Reply to post: Re: What happened to

TalkTalk attack: 'No legal obligation to encrypt customer bank details', says chief

dajames Silver badge

Re: What happened to

Talk Talk is (supposed to be) a professional company operating in the IT arena and, as such, should have been perfectly well aware of the risks by taking the decision not to encrypt data.

Unfortunately, being "a professional company" is no protection from incompetence.

The TalkTalk we're talking about here is a company that doesn't support SSL connections to its mailservers, for instance, even though other ISPs increasingly mandate SSL. It's hard to believe that they have any clue at all when it comes to security.

See, for example:

(It says there that they don't support SSL on outgoing connections, but that they use port 587, which is usually used for secure SMTP rather than port 25. WTF?)

I also noticed recently (don't ask why) that a TalkTalk mail server negotiated an SMTP connection to another ISP's server using SHA-1 and RC4, both of which are deprecated and insecure. It's not the fault of the other ISP (which happened to be AOL, so not a paragon itself) as they happily negotiate encryption using SHA256 and AES256 with other ISPs.

TalkTalk really seem to have no clue at all.
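The weak negotiation the commenter describes (RC4 and SHA-1 on a mail server, STARTTLS on port 587) can be checked directly. The following is an added example, not part of the original comment: it connects to a submission port, issues STARTTLS, and flags deprecated algorithms in the negotiated cipher name. The host name is a placeholder and the weak-token list is an assumed policy.

```python
# Added example (not from the original comment): check what a mail server
# negotiates over STARTTLS on submission port 587 and flag deprecated
# algorithms such as the RC4 and SHA-1 mentioned above. The host name is a
# placeholder and the weak-algorithm list is an assumed policy.
import re
import smtplib
import ssl

# Tokens in an OpenSSL/IANA cipher name that make the suite unacceptable.
# In OpenSSL names a bare "SHA" token means SHA-1; "SHA256"/"SHA384" do not match.
WEAK_TOKENS = {
    "RC4": "RC4 stream cipher is broken",
    "SHA": "SHA-1 HMAC is deprecated",
    "MD5": "MD5 HMAC is broken",
    "DES": "DES/3DES is deprecated",
    "NULL": "no encryption at all",
    "EXP": "export-grade key length",
}


def cipher_weaknesses(cipher_name: str) -> list[str]:
    """Return the reasons a negotiated cipher name is unacceptable ([] if fine)."""
    tokens = set(re.split(r"[-_]", cipher_name.upper()))
    return [why for tok, why in WEAK_TOKENS.items() if tok in tokens]


def negotiated_cipher(host: str, port: int = 587, timeout: float = 10.0):
    """EHLO, STARTTLS, and report (cipher, tls_version, weaknesses).

    Returns None when the server advertises no STARTTLS; raises ssl.SSLError
    when its certificate fails default verification (also worth recording).
    """
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return None
        smtp.starttls(context=ctx)
        name, version, _bits = smtp.sock.cipher()
        return name, version, cipher_weaknesses(name)


if __name__ == "__main__":
    # Placeholder host: substitute your own mail server when running this.
    result = negotiated_cipher("mail.example.invalid")
    if result is None:
        print("server does not offer STARTTLS")
    else:
        name, version, problems = result
        print(f"{version} {name}: {', '.join(problems) or 'OK'}")
```

Run it against your own mail servers; a result naming RC4 or a bare SHA token is the kind of negotiation the comment complains about.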
