Pale Moon and Virgin Media Topic is solved

Pentode

Pale Moon and Virgin Media

Post by Pentode » 2015-08-28, 20:43

Hi, got a problem on a Win 7 lappy. I installed Pale Moon latest and getting errors logging in to my billing account. I read an earlier post in altering TLS min and max but that did not work, I then installed Pale Moon commander..... that did not work, I tried all ways upside down and sideways with no joy....maybe I was doing something wrong I dunno but gave up and am about to remove Pale Moon.

Is there anything I could try? Thanks, Dave

Moonchild
Pale Moon guru
Posts: 29243
Joined: 2011-08-28, 17:27
Location: Tranås, SE

Re: Moon Pale and Virgin Media

Post by Moonchild » 2015-08-28, 22:42

Yes, there's something you can try: call them and be VERY cross with them.

Please see: https://www.ssllabs.com/ssltest/analyze.html?d=identity.virginmedia.com

Their https security is terrible. They ONLY support TLS 1.0 and they ONLY support RC4 (with MD5 as hash, at that!), and they are intolerant to higher TLS versions, and don't have secure renegotiation.

The only way you can connect to them is by going into Pale Moon Commander (Advanced options... -> Security), setting the minimum and maximum supported TLS version to 1.0 (Tab SSL) AND enabling RSA-RC4-MD5 (Tab Ciphers1). This will severely negatively impact your security on all other sites but it is the only way you could log in to their server, if you need to log in right now.

This is not a browser problem and uninstalling Pale Moon as a result of this is blaming the wrong party.
"Son, in life you do not fight battles because you expect to win, you fight them merely because they need to be fought." -- Snagglepuss

Pentode

Re: Moon Pale and Virgin Media (Solved)

Post by Pentode » 2015-08-28, 23:22

Thank you very much that did the trick, I didn't need to touch the two TLS settings I only had to tick the RSA-RC4-MD5 (Tab Ciphers1) box.

Best regards and thanks again, Dave

x-15a2
Keeps coming back
Posts: 825
Joined: 2014-03-19, 00:28
Location: Triskelion

Re: Moon Pale and Virgin Media

Post by x-15a2 » 2015-08-28, 23:34

I hope that you take the first half of Moonchild's answer as seriously as you did the second half. Enabling insecure connections should not be considered a fix at all.

chreid

Re: Moon Pale and Virgin Media

Post by chreid » 2015-08-29, 07:56

Also a VM customer who has badgered them about their insecure server for nearly a year.
Please read this VM forum thread which I submitted in March and refers even further back to the previous November:
http://community.virginmedia.com/t5/Int ... 747#M17675

End result? Nothing.

Moonchild

Re: Pale Moon and Virgin Media

Post by Moonchild » 2015-08-29, 09:39

Begs the question: why are you still their customer? Because I'd say it's a pretty good indicator of the safety of their internet services...

chreid

Re: Pale Moon and Virgin Media

Post by chreid » 2015-08-29, 11:58

Well they are my ISP and supply DOCSIS cable BB [up to 152 mbs - soon 300] and cable TV with TIVO. All other BB provision here is via ADSL.

I don't use their email service [except SMTP] and only login for Service Status and checking account details, not transacting. It's still all very poor. Growl. :x

Pentode

Re: Pale Moon and Virgin Media

Post by Pentode » 2015-08-29, 18:04

I can appreciate your concerns about security. I am writing this on a laptop and it's not my main computer - to be honest I hate the darn things. My criteria: I want to access my VM account.... nothing more and nothing less.

No need for me to tell you about security, as soon as broadband is connected forget it, anything can and does happen. I have a desktop here that has never seen an internet connection..... my pcb CAD's - no naughty stuff.

You can spend a lifetime worrying and still get clobbered. Virgin Media, they're a mixed bunch all round, not just their security.

Thanks to Moonchild I can go away a 'happy bunny'. Dave.

Moonchild

Re: Pale Moon and Virgin Media

Post by Moonchild » 2015-08-29, 18:42

Dave,

I hope you're never the victim of a broken cryptography attack then. I assume your personal VM account has plenty of personal information in it, including everything needed to perform identity theft, and probably also financial data. I think you'll be more concerned when your bank account is suddenly depleted -- but hey, your choice, and if you're happy with the practical solution offered, then that's fine with me too :)

chreid

Re: Pale Moon and Virgin Media

Post by chreid » 2015-08-29, 20:20

Who's Dave?

Personally I've done everything possible. If they won't change their appalling security practices after all my entreaties what can I do?

BTW VM is now owned by Liberty Global - do they have a poor record in this area?

ron_1
Moon Magic practitioner
Posts: 2395
Joined: 2012-06-28, 01:20

Re: Pale Moon and Virgin Media

Post by ron_1 » 2015-08-29, 20:26

Off-topic:
chreid wrote:
Who's Dave?
The original poster of this thread.

chreid

Re: Pale Moon and Virgin Media

Post by chreid » 2015-08-29, 20:32

:? :? I see.
Wish people would keep to their monikers.

Moonchild

Re: Pale Moon and Virgin Media

Post by Moonchild » 2015-08-29, 21:23

You can always contact Liberty Global and let them know about the severity of this issue. That should stir something, since that would be management. Just use simple terms regarding the technicalities of it ;)

PaulMoore

Re: Pale Moon and Virgin Media

Post by PaulMoore » 2015-09-29, 21:31

I was pointed in this direction by "chreid" / Xian regarding VM's TLS deployment.

I agree the TLS deployment is pretty awful and it's in the process of being upgraded, but have you carried out any back-of-the-envelope calculations regarding the tangible risk here @Moonchild? I'd be interested to hear your thoughts as to how an attacker is likely to compromise an account, given what we know about RC4 attacks.

Thanks.

chreid

Re: Pale Moon and Virgin Media

Post by chreid » 2015-12-17, 20:18

Well here we are coming up to end of 2015 and Virgin Media have today announced [re RC4]:

"At Virgin Media, we always want to make sure your personal information is as protected and secure as possible.
So in order to align with the changes being implemented on all major browsers, from mid-January 2016 (exact date TBC) we’ll be updating our servers to use a new security encryption standard, that’s even more secure and means our websites will work with all major internet browsers."

No indication of TLS/secure reneg.

Personally I've given up banging my head against a brick wall here. :thumbdown:

Moonchild

Re: Pale Moon and Virgin Media

Post by Moonchild » 2015-12-18, 01:46

They say mid-January because that is the point in time where all mainstream browsers have agreed they are going to definitively drop RC4.
So their "even more secure" (as if what they have is secure now) encryption is forced because their hand is forced. If mainstream browsers hadn't agreed on this, I'm sure VM would have stuck to RC4-MD5 indefinitely.

Now, I do hope they have the presence of mind to go for something proper, and not, say, RSA-3DES 112 bits (the next lowest encryption standard in browsers).

chreid

Re: Pale Moon and Virgin Media

Post by chreid » 2015-12-18, 09:42

I'll keep you posted.
BTW do you have an answer for PaulMoore's "back-of-an-envelope" risk assessment comment above?

chreid

Re: Pale Moon and Virgin Media

Post by chreid » 2016-01-19, 18:12

Finally seems to be fixed.
TLS1.2 and Secure Renegotiation enabled and RC4 gone [mostly!].
https://www.ssllabs.com/ssltest/analyze ... nmedia.com

Hoo-bloody-ray. :roll:

Moonchild

Re: Pale Moon and Virgin Media

Post by Moonchild » 2016-01-19, 18:52

Wow, it's like they make a conscious effort to have lower-end encryption.

So, now they finally got off their RC4-only position, but prioritize RSA over ECDHE key exchange (no forward secrecy). At least they prefer AES over 3DES, so that's something, right? :lol:
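
Added example, not part of any post in this thread: a small Python audit that flags the server-side weaknesses the posters name (TLS 1.0 only, RC4, MD5, 3DES, no secure renegotiation, RSA preferred over ECDHE) and shows why a client with RC4-MD5 disabled could not complete a handshake with the original configuration. The `BEFORE`, `AFTER` and `CLIENT` lists are constructed from the descriptions above, not taken from a scan, and the finding codes are hypothetical names chosen for this example.

```python
# Added example. Both server offers are constructed from the posters'
# descriptions, not taken from a scan. Suite names follow OpenSSL naming.
from dataclasses import dataclass

@dataclass
class ServerOffer:
    versions: list              # protocol versions the server accepts
    suites: list                # cipher suites, in server preference order
    secure_renegotiation: bool

def has_forward_secrecy(suite):
    # Ephemeral (EC)DH key exchange is what provides forward secrecy.
    return suite.startswith(("ECDHE-", "DHE-"))

def audit(offer):
    """Return sorted finding codes (hypothetical names) for one server offer."""
    findings = set()
    if not any(v in ("TLSv1.2", "TLSv1.3") for v in offer.versions):
        findings.add("no-modern-tls")
    if not offer.secure_renegotiation:
        findings.add("no-secure-renegotiation")
    for suite in offer.suites:
        parts = suite.split("-")
        if "RC4" in parts:
            findings.add("rc4-offered")
        if parts[-1] == "MD5":
            findings.add("md5-mac")
        if "CBC3" in parts:          # DES-CBC3-* is 3DES
            findings.add("3des-offered")
    fs = [has_forward_secrecy(s) for s in offer.suites]
    if not any(fs):
        findings.add("no-forward-secrecy")
    elif not fs[0]:
        findings.add("forward-secrecy-not-preferred")
    return sorted(findings)

def negotiate(client_suites, offer):
    """Server-preference selection: first server suite the client also offers."""
    return next((s for s in offer.suites if s in client_suites), None)

BEFORE = ServerOffer(["TLSv1.0"], ["RC4-MD5"], False)
AFTER = ServerOffer(["TLSv1.0", "TLSv1.2"],
                    ["AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256",
                     "DES-CBC3-SHA", "RC4-SHA"], True)
CLIENT = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "DES-CBC3-SHA"]

if __name__ == "__main__":
    for name, offer in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(offer), "->", negotiate(CLIENT, offer))
```

Against the "after" offer the same client ends up on `AES128-SHA` even though it supports ECDHE, which is the server-preference point made in the last post.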


Locked