impossible, the sole exception being a SuperHub 2 vulnerability last year.

Unfortunately, Virgin Media did not reply to numerous requests for comment.

However, the results of this audit haven't given any immediate cause for concern.


TalkTalk

Unfortunately, TalkTalk operate in a bubble of blissful ignorance.

Their utterly shambolic approach to security, combined with a proclivity to make wild & demonstrably fallacious claims, places TalkTalk firmly in last place during this audit.


Sky

Within hours of my initial email, Sky called to acknowledge receipt and arrange a conference call that night. In the weeks which followed, Sky made significant improvements to their TLS deployment, scoring straight "A" across the board.