Fwd: Re: Government of Mauritius website allows weak security

From: Ish Sookun <ish_at_hacklog.in>
Date: Mon, 29 Jun 2015 16:02:01 +0400

Sorry. I missed the mailing list earlier.

-------- Forwarded Message --------
Subject: Re: Government of Mauritius website allows weak security
Date: Mon, 29 Jun 2015 14:30:32 +0400
From: Ish Sookun <ish_at_hacklog.in>
Reply-To: ishwon_at_openSUSE.org
To: S Moonesamy <sm+mu_at_elandsys.com>

Hi SM,

On 6/29/15 1:38 PM, S Moonesamy wrote:
>
> The document about "Proposed Standard" is at
> http://www.rfc-editor.org/rfc/rfc7127.txt

Yes, thanks. It mentions "updates 2026".

>
> The following is from a Supreme Court document in which you are
> mentioned: "He went on to explain that it is possible to have access to
> the MNIS database through a proxy attack – which is an indirect attack –
> via the government portal". What level of security would someone
> recommend for https://www.govmu.org ? How about the level of security
> recommended for https://mail.govmu.org ? For the average user, security
> might be about seeing the "padlock" or "https" in the address bar of the
> web browser. Is that a reason to ignore RFC 7465? :-)
>

That would be a good reason for not giving biometric data to the
government :-) www.govmu.org responds from 202.123.27.113 and
mail.govmu.org responds from 202.123.27.102. Both of them accept
TLS_RSA_WITH_RC4_128_MD5.

I mentioned that one applies RFC 7465 unless there is a reason for not
doing so. Does the government have one? Hmm. It should be asked of the
relevant government agency.

While developing a proxy solution for a customer, I came across a
serious bottleneck whereby the customer was using Internet Explorer to
access HSBC Online Banking. If I'd cut off SSL support, the customer
could no longer access online banking. The temporary solution was to show
a disclaimer to the customer's users that the transaction might not be
secure enough because of SSL support.

In the earlier email, I mentioned MCB Internet Banking (ib.mcb.mu)
supports TLS_RSA_WITH_RC4_128_MD5. I would expect the Mauritius
Commercial Bank to be more security conscious than government agencies.

Thanks for mentioning the Bar Mitzvah Attack:
https://www.blackhat.com/docs/asia-15/materials/asia-15-Mantin-Bar-Mitzvah-Attack-Breaking-SSL-With-13-Year-Old-RC4-Weakness-wp.pdf

Regards,

-- 
Ish Sookun
- Geek by birth, Linux by choice.
- I blog at HACKLOG.in.
https://twitter.com/IshSookun ^^ Do you tweet?
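The thread turns on one concrete finding: both government hosts accept TLS_RSA_WITH_RC4_128_MD5, which RFC 7465 prohibits. The following is an added example, not part of the email and not the author's code, showing how a defender would audit a list of cipher suites that a scanner reports a server accepting, flag the RC4 (RFC 7465) and MD5 problems, and build a client context that refuses such suites. The suite list is constructed for illustration (only the first entry comes from the email); the helper names are assumptions.

```python
"""Audit reported TLS cipher suites against RFC 7465 (no RC4) and related weaknesses."""
import re
import ssl

# Constructed sample of suites a scanner might report. The first is the suite
# named in the thread; the rest are common suites added as an assumption.
SAMPLE_OFFERED = [
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]

# IANA suite names follow TLS_<kex>_WITH_<cipher>_<mac/prf>; this regex splits them.
_SUITE_RE = re.compile(
    r"^TLS_(?P<kex>[A-Z0-9_]+?)_WITH_(?P<cipher>[A-Z0-9_]+?)_(?P<mac>MD5|SHA|SHA256|SHA384)$"
)


def parse_suite(name):
    """Split an IANA suite name into (key exchange, bulk cipher, MAC/PRF)."""
    m = _SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised suite name: {name}")
    return m.group("kex"), m.group("cipher"), m.group("mac")


def audit_suite(name):
    """Return the list of weaknesses found in one suite (empty means acceptable)."""
    kex, cipher, mac = parse_suite(name)
    issues = []
    if "RC4" in cipher:
        issues.append("RC4 stream cipher: prohibited by RFC 7465")
    if "3DES" in cipher:
        issues.append("3DES: 64-bit block cipher")
    if mac == "MD5":
        issues.append("MD5-based MAC")
    if not kex.startswith(("DHE", "ECDHE")):
        issues.append("no forward secrecy (static RSA key exchange)")
    return issues


def audit(offered):
    """Map every reported suite to its list of issues."""
    return {suite: audit_suite(suite) for suite in offered}


def rfc7465_compliant(offered):
    """RFC 7465: servers MUST NOT select RC4 suites, so none may be on offer."""
    return not any("RC4" in parse_suite(s)[1] for s in offered)


# OpenSSL cipher string that excludes the weak families flagged above; an
# assumption about a sensible baseline, not a value taken from the email.
HARDENED_CIPHERS = "HIGH:!RC4:!MD5:!3DES:!aNULL:!eNULL"


def hardened_client_context():
    """Client-side context that will never negotiate the suites flagged here."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


if __name__ == "__main__":
    for suite, issues in audit(SAMPLE_OFFERED).items():
        print(suite, "->", "; ".join(issues) or "ok")
    print("RFC 7465 compliant:", rfc7465_compliant(SAMPLE_OFFERED))
    print("client will offer RC4:",
          any("RC4" in c["name"] for c in hardened_client_context().get_ciphers()))
```

Run against the two suites the thread names, the audit reports RC4 and MD5 for www.govmu.org's and mail.govmu.org's accepted suite and an RFC 7465 failure overall; feeding the output of a real scanner into `audit()` in place of the constructed list gives the same per-suite verdicts.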
Received on Mon Jun 29 2015 - 12:02:21 PST
