curtisv's profile
Thursday, February 9th, 2017 6:00 AM

SSL/TLS on Comcast support web forums

There are issues with Comcast support forum sites' authentication going through servers that support very old and very insecure SSL/TLS versions. This seems to be just an oversight in not upgrading software on those web servers.

Just a reminder: fairly early in the web's widespread adoption, in February 1995, Secure Socket Layer (SSL) version 2 (SSLv2) was defined. Version 1 was never published due to serious security flaws. In 1996 SSL version 3 (SSLv3) was defined to address flaws discovered in SSLv2. SSL was replaced by Transport Layer Security (TLS). TLS 1.0 was published in 1999, TLS 1.1 in 2006, and TLS 1.2 in 2008. TLS 1.3 is expected to be published in 2017.

Please take a look at:

https://www.ssllabs.com/ssltest/analyze.html?d=login.comcast.net&latest

https://www.ssllabs.com/ssltest/analyze.html?d=pingsso.lithium.com&latest

These rate two web servers referenced when posting to these forums. The first is Comcast-run and has poor security. It does use TLS 1.2 but with limited FS ciphers. The second is referenced for some reason and supports only TLS 1.0 and SSLv3 (SSLv3 should be completely deprecated by now) and supports only one known vulnerable cipher.

The latter is the more severe problem and would be fixed more quickly (by Lithium) if Comcast support, as a paying Lithium customer, put in a ticket with Lithium. Right now only TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA (no FS) is supported, which is vulnerable to the POODLE attack (google it or use Wikipedia).

The bottom line is that with a newer browser set to disable known insecure protocol versions and ciphers, it is not possible to post to the forums. These settings will become more common. I'm using a laptop with an older browser to post here.

Curtis

8 years ago

A bit of an update. If you try to connect to forums.businesshelp.comcast.com with HTTPS you will notice that there is no connection on port 443. See the SSL Labs eval of forums.businesshelp.comcast.com for example, or just try to connect to https://forums.businesshelp.comcast.com .

There is a slight change in behaviour. I can now connect and submit to this forum if I've logged in via business.comcast.com and I enable TLS 1.0 (moderately insecure, but...). This didn't work before, but if HTTPS was dropped then it may not be tripping on an XSS (cross site scripting) browser security check.

It's worth noting that the SSL Labs eval of business.comcast.com is rated B->F due to having RC4 and DES_CBC enabled (both insecure).

Someone at Comcast needs to review their security settings on the web servers. If using Apache, it's SSLProtocol, SSLProxyProtocol, and SSLCipherSuite. For services like the forum hosted by lithium.com, Comcast needs to complain to Lithium and get this fixed. The pingsso.lithium.com eval problem and lack of HTTPS on the forum site are lithium.com problems.
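As an added example, not code from the thread or from Comcast or Lithium, here is a Python check for the two problems the posts above describe (suites without forward secrecy, and RC4/DES-class suites), plus a server-side context with the settings they ask for: SSLv3/TLS 1.0/1.1 off and only ephemeral-key-exchange AEAD suites on. The cipher names in the sample list are constructed to mirror the SSL Labs findings quoted in the thread; the `audit`, `hardened_server_context` and `audit_context` names are this example's own.

```python
"""Audit TLS cipher suites for the weaknesses discussed in the thread and
build a hardened server context. Assumes an OpenSSL-backed Python ``ssl``."""
import re
import ssl

# Ciphers the thread calls out (RC4, DES/3DES) plus the usual NULL/EXPORT/MD5 suspects.
WEAK = re.compile(r"RC4|(^|[_-])DES|3DES|NULL|EXPORT|MD5", re.I)
# Forward secrecy ("FS" in the posts) needs an ephemeral (EC)DHE key exchange.
FS = re.compile(r"^(EC)?DHE[_-]", re.I)
# TLS 1.3 suites (IANA names) always use an ephemeral key exchange.
TLS13_PREFIXES = ("TLS_AES_", "TLS_CHACHA20_")


def audit(cipher_names):
    """Return {name: [problems]} for suites that are weak or lack forward secrecy.
    Accepts IANA names (TLS_RSA_WITH_...) or OpenSSL names (ECDHE-RSA-...)."""
    findings = {}
    for name in cipher_names:
        problems = []
        if WEAK.search(name):
            problems.append("weak cipher")
        # Strip the IANA "TLS_" prefix so both naming styles start at the key exchange.
        bare = name[4:] if name.startswith("TLS_") else name
        if not name.startswith(TLS13_PREFIXES) and not FS.search(bare):
            problems.append("no forward secrecy")
        if problems:
            findings[name] = problems
    return findings


def hardened_server_context():
    """Server context equivalent to a strict Apache SSLProtocol/SSLCipherSuite:
    TLS 1.2 as the floor, AEAD suites only, ephemeral key exchange only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # disables SSLv3, TLS 1.0 and 1.1
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!RC4:!DES:!3DES")
    return ctx


def audit_context(ctx):
    """Audit the TLS 1.2 suites a context would actually offer
    (TLS 1.3 suites are always forward secret and are skipped)."""
    names = [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    return audit(names)


if __name__ == "__main__":
    # Constructed sample mirroring the SSL Labs findings in the posts above.
    sample = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA",
              "TLS_RSA_WITH_DES_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
    print("sample:", audit(sample))
    print("hardened:", audit_context(hardened_server_context()))
```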


8 years ago

Yeah it's bad. I've tried to get someone to take notice before.