SANRAL e-toll website portal - Outdated HTTPS Security Settings

Ivan Leon

Honorary Master
Joined
May 27, 2008
Messages
14,812
Reaction score
14,687
Location
Planet Earth, 3rd Rock from the Sun
Looks like SANRAL haven't learnt their previous lessons about valid HTTPS security certificates for their e-toll website portal, despite numerous breaches before, and are still using TLS 1.0.

I wonder who they will blame this time? - Jan van Riebeeck again?

2015-03-11 SANRAL HTTPS Certificate.jpg


TLS 1.0
TLS 1.0 was first defined in RFC 2246 in January 1999 as an upgrade of SSL Version 3.0.
As stated in the RFC, "the differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough to preclude interoperability between TLS 1.0 and SSL 3.0".

TLS 1.0 does include a means by which a TLS implementation can downgrade the connection to SSL 3.0, thus weakening security.

TLS 1.1
TLS 1.1 was defined in RFC 4346 in April 2006.
It is an update from TLS version 1.0. Significant differences in this version include:

Added protection against cipher-block chaining (CBC) attacks.
The implicit initialization vector (IV) was replaced with an explicit IV.
Change in handling of padding errors.
Support for IANA registration of parameters.

TLS 1.2
TLS 1.2 was defined in RFC 5246 in August 2008.
It is based on the earlier TLS 1.1 specification. Major differences include:

The MD5-SHA-1 combination in the pseudorandom function (PRF) was replaced with SHA-256, with an option to use cipher suite specified PRFs.

The MD5-SHA-1 combination in the Finished message hash was replaced with SHA-256, with an option to use cipher suite specific hash algorithms. However the size of the hash in the finished message is still truncated to 96 bits.

The MD5-SHA-1 combination in the digitally signed element was replaced with a single hash negotiated during handshake, which defaults to SHA-1.

Enhancement in the client's and server's ability to specify which hash and signature algorithms they will accept.

Expansion of support for authenticated encryption ciphers, used mainly for Galois/Counter Mode (GCM) and CCM mode of Advanced Encryption Standard encryption.

TLS Extensions definition and Advanced Encryption Standard cipher suites were added.

All TLS versions were further refined in RFC 6176 in March 2011 removing their backward compatibility with SSL such that TLS sessions will never negotiate the use of Secure Sockets Layer (SSL) version 2.0.

http://en.wikipedia.org/wiki/Transport_Layer_Security
 
I've recently moved up to JHB and I wanted to say this.

**** you SANRAL, you thieving ****ing bastards! I will not pay a dime for e-tolls.
 
Be careful. Pointing out things like this is classified by SANRAL as a "cyber-attack" and they may try to track you and take legal action against you. They have set a precedent for this behaviour.

Last time I heard, it is perfectly fine as long as you don't change the URL :whistling: - I think Moe1 got into trouble since she disappeared after all the news.
 
I do so hate going against the grain...but this is the site in my browser (viewing it from overseas for now)
Identify verified by Starfield technologies, certificate valid from 4/9/2014 to 4/9/2017 and TLS1.0
Maybe man in the middle, is in the middle for you.
sanral.jpg
 
I also have Starfield and TLS 1.0. (from Webafrica connection)
 
Jan van Riebeeck in the middle...
 
Top
Sign up to the MyBroadband newsletter