Verizon Web Site NOT Secure?
RobLP
Enthusiast - Level 2
The Verizon web site security seems wanting. See this test connection report for www.verizon.com: https://www.ssllabs.com/ssltest/analyze.html?d=verizon.com&s=23.56.10.120 Could someone from Verizon explain what is going on here?? Thanks.
0 Likes
Re: Verizon Web Site NOT Secure?
tns2
Community Leader
Community Leader

A bit sloppy on Verizon's part but not  really insecure. 

The report is based on the fact that Verizon accepts sslv2 connections which is broken.  I guess they just want everyones business even those using very old PC's with very old browsers.  SSLv3 support was added in Netscape 2.x and Internet Explorer 3.x.

But all current browsers are set to not use SSL V2 (internet explorer v7 or later has the option to use it but it defaults to not checked), and so will connect securely.

0 Likes
Re: Verizon Web Site NOT Secure?
RobLP
Enthusiast - Level 2

I appreciate your reply.

1) I still think SSL 2.0 should be disabled on a servers, meaning no connection allowed with its cryptographically broken key negotiation. I realize up-to-date OSs and browsers 'prefer' a better secure connection; however, Verizon (Akamai) servers still allow its use whie best security practices say to disable it.

If Verizon has concerns about refusing a connection to an SSL-2.0-only browser, I recommend using an intercept page to enlighten the customer to their vulnerability, and perhaps suggesting to them/pointing them to a fix-it page. Letting Verizon servers use an insecure protocol seems irresponsible.

2) Regardless of the foregoing, Verizon owes it to customers to eliminate the BEAST vulnerability, which is being actively exploited on the Internet as we speak.

0 Likes