dslreports logo
 
    All Forums Hot Topics Gallery
spc
Search similar:


uniqs
746
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20

Premium Member

[Internet] My Account is Down

Click for full size
Good that it is down as TWC is VULNERABLE to the POODLE exploit! I hope TWC took the server down to fix it. TWC shockingly only gets a "C" rating from Qualys, whereas, Comcast gets an A-.

»Re: Disappointing industry response to SSL poodles

hobgoblin
Sortof Agoblin
Premium Member
join:2001-11-25
Orchard Park, NY

4 recommendations

hobgoblin

Premium Member

I love Poodles, They are so cute!

Hob

maartena
Elmo
Premium Member
join:2002-05-10
Orange, CA

maartena to Mele20

Premium Member

to Mele20
said by Mele20:

Good that it is down as TWC is VULNERABLE to the POODLE exploit! I hope TWC took the server down to fix it. TWC shockingly only gets a "C" rating from Qualys, whereas, Comcast gets an A-.

»Re: Disappointing industry response to SSL poodles

What surprises me more then anything, is your willingness to continue to post on a site that scored an F!! (dslreports that is...)
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20

Premium Member

I don't use SSL here. Not even for login. While I am a bit surprised dslr dropped from A to F rating, I don't really care. I mean...geez, it's a GoDaddy cert. I know the owners of GoDaddy. They specialize in cheap certs for sleazebags, thieves, etc. I block GoDaddy certs in all browsers. Additionally, this site has NO information about me! TWC DOES and only because I registered there VERY RELUCTANTLY because I wanted to use the TVEverywhere apps..But I can't because only Fx 15 works according to the TWC app team (or IE any version - rather obvious that Microsoft got paid off by TWC), or an old version of Chrome. I would NEVER pay my Oceanic bill at TWC.com or Oceanic.com...that would be insane since my privacy, my right to prevent identity theft as best I can, etc. matters to me. So, the ONLY reason to register at that god-awful twc.com website that got rid of the good stuff from help.rr.com was so I COULD do the TVEverywhere apps. I never registered at rr.com and never went there. I only used help.rr.com which was superior to the junk and the constant clicking back and forth enduring insanely stupid questions to try and get help at twc.com.

In regards to SECURITY AND SAFETY Comcast wins hands down when compared to TWC. Stupid comments, designed to deflect the REAL ISSUE, like the comment by hobgoblin See Profile just emphasize how pathetic TWC is when it comes to the security and privacy of the user. The site has been back up for awhile and TWC flipped all users the middle finger as, according to Qualys, they did nothing to fix the security problems while down.

maartena
Elmo
Premium Member
join:2002-05-10
Orange, CA

maartena to Mele20

Premium Member

to Mele20
You are really being paranoid, Mele20. The bug only affects SSL3, which is rather ancient. Most websites have upgraded to TLS a long time ago, and use either TLS 1.1 or TLS 1.2 for their secure transports.

Webservers have often left SSL3 enabled to ensure backwards compatibility with older browsers. Firefox has already announced it will simply disable SSL3 in its next browser version (34), and the only people still truly affected by this are those running Windows XP in combination with either Internet Explorer 6, or an old old version of Firefox.

Website owners simply need to disable SSL3 and move on. It's not worth it to fix it for the very small number of people that can't talk TLS 1.1 or TLS 1.2 due to the use of obsolete browsers.

The MyAccount being temporarily down could have a lot of different reasons, and doesn't necessarily mean it is related to the Poodle attack. It works for me at this moment, no problem.

Read this: »community.qualys.com/blo ··· e-attack

If you are worried about SSL3 being used, make sure you upgrade to the latest version of your browser once the next major release is released, it seems both Chrome and Firefox are simply going to disable SSL3 in their code.

Most people simply do not use SSL3 anymore, they would only use SSL3 if the (ancient) browser they have does not support SSL3. Website owners have often left it enabled as a convenience for older systems and the solution is to simply disable SSL altogether and move on. If your browser can talk TLS 1.1 or TLS 1.2 there is nothing to worry about.

In other words: You are being paranoid. Again.
omghi2u
join:2001-02-05
.

omghi2u to maartena

Member

to maartena
said by maartena:

said by Mele20:

Good that it is down as TWC is VULNERABLE to the POODLE exploit! I hope TWC took the server down to fix it. TWC shockingly only gets a "C" rating from Qualys, whereas, Comcast gets an A-.

»Re: Disappointing industry response to SSL poodles

What surprises me more then anything, is your willingness to continue to post on a site that scored an F!! (dslreports that is...)

All his base belong to us. H4x0R.

DocDrew
How can I help?
Premium Member
join:2009-01-28
SoCal
Ubee E31U2V1
Technicolor TC4400
Linksys EA6900

4 edits

1 recommendation

DocDrew to Mele20

Premium Member

to Mele20
said by Mele20:

Additionally, this site has NO information about me!

There is enough information about you on this site that I know your full name, home address, and I'd recognize you if I saw your 5'3", 104 lb., chipped tooth self wearing your heavy gold Hawaiian heirloom bracelet engraved with your name in Hawaiian driving in your 2012 Raspberry Metallic Blue Honda Fit to go shopping at KTA, Safeway, or Walmart. No need for SSL hacking when you just post it all for everyone to see.
said by Mele20:

...I wanted to use the TVEverywhere apps..But I can't because only Fx 15 works according to the TWC app team (or IE any version - rather obvious that Microsoft got paid off by TWC), or an old version of Chrome.

Please stop with this crap. TWC TV Everywhere works on Fx 10+, Chome 10+, IE 9+, and Safari 4+. That's straight from the TWC TV Everywhere page.
said by Mele20:

In regards to SECURITY AND SAFETY Comcast wins hands down when compared to TWC. Stupid comments, designed to deflect the REAL ISSUE, like the comment by hobgoblin See Profile just emphasize how pathetic TWC is when it comes to the security and privacy of the user. The site has been back up for awhile and TWC flipped all users the middle finger as, according to Qualys, they did nothing to fix the security problems while down.

Really to check security you have to check multiple sites and it isn't always obvious which one is actually handling login information. Just check the front page of the main sites may give you a false sense of security...

As you said, www.timewarnercable.com currently has problems:
»www.ssllabs.com/ssltest/ ··· wctv.com
Myservices.timewarnercable.com is even worse according to Qualys SSL Labs (whose business is in SSL security services and may benefit from these tests):
»www.ssllabs.com/ssltest/ ··· able.com


Comcast isn't perfect either:


I hope you've checked all your other online account sites... Bank of Hawaii has some problems too, they only rate a C.
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20 to maartena

Premium Member

to maartena
Why do you assume I am a naive idiot? I am fully aware of everything you thought I knew nothing about.

Mozilla may or may not patch Fx 31.2 ESR because many enterprises use SSL-3 in their intranets so Mozilla has called for responses via the listserv to determine whether or not they should patch Fx 31.2 ESR (which I have not even upgraded to because there is a nasty bug that just resurfaced in the installer if you upgrade internally from Fx 24.8.1 ESR. Plus, Australlis is an abomination any sensible user would avoid). Pale Moon is my default browser.

Nonetheless, I have fixed all browsers on both computers as best I can. Plus, I fixed Thunderbird and Java. But with bad, IRRESPONSIBLE server owners there are still ways for an attacker to get around the current fixes. A RESPONSIBLE server owner will fix the problem. Instead of pooh-poohing my concern you need to educate yourself (go read our Security forum threads on this issue) and you need to be asking why your ISP is too lazy to get better than a C rating at Qualys. There are several problems security wise with the TWC server. At least Comcast has some responsible people as their server gets a A- at Qualys. Your naive reply about just not using SSL-3 reveals your great ignorance on this subject. Even though I have LONG HAD --FOR YEARS---SSLv-3 disabled in my browsers that matters not at all if the servers remain irresponsible and don't fix it there. Again, please educate yourself before accusing me of being a responsible person which you feel no one should be. What is your REAL agenda? You always support TWC being irresponsible when it comes to security and you try to smear those who are being responsible.

maartena
Elmo
Premium Member
join:2002-05-10
Orange, CA

maartena

Premium Member

said by Mele20:

What is your REAL agenda?

Obviously, it is to make you even more paranoid then you already are..... You act the world of security is going to end every time a flaw is found. Yes this is a serious flaw, but it really isn't affecting anyone that is using a modern OS and a modern browser.
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20

Premium Member

Why are you promoting a blatant lie?

POODLE AFFECTS ANYONE USING A MODERN OS AND MODERN BROWSER IF THE SERVER THEY CONNECT TO IS VULNERABLE TO POODLE. Why are you unable to understand this? Yes, Mozilla will fix this for Fx34 but NOT for earlier versions and may not fix it for Enterprise version that I will be upgrading to (once the installer crash bug is fixed). It doesn't matter if the user has fixed it in their browsers. That is not sufficient. This is a much worse security issue than the BEAST because an attacker can force any browser to downgrade to SSLv3 if the server supports SSLv3. (TLS_FALLBACK_SCSV indicator is NOT supported by TWC server and will not be supported in Fx until next year. Plus, BOTH browser AND server must support TLS_FALLBACK_SCSV indicator for it to work. So, TWC users of Chrome are NOT protected either since TWC server has NOT bothered to support this protection).

What we should be discussing here, and that you are trying to deflect discussion away from, is that TWC needs to disable SSL3 immediately in their server. Or at the least, they should have the server support TLS_FALLBACK_SCSV indicator which will currently protect only Chrome users (Fx next year but not ESR current version 31). If they are concerned about IE 6 users then they need to grow up and act like a real ISP and HELP the IE6 users to show them where to enable TLS 1.0 for IE6. There is NO REASON for any server to continue to support SSLv3. All ISPs need to act responsibly to help their IE6 users in regards to this issue. The real reasons why SSLv3 has not been disabled long ago in servers is because (1) laziness and irresponsibility and (2) no one wants to have IE6 people not able to connect to their server. IE 6 users simply need to disable SSLv3 in the browser and enable TLS 1.0 but most don't have the slightest idea how.

