Full Disclosure mailing list archives

Intercepting Southern California Gas Company user credentials... (socalgas.com)


From: Kristian Erik Hermansen <kristian.hermansen () gmail com>
Date: Fri, 21 Aug 2009 13:40:07 -0700

...should be pretty easy ;-)  Company has been notified many times
privately of this issue, but they appear incompetent.  Time for public
shaming.
"""
$ sslscan myaccount.socalgas.com | grep NULL
    Accepted  SSLv3  0 bits    NULL-SHA
    Accepted  SSLv3  0 bits    NULL-MD5
    Accepted  TLSv1  0 bits    NULL-SHA
    Accepted  TLSv1  0 bits    NULL-MD5
"""

NULL cipher SSL/TLS presents the illusion of security and customers
should be aware that their credentials are easily intercepted.  Wanna
shut off someone's gas in Los Angeles?  :-)
-- 
Kristian Erik Hermansen

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
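What the sslscan lines above show is that the server will negotiate a cipher suite with no encryption at all (NULL-SHA and NULL-MD5 are integrity-only), so the login form travels as readable plaintext despite the https:// URL. The following is an added example, not code from the original post or from anyone at Southern California Gas: a minimal TLS 1.0 ClientHello that offers only the two NULL suites, plus a ServerHello parser that reports whether the server accepted one. The ServerHello and alert bytes in the block are constructed locally so it runs offline; the `probe()` helper is the only part that touches the network and is an assumption about how one would run it against a live host.

```python
"""Probe a TLS server for NULL (0-bit) cipher suites by hand-building the handshake.

Added example for the sslscan finding above. The server replies below are
constructed test vectors, not captures from socalgas.com.
"""
import socket
import struct

# IANA cipher suite IDs for the two suites sslscan reported (OpenSSL names in comments).
NULL_SUITES = {
    0x0001: "TLS_RSA_WITH_NULL_MD5",  # NULL-MD5
    0x0002: "TLS_RSA_WITH_NULL_SHA",  # NULL-SHA
}
TLS10 = (3, 1)


def build_client_hello(suites, version=TLS10):
    """Return a TLS record carrying a ClientHello that offers only `suites`."""
    client_random = b"\x00" * 32  # constructed: fixed random for determinism
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        bytes(version)
        + client_random
        + b"\x00"                                  # session_id length 0
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                              # one compression method: null
    )
    # Handshake header: type 1 (ClientHello) + 3-byte length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 0x16 (handshake) + version + 2-byte length.
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def build_server_hello(suite, version=TLS10):
    """Constructed ServerHello record selecting `suite` (used as offline test data)."""
    body = bytes(version) + b"\x00" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = b"\x02" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


# Constructed fatal handshake_failure alert: what a sane server sends to a NULL-only offer.
SAMPLE_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"


def parse_server_hello(data):
    """Return the cipher suite ID chosen in a ServerHello, or None on alert/garbage."""
    if len(data) < 5:
        return None
    content_type = data[0]
    rec_len = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if content_type == 0x15:  # Alert: server refused the offered suites
        return None
    if content_type != 0x16 or len(payload) < 4 or payload[0] != 0x02:
        return None
    hs_len = int.from_bytes(payload[1:4], "big")
    hello = payload[4:4 + hs_len]
    # version(2) + random(32) + session_id_len(1) + session_id + cipher_suite(2)
    if len(hello) < 35:
        return None
    sid_len = hello[34]
    off = 35 + sid_len
    if len(hello) < off + 2:
        return None
    return struct.unpack("!H", hello[off:off + 2])[0]


def accepts_null_cipher(server_reply):
    """Name of the NULL suite the server negotiated, or None if it declined."""
    suite = parse_server_hello(server_reply)
    return NULL_SUITES.get(suite) if suite is not None else None


def probe(host, port=443, timeout=5):
    """Send the NULL-only ClientHello to a live host (network; not run offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(list(NULL_SUITES)))
        return accepts_null_cipher(sock.recv(4096))


if __name__ == "__main__":
    print("vulnerable server ->", accepts_null_cipher(build_server_hello(0x0002)))
    print("hardened server   ->", accepts_null_cipher(SAMPLE_ALERT))
```

A server that accepts this ClientHello will then carry the HTTP request, password included, in records with no confidentiality; the same check can be done with `openssl s_client -connect host:443 -cipher NULL-SHA`. The fix on the server side is to exclude `eNULL` (and `aNULL`) from the configured cipher list; TLS 1.3 removed the NULL suites from the protocol entirely.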
