
List:       full-disclosure
Subject:    [Full-Disclosure] sympatico.ca uses weak encryption on their billing server
From:       George Staikos <staikos () 0wned ! org>
Date:       2002-10-29 23:23:07



Bell Canada Sympatico is one of the largest Internet providers in Canada.

After repeated requests over the past month to multiple addresses at Bell 
Canada/Sympatico's security and network contacts, I have given up hope.  
Their billing server, https://www.billing.sympatico.ca/, is still running 
Netscape 3.6 SP3 with a 40-bit export-level encryption key.  They insist that 
this is strong encryption, and the people answering my emails are too 
incompetent to understand my concerns that they use a stronger encryption 
key.  The responses I generally received were that I did not have my mouse in 
the right place to see the padlock.

This server is used to store all the personal and billing information for 
customers of Bell Sympatico.  It also allows customers to modify their 
account settings and preferences.  Given the age of the software and the 
known exploits for it, along with the weak encryption key in use, I recommend 
not using the online account management system, and complaining very loudly 
to Bell.


-- 

George Staikos

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html