Thanks To Bauer-Power, Prison Planet is More Secure!

The other day I wrote about how the SSL implementation of Alex Jones's PrisonPlanet.tv was not done properly, so the website was vulnerable to attacks like CRIME or BEAST. Well apparently a few people sent that article to Alex's team and they promptly fixed it (Well most of it).

Now PrisonPlanet.tv has an 'A' rating from SSL Labs!

I say it is mostly secure because they still have SSL 3.0 enabled and haven't changed the protocol priorities to put RC4 128 bit