O2

I'm not too concerned about the O2 Community pages being delivered over an HTTP connection, although some other sites enforce HTTPS for their own Community. It's the critical areas of the O2 website that use HTTPS that need attention, because the presence of "https" in the address and the green padlock implying a safe and secure connection are both misleading if the protocols and cipher suites involved are 20 years old and have been superseded. Which, apparently, is the case on the O2 servers.

Running a Qualys scan for each area of the O2 site that claims a secure connection (accounts, login, others) should give a clear picture of the strengths and weaknesses of the site as far as secure connectivity goes.

Here is the Qualys summary for accounts.co.uk (report is at https://www.ssllabs.com/ssltest/analyze.html?d=accounts.o2.co.uk). The note about being vulnerable to POODLE attack does not appear on the report for identity.o2.co.uk, nor does the note about Diffie-Hellman key exchange parameters. And yet the server IP address is apparently the same for both. It may be that we need to see a collection of these Qualys reports to get the full picture.

It might also help to make a record of security warnings issued within different browsers. Firefox has both Page Info and Web Console, which will provide complementary sets of information; depending on the security settings within Firefox you may also pick up connectivity warnings and errors such as this one.

@Anonymous, thanks for the response and the PM.

The website itself should have a link to enable site problems to be reported, which would have saved a lot of time and effort. O2 is not alone in overlooking the need for technical feedback; even the OU website currently lacks that feature.

I hope O2 improve their IT security, because as things stand there are some serious deficiencies.

In my second post (message 5 in the thread) I was wrong when I said ".. the server IP address is apparently the same for both." If you look at the Qualys output you'll see this is not so. O2 has allocated different parts of the visible website to several servers, which is why the Qualys results for accounts.o2.co.uk and identity.o2.co.uk are not identical. This perhaps makes the site more robust - if one server goes down it should not cripple the whole site (unless that server is handling logins) - but it will make improving security across the site more complex, because any changes must be replicated across several servers.

Ironically, the server hosting the O2 Community is better secured than those handling supposedly "secure" functions - note especially the bottom line in this screenshot. It ought to be possible to upgrade the connection to the Community pages to HTTPS, which would bring O2's Community into line with the Communities of some other major companies.

https://www.ssllabs.com/ssltest/analyze.html?d=community.o2.co.uk

There are plenty of other security scans I could run on this site and the the O2 servers, but the basic point has been made and MarinaP has pinged the appropriate people so maybe something will be done to fix the security lapses. I certainly hope so.