Broadband provider and website security: bizarre?

Hi,
I must admit I don’t know too much about security in general, but my friends and I are mystified by something someone we know is claiming.

She has joined broadband service “X” (I don’t want to say who unless it’s really important). She says the engineer who came to her house confided in her that X is “the least secure of all the broadband providers” and that “websites like ebay and amazon have beefed up their security lately with new technology and the X network is too outdated to handle it properly”.

Now us 3 geeky types are completely confused. We have tried to ask questions to understand what she could mean. If she is right then surely that would be something anyone concerned with web security should know (I do design websites and obviously have one of my own, although I’m no security expert).

The possibilities I could think of were (in no special order):

  • he was talking about a browser that comes with the service. She mentioned AOL (although that’s not the broadband provider) and I picked up on that and queried if he maybe meant the AOL browser. We are used to security holes in browsers (thinking of IE). Unfortunately my friend doesn’t understand the difference between a browser, an operating system and the internet, so this line of enquiry got nowhere.

  • he was talking about wireless router security and encryption keys etc. I know some networks are notorious for using the same default passwords for everyone or perhaps their routers are out of date (using WEP for example). But if that’s the case she shouldn’t worry because she has bought her own brand new router anyway, and between us we could help her set it all up properly. However, provider X recently won an award for the security that they have on their wireless routers, so it’s probably not that.

  • something to do with https? But that’s not “new technology”. And I’m hazy on the details but I thought the point was that the packets of data were encrypted. Then I remembered “secure sockets” and wondered if there was somewhere other than the server and the client where there could be a security hole. I know I should know all this, but it’s not something I’ve thought about in ages (none of the sites I have been working on lately need so much as a login form, and I’ve been up since 3am anyway).

  • some kind of crazy newfangled html5 webby stuff? No, I can’t think why. But it’s “new technology”.

  • something to do with ajax. She did mention “speed”. But no “broadband provider” is going to be THAT slow are they? And ajax is just a method of doing things. And it’s not really “new technology”. Security holes would be down to vulnerabilities in the script rather than the broadband provider’s technology, wouldn’t they?

Look I know this is really vague and no, it probably makes no sense whatsoever. There’s obviously a chance that this “engineer” was talking rubbish. But my friend is now CONVINCED that this must be absolutely true and her broadband provider is rubbish and really “insecure”.

Does anyone out there know of ways in which the broadband provider can affect website security (in the sense of a user making online purchases, not in the sense of someone hacking your website per se)??? Other than dodgy old routers with out of date wireless encryption or dodgy out of date browsers?

It seemed to me like this was actually something worth knowing if she is right.

Sorry for being so fluffy about all this but this has 3 of us stumped, all with different experience and expertise. :blush:

If anyone can make any sense out of “new technology” “increased security” and “no point because my broadband provider is so out of date and insecure” we would love to hear it. Even if it’s only a guess … !

It sounds like the engineer didn’t really know what he was talking about, or just worded it exceptionally badly.

You could try searching for that provider (especially looking at forum posts) and see what you find. It could be a load of nonsense, or it could be something very serious.

yeah, I did a really brief search earlier and all I came up with was that they won an award for their wireless security. I’ll do a more specific search in an hour or two.

Your thoughts are essentially the same as mine - either the engineer was talking rubbish OR it’s something REALLY SERIOUS.

The only reason it’s become such a hot topic is that my friend now has a bee in her bonnet and essentially has a fixed idea in her head that the engineer is the expert and must be right. So because none of us are actually experts in web security, we just have to back off after a point as the only option left is to say “look he doesn’t know what he’s talking about”.

A lot of the time the broadband people who come to your house have just done a short course themselves. OR they get the inside track … perhaps … I should think ebay would want to know … !

hmm … I’ve been looking, and what does seem to be the case is this:

broadband provider X offers a service called “X Online Security” which is essentially antivirus software / firewall. This is made by F-secure.

(yes that’s enough to find out who X is if you care).

Around 2005 or 2006 there was a security flaw in F-secure software and they issued a patch. Symantec had done the same a couple of months earlier.

Last year (2010) there were XSS vulnerabilities found on the F-secure website, as well as some other security companies.

Put all this together and I guess the engineer was talking about an antivirus product, NOT the broadband. And his information was out of date - maybe something he learned when he trained. Or he has heard about these things but not understood them.

Garbled tales about “technology not updated” probably means something like they update their virus definitions later than e.g. Norton. You can look up tables of that stuff to see who tends to be first off the mark when a new virus hits. But it’s not exactly world-stopping stuff.

Say they are a little slower at updating virus definitions. That doesn’t bring the whole security of the internet into question. It doesn’t have anything to do with the coding of ebay’s website. It’s possibly true but I have yet to find any evidence of it anyway.

This is my working hypothesis at the moment.

Unfortunately without any other key terms to search for I’m afraid The Google just comes up with endless fluff. The only “problems” people seem to have with the “X Online Security” seem to be fluff caused by not knowing how to use their computer (at a fairly basic level).

Unfortunately my friend has managed to get herself really worked up about this and I doubt I will be able to get her to change her mind.


LATER: so much for that theory. I have been reading the pdfs comparing AV software on this site http://www.av-comparatives.org/index.php and F-secure consistently gets their top ranking of 3 stars.

It seems the engineer was talking rubbish. I would certainly think one of the knowledgeable people here would have been able to think of something straight away otherwise.

To be honest if it was a forum rather than physical reality I would probably have just told our friend that straight away. But in Real Life one tends to be less … direct … !

Well, that sucks. I was looking forward to some juicy tech gossip. Eh well, my quest lives on for another day… :lol:

Well, it’s good to see nothing has come up so far. If the problem was serious, it would most likely have been noted by users. If anything DOES appear to be flawed, let us know so we at Sitepoint could be aware of it.

Regards,
Jake

me too, half expected there to be some really nerdy explanation about phone exchanges or something.

yes, and the deafening silence really speaks for itself. Unless a scandal breaks about this soon I think it’s fairly safe to assume that this is not true.

Quite possibly it was just the equivalent of someone saying “of course Norton is much better than Kaspersky because [insert opinion here]” only they were talking to someone who (seriously) spent 10 minutes insisting to me that they don’t have an operating system installed on their computer (I was trying to help them work out why they couldn’t get online), and then 2 minutes later reacted angrily to me mentioning there were some issues with XP (I had wanted to check she had the service pack) with “I’ve got Windows 7!!!”

You couldn’t make it up. You really, really couldn’t. Bless her, :lol: