Engineering 101

Poor Website Encryption When Accessed Using iOS Devices

Mobile threat defense provider Corrata announced that it had discovered poor encryption practices on several prominent websites, including those of Irish telecoms company Eir and German newspaper Bild. Corrata notified the owners of the websites, who remedied the weaknesses. Other websites likely contain similar vulnerabilities, and Corrata urges website owners to ensure that their encryption aligns with industry best practices.

Not all website implementations of HTTPS are equally secure. Some websites use out-of-date versions of the protocol that are known to be vulnerable to attack. This practice is particularly risky on Wi-Fi networks because the traffic passing between a mobile phone and a Wi-Fi access point can easily be spied upon. Weak encryption fails to protect sensitive data such as passwords, financial information, and other confidential data.

The weakness is related to a misconfiguration of the sites’ web servers that favors an old, insecure cipher called RC4 when the sites are accessed using iOS devices (iPhones and iPads). Vulnerabilities in this cipher leave it open to attack, and website owners have been strongly advised not to use it for at least ten years. Maybe worth a check…
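An added example, not code from Corrata or the affected sites, showing how a server-side cipher preference list can end up selecting RC4 for one client but not another, and how removing RC4 from the list changes the outcome. It assumes the server enforces its own preference order; the suite lists and client profiles are constructed and do not represent real iOS offers or the sites' actual configurations.

```python
# Added example: models TLS server-side cipher selection to audit a preference list.
# Suite lists are constructed sample data, not captured from any real site or device.

WEAK_MARKERS = ("RC4",)  # substrings identifying suites to flag

def negotiate(server_order, client_offer):
    """Pick the first suite in the server's order that the client also offers."""
    offered = set(client_offer)
    for suite in server_order:
        if suite in offered:
            return suite
    return None  # no common suite: the handshake would fail

def is_weak(suite):
    return suite is not None and any(m in suite for m in WEAK_MARKERS)

def audit(server_order, clients):
    """Return {client name: (negotiated suite, flagged as weak)}."""
    report = {}
    for name, offer in clients.items():
        chosen = negotiate(server_order, offer)
        report[name] = (chosen, is_weak(chosen))
    return report

# Hypothetical server order: RC4 suites sit above the AES-CBC suites.
MISCONFIGURED = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-RC4-SHA", "RC4-SHA",
                 "ECDHE-RSA-AES128-SHA", "AES128-SHA"]
# Same list with the RC4 suites removed.
CORRECTED = [s for s in MISCONFIGURED if not is_weak(s)]

# Hypothetical client profiles (constructed).
CLIENTS = {
    "client_with_gcm": ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA",
                        "ECDHE-RSA-RC4-SHA"],
    "client_without_gcm": ["ECDHE-RSA-AES128-SHA", "AES128-SHA",
                           "ECDHE-RSA-RC4-SHA", "RC4-SHA"],
}

if __name__ == "__main__":
    for label, order in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED)):
        for name, (suite, weak) in audit(order, CLIENTS).items():
            print(f"{label:14} {name:20} -> {suite}{'  [WEAK]' if weak else ''}")
```

A scan from a single client profile can miss the problem: only the profile lacking the server's top suite falls through to RC4, so an audit should cover every client family that visits the site.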
