Dec 30, 2013

How Secure is Alex Jones's Prison Planet? Not Very


Before I get too involved in this let me first say that I am actually a fan of Alex Jones and his Infowars site, as well as his Nightly News program on PrisonPlanet.tv. In fact, I have a similar website called Mainwashed where I did a video talking about how to read Infowars to get valuable information.

Check it out:



So now you know that I am a fan, and this is not just an attack on Alex or his team. This is simply to point out a major security flaw I noticed the other night when I was logging into PrisonPlanet.tv to check out the Nightly News show. That security flaw is in how Alex's team has implemented SSL encryption when you log in to PrisonPlanet.tv or go to sign up for a subscription.

I'm a Network and Security Manager by trade, so one of my duties at the company I work for is to make sure our websites are secure and PCI/DSS compliant. One of the biggest parts of that process is implementing SSL/TLS encryption properly. I have written about how to do that in the past for both Windows and Linux servers. Basically, I know what I'm talking about here.

Anyway, when I logged into PrisonPlanet.tv the other night I happened to notice the SSL icon in my address bar. Like I always do, I checked out the certificate information, but I went a step further and ran a test of the website on SSL Labs. The result? Alex's site got an 'F' rating!

As you can see above, the certificate he uses is fine, but the key exchange they have enabled, as well as the cipher strength, is piss poor! Because of this poor implementation, their site is vulnerable to a CRIME attack or a BEAST attack.
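One way to check a negotiated connection for the four problems named above (weak key exchange, weak cipher strength, BEAST, CRIME), as an added example that is not part of the original post and is not SSL Labs' grading logic. The `audit` function, the finding codes and all sample connections are hypothetical and constructed; the rules are a simplification keyed on OpenSSL-style cipher names.

```python
# Added example: every input below is constructed, not scan data from any site.
# Inputs are shaped like what Python's ssl module reports for a live connection:
#   SSLSocket.version()     -> "TLSv1", "TLSv1.2", ...
#   SSLSocket.cipher()      -> (name, protocol, secret_bits)
#   SSLSocket.compression() -> algorithm name, or None when compression is off

REASONS = {
    "anon-kx": "anonymous (EC)DH key exchange, server is never authenticated",
    "export-kx": "export-grade suite with deliberately weakened keys",
    "weak-cipher": "NULL or RC4 encryption, or fewer than 128 secret bits",
    "beast": "CBC block cipher negotiated on SSLv3/TLSv1",
    "crime": "TLS-level compression is enabled",
}
CBC_IV_VERSIONS = {"SSLv3", "TLSv1"}  # versions where BEAST applies


def audit(version, cipher, compression):
    """Return the finding codes (keys of REASONS) for one negotiated connection."""
    name, _protocol, bits = cipher
    tokens = set(name.split("-"))  # OpenSSL-style names, e.g. DHE-RSA-AES128-SHA
    found = []
    if tokens & {"ADH", "AECDH"}:
        found.append("anon-kx")
    if "EXP" in tokens:
        found.append("export-kx")
    # In SSLv3/TLSv1 a suite is NULL, a stream cipher (RC4), or a CBC block cipher.
    not_block = bool(tokens & {"RC4", "NULL"})
    if not_block or bits < 128:
        found.append("weak-cipher")
    if version in CBC_IV_VERSIONS and not not_block:
        found.append("beast")
    if compression is not None:
        found.append("crime")
    return found


# Constructed sample connections (label -> version, cipher tuple, compression).
SAMPLES = {
    "legacy-default": ("TLSv1", ("AES128-SHA", "TLSv1/SSLv3", 128), None),
    "worst-case": ("TLSv1", ("EXP-ADH-DES-CBC-SHA", "TLSv1/SSLv3", 40), "zlib"),
    "rc4-workaround": ("TLSv1", ("RC4-SHA", "TLSv1/SSLv3", 128), None),
    "modern": ("TLSv1.2", ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128), None),
}

if __name__ == "__main__":
    for label, conn in SAMPLES.items():
        codes = audit(*conn)
        print(label, "->", codes or "no findings")
        for code in codes:
            print("   ", code + ":", REASONS[code])
```

The "rc4-workaround" sample shows why a server cannot simply switch to RC4 to avoid BEAST: the finding moves from `beast` to `weak-cipher` rather than going away.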

They have a badge from Authorize.net at the bottom of their login page that says they are secure too:


Well, that is clearly not the case, is it?

If you are new to PrisonPlanet.tv and were planning on signing up for a subscription, you can still do it securely if you use the PayPal option that they offer:


In conclusion, the PrisonPlanet.tv website is not as secure as it could be. Their SSL implementation is vulnerable to various attacks because it allows the use of weak ciphers and key exchange. If you are going to sign up for a subscription, use the PayPal option.

What do you think of this? Let us know in the comments.


