Re: Re: Government of Mauritius website allows weak security

From: Loganaden Velvindron <loganaden_at_gmail.com>
Date: Mon, 29 Jun 2015 16:49:22 +0400

On Mon, Jun 29, 2015 at 4:02 PM, Ish Sookun <ish_at_hacklog.in> wrote:
> Sorry. I missed the mailing list earlier.
>
> -------- Forwarded Message --------
> Subject: Re: Government of Mauritius website allows weak security
> Date: Mon, 29 Jun 2015 14:30:32 +0400
> From: Ish Sookun <ish_at_hacklog.in>
> Reply-To: ishwon_at_openSUSE.org
> To: S Moonesamy <sm+mu_at_elandsys.com>
>
> Hi SM,
>
> On 6/29/15 1:38 PM, S Moonesamy wrote:
>>
>>
>> The document about "Proposed Standard" is at
>> http://www.rfc-editor.org/rfc/rfc7127.txt
>
>
> Yes, thanks. It mentions "updates 2026".
>
>>
>> The following is from a Supreme Court document in which you are
>> mentioned: "He went on to explain that it is possible to have access to
>> the MNIS database through a proxy attack – which is an indirect attack –
>> via the government portal". What level of security would someone
>> recommend for https://www.govmu.org ? How about the level of security
>> recommended for https://mail.govmu.org ? For the average user, security
>> might be about seeing the "padlock" or "https" in the address bar of the
>> web browser. Is that a reason to ignore RFC 7465? :-)
>>
>
> That would be a good reason for not giving biometric data to the
> government :-) www.govmu.org responds from 202.123.27.113 and
> mail.govmu.org responds from 202.123.27.102. Both of them accept
> TLS_RSA_WITH_RC4_128_MD5.
>
> I mentioned that one applies RFC 7465 unless there is a reason for not
> doing so. Does the government have one? Hmm. That should be asked of the
> related government agency.
>

I think that there is a problem if the government is not following
best practices when it comes to Internet security, in a systematic
way. Does the government participate in the IETF, and attempt to
follow best practices? I haven't met a single guy doing it. They are
more interested in ITU :)


> While developing a proxy solution for a customer, I came across a
> serious bottleneck whereby the customer was using Internet Explorer to
> access HSBC Online Banking. If I'd cut off SSL support the customer
> could no longer access online banking. The temporary solution was to show
> a disclaimer to the customer's users that the transaction might not be
> secure enough because of SSL support.
>

Well, we have to be precise when we speak about ciphers and the
transport layer. I can cut off SSL support and allow only TLS, and
with a recent version of Internet Explorer I would still be able to
connect securely.

"might not be secure enough because of SSL support" is pretty vague
from an engineering point of view ...


> In the earlier email, I mentioned MCB Internet Banking (ib.mcb.mu)
> supports TLS_RSA_WITH_RC4_128_MD5. I would expect the Mauritius
> Commercial Bank to be more security conscious than government agencies.
>

Both need to be equally secure, in my humble opinion. Given the huge
amount of money spent to "redesign" the website, I expected better.


> Thanks for mentioning the Bar Mitzvah Attack :
> https://www.blackhat.com/docs/asia-15/materials/asia-15-Mantin-Bar-Mitzvah-Attack-Breaking-SSL-With-13-Year-Old-RC4-Weakness-wp.pdf
>



>
> Regards,
>
> --
> Ish Sookun
>
> - Geek by birth, Linux by choice.
> - I blog at HACKLOG.in.
>
> https://twitter.com/IshSookun ^^ Do you tweet?
>
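The distinction drawn above between the protocol version (SSLv3 versus TLS 1.x) and the cipher suite (TLS_RSA_WITH_RC4_128_MD5, IANA value 0x0004) can be checked directly on the wire. The following is an added example written for this archive page; it is not code from either poster. It builds a TLS ClientHello that offers only the cipher suites you choose, parses the ServerHello (or alert) that comes back, and reports the version and the cipher separately, so "accepts RC4" and "accepts SSLv3" are two different findings. The cipher-suite and alert numbers are the registered IANA values; RFC 7465 is the RC4 prohibition discussed in the thread, and RFC 7568 (June 2015) is the SSLv3 deprecation. The `probe()` function needs network access; the `build_server_hello()` helper only fabricates a reply for offline use and is labelled as such. Python 3, standard library only.

```python
"""Added example, not code from the thread: build a TLS ClientHello that
offers only chosen cipher suites and parse the ServerHello that comes back,
so that protocol version (SSLv3 vs TLS 1.x) and cipher suite (RC4 or not)
are reported separately.  Standard library only (Python 3)."""
import os
import socket
import struct
import sys

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
RC4_SUITES = {                       # IANA values; the first is the one named in the thread
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}


def build_client_hello(version, suites, server_name=None, random_bytes=None):
    """Return one TLS record carrying a ClientHello that offers exactly `suites`."""
    rnd = os.urandom(32) if random_bytes is None else random_bytes
    body = struct.pack("!H", version) + rnd + b"\x00"          # version, random, empty session id
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(suite_bytes)) + suite_bytes
    body += b"\x01\x00"                                        # compression methods: null only
    if server_name is not None and version > 0x0300:           # SSLv3 has no extensions
        host = server_name.encode("idna")
        sni_list = b"\x00" + struct.pack("!H", len(host)) + host
        sni_ext = struct.pack("!HH", 0x0000, len(sni_list) + 2) + struct.pack("!H", len(sni_list)) + sni_list
        body += struct.pack("!H", len(sni_ext)) + sni_ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    record_version = 0x0300 if version == 0x0300 else 0x0301   # legacy record-layer version
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake


def parse_server_hello(record):
    """Parse the first record of the server's reply: a ServerHello or an alert."""
    content_type, _, rec_len = struct.unpack("!BHH", record[:5])
    payload = record[5:5 + rec_len]
    if content_type == 21:                                     # alert: level, description
        return {"alert": payload[1], "alert_name": ALERTS.get(payload[1], "unknown")}
    if content_type != 22 or payload[0] != 2:                  # handshake, type 2 = ServerHello
        raise ValueError("not a ServerHello")
    body = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    version = struct.unpack("!H", body[:2])[0]
    cipher_offset = 35 + body[34]                              # skip version, random, session id
    cipher = struct.unpack("!H", body[cipher_offset:cipher_offset + 2])[0]
    return {"version": version, "version_name": VERSIONS.get(version, hex(version)), "cipher": cipher}


def assess(result):
    """Report version and cipher problems separately; an empty list means nothing flagged."""
    if "alert" in result:
        return ["server refused the offer: alert %d (%s)" % (result["alert"], result["alert_name"])]
    findings = []
    if result["version"] == 0x0300:
        findings.append("negotiated SSLv3 (deprecated by RFC 7568)")
    if result["cipher"] in RC4_SUITES:
        findings.append("selected %s (prohibited by RFC 7465)" % RC4_SUITES[result["cipher"]])
    return findings


def build_server_hello(version, cipher, session_id=b""):
    """Constructed ServerHello record for offline use; no real server was involved."""
    body = struct.pack("!H", version) + bytes(32) + bytes([len(session_id)]) + session_id
    body += struct.pack("!H", cipher) + b"\x00"                # chosen cipher, null compression
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


def probe(host, port, version, suites, timeout=5.0):
    """Send the ClientHello over TCP and assess the first record back (network use only)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version, suites, server_name=host))
        header = sock.recv(5)
        _, _, rec_len = struct.unpack("!BHH", header)
        payload = b""
        while len(payload) < rec_len:
            chunk = sock.recv(rec_len - len(payload))
            if not chunk:
                break
            payload += chunk
        return assess(parse_server_hello(header + payload))


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: rc4probe.py <hostname>")
    for version in (0x0300, 0x0303):      # offer RC4-MD5 alone, once under SSLv3 and once under TLS 1.2
        print(VERSIONS[version], "->", probe(sys.argv[1], 443, version, [0x0004]))
```

Run against a host to see the two questions answered independently: a server that answers the TLS 1.2 offer with handshake_failure but the SSLv3 offer with a ServerHello has an SSLv3 problem, not an RC4 one, while a server that selects 0x0004 under TLS 1.2 has exactly the RFC 7465 problem the thread describes. A current Internet Explorer connecting over TLS 1.2 with a non-RC4 suite would be flagged by neither check.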
>
>
Received on Mon Jun 29 2015 - 12:49:38 PST