So, do you feel that the ISP has no responsibility toward its users to help the ignorant ones which then helps ALL users because we all suffer until next year if servers continue to enable SSLv3? You don't mind if you get owned? It is also because of irresponsible server owners that the inferior, old, buggy TLS v1 MUST be enabled in all browsers. In Pale Moon 25 if you try to disable TLSv1 and have TLSv1.1 as minimum Pale Moon reverts it back to TLS 1.0. Some browsers let you disable TLS 1.0 successfully but when I have done that, a lot of sites won't load. (So much for your belief that "modern" browsers don't have these problems or modern OSes. I have Windows 8 Pro and Win 10 Preview and I use the latest versions of Pale Moon, IE, Sea Monkey and would have already upgraded Fx 24.8.1 ESR but there has been a regression in the Fx installer which just reared its ugly head a day or so ago when Mozilla released 31.2ESR to internal upgrade so I am waiting for a fix before using the internal upgrader).

Some users in the Fx thread here on this issue are reporting today that after they disabled SSLv3 in Fx that they can't connect to their bank (or to this site via a secure connection). One person found that their bank is still supporting SSLv2! I can't connect here via secure connection unless I enable TLSv1 and that is OLD and full of holes. I don't want a secure connection to a forum...bank, yes, forum no so the issue is moot for me but for those who want the entire Internet behind SSL ....well...

"As a web site operator, you should disable SSL 3 on your servers as soon as possible. You need to do this even if you support the most recent TLS version because an active MITM attacker can force browsers to downgrade their connections all the way down to SSL 3, which can then be exploited. In normal operation, SSL 3 shouldn't needed by the vast majority of sites. Although it's likely that there's a long tail of clients that don't support anything better, Internet Explorer 6 on Windows XP is potentially the biggest user segment that still relies on SSL 3. Options are to guide users to manually enable TLS 1.0 (IE6 supports it, but not by default) or upgrade to other browsers. In the short term, it's possible to mitigate POODLE by avoiding using CBC suites with SSL 3, but that involves relying on a certain insecure stream cipher whose name no one wants to mention."

»community.qualys.com/blo ··· e-attack

maartena
Elmo
Premium Member
join:2002-05-10
Orange, CA

maartena to Mele20

Premium Member

to Mele20
Mele20, you should really learn to relax and take a chill pill. Seriously.

Yes it is serious flaw, No the world is not on FIRE like you claim every time some security breach is found.

I'm sure the TWC folk will get around to it without you screaming at their asses. And as long as they don't, why don't you simply stop using the MyAccount website, or log in just ONCE, setup auto pay, and call it a day. As far as other sites go, they will learn the hard way if they don't fix themselves.

Stop being so paranoid about everything. Please.

And regarding earlier comments regarding this site's security, it really doesn't take a genius to find out information about you, especially on sites like this that plain-texts everything to Google and allows anonymous posting. It's not going to be real hard to find out information about me either.
omghi2u
join:2001-02-05
.

omghi2u

Member

said by maartena:

Mele20, you should really learn to relax and take a chill pill. Seriously.

Yes it is serious flaw, No the world is not on FIRE like you claim every time some security breach is found.

I'm sure the TWC folk will get around to it without you screaming at their asses. And as long as they don't, why don't you simply stop using the MyAccount website, or log in just ONCE, setup auto pay, and call it a day. As far as other sites go, they will learn the hard way if they don't fix themselves.

Stop being so paranoid about everything. Please.

And regarding earlier comments regarding this site's security, it really doesn't take a genius to find out information about you, especially on sites like this that plain-texts everything to Google and allows anonymous posting. It's not going to be real hard to find out information about me either.

I wouldn't waste your breath any longer on this guy. Just add him to your ignore list like I just did.

maartena
Elmo
Premium Member
join:2002-05-10
Orange, CA

maartena

Premium Member

said by omghi2u:

said by maartena:

Mele20, you should really learn to relax and take a chill pill. Seriously.

Yes it is serious flaw, No the world is not on FIRE like you claim every time some security breach is found.

I'm sure the TWC folk will get around to it without you screaming at their asses. And as long as they don't, why don't you simply stop using the MyAccount website, or log in just ONCE, setup auto pay, and call it a day. As far as other sites go, they will learn the hard way if they don't fix themselves.

Stop being so paranoid about everything. Please.

And regarding earlier comments regarding this site's security, it really doesn't take a genius to find out information about you, especially on sites like this that plain-texts everything to Google and allows anonymous posting. It's not going to be real hard to find out information about me either.

I wouldn't waste your breath any longer on this guy. Just add him to your ignore list like I just did.

She is a she. Her name is Marilyn :P