on 18-08-2015 04:49
Something I noticed at the weekend when I tried to log on to O2, and it also happened earlier. I don't have a screenshot, but Firefox failed to connect to O2, bringing up an error page with a message about "incompatible protocol". Strangely, it's not consistent: sometimes I can go through the login process without a hitch.
This must be a result of the change in Firefox 39, when support for SSL 3.0 was dropped. Firefox expects secure connections to use TLS 1.2, although it will allow downgrading to TLS 1.1 or 1.0.
The secure elements of the O2 site don't use TLS 1.2; Firefox and Chrome show they're using 1.0 instead. The same applies to other browsers, from IE8 to the new Microsoft Edge. In addition, Chrome (click on the green padlock to show the connection information) says, for example, "Your connection to accounts.o2.co.uk is encrypted using an obsolete cipher suite".
The login problem is caused by a failure to connect to identity.o2.co.uk, and so I ran a Qualys check on it. The results confirmed that this part of the site at least was insecure - see the output from the scan at https://www.ssllabs.com/ssltest/analyze.html?d=identity.o2.co.uk
If the same applies to other areas of the O2 site where a secure connection is required that means those areas that deal with account information, purchases and other important matters are potentially using an outdated and hackable protocol. Even TLS 1.0 is considered both weak and vulnerable to hacking.
Someone needs to attend to the website to bring it up to date and fix these security lapses, or sooner or later it could get compromised.
I looked for a way to report this to O2, and found no way to do it. There's nothing on the website to allow you to report a site problem, and unless you have an O2 mobile account the online chat is inaccessible. Even the O2 Facebook page is useless, being filled with PR puffery; anyone trying to ask anything of O2 runs up against what must be one or more lowly Tier-1 techs fending off their enquiries with a set of standard unhelpful responses. O2 is very bad at listening to people, all it seems to want to do is sell some new gizmo or service to you if you have a question or complaint.
In the end I sent a PM about this to Toby (and then discovered he's on holiday) and finally to MarinaP. All I'm concerned with is letting someone know about this who is able to get the attention of the distant suits somewhere upstairs. If this or my PMs do the trick, then good, job done. I've got other stuff I need to be getting on with; it's O2's job to look after its website and stop it being hacked, not mine.
Have a nice day, y'all. I'm clocking off now, it must be nearly rise-and-shine time for normal folks. So head-down-and-sleep time for me 😞
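As an added example (not from the original post), a small Python script that does by hand the two checks the post describes: it asks a host whether it will negotiate each TLS version, and grades the cipher it ends up with using a rule modelled on the criteria Chrome used for its "obsolete cipher suite" warning (TLS 1.2 or newer, ECDHE key exchange, AEAD cipher). The grading rule is this example's own summary of those criteria, and the host name is a placeholder.

```python
"""Probe which TLS versions a host accepts and grade the negotiated cipher.

Added example, not code from the original post. The grading rule is modelled
on Chrome's "obsolete cipher suite" criteria (TLS 1.2+, ECDHE, AEAD); whether
TLS 1.0/1.1 can even be offered depends on the local OpenSSL build.
"""
import socket
import ssl
import sys

# Versions to try, oldest first. Python's ssl.TLSVersion constants exist
# even when the underlying OpenSSL refuses to speak the older protocols.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def grade_cipher(protocol: str, cipher: str) -> str:
    """Return 'modern' or the first reason the connection counts as obsolete."""
    if protocol not in ("TLSv1.2", "TLSv1.3"):
        return f"obsolete: {protocol} (needs TLS 1.2 or newer)"
    if protocol == "TLSv1.3":
        return "modern"  # every TLS 1.3 suite is (EC)DHE + AEAD by design
    if not cipher.startswith("ECDHE-"):
        return "obsolete: no forward secrecy (key exchange is not ECDHE)"
    if "GCM" not in cipher and "CHACHA20" not in cipher:
        return "obsolete: non-AEAD cipher (CBC or RC4)"
    return "modern"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> list:
    """Pin min and max version to one value per attempt so the server cannot
    pick anything else; record what it accepted and which cipher it chose."""
    results = []
    for name, ver in VERSIONS.items():
        ctx = ssl.create_default_context()
        try:
            ctx.minimum_version = ctx.maximum_version = ver
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    cipher = tls.cipher()[0]  # (name, protocol, bits)
                    results.append({"version": name, "offered": True, "cipher": cipher,
                                    "grade": grade_cipher(tls.version(), cipher)})
        except (ssl.SSLError, OSError, ValueError) as exc:
            results.append({"version": name, "offered": False, "error": str(exc)})
    return results


if __name__ == "__main__":
    for row in probe(sys.argv[1] if len(sys.argv) > 1 else "example.invalid"):
        print(row)
```

Run it as `python probe_tls.py identity.o2.co.uk` (or any host you are responsible for); a row showing `offered: True` for TLSv1 is the condition the post is complaining about.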
21-08-2015 02:17 - edited 21-08-2015 02:32
on 21-08-2015 16:52
Final post on this subject: some hints for the O2 techs and a little light reading for everyone else.
http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
https://www.owasp.org/index.php/Testing_for_SSL-TLS
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
on 21-08-2015 18:43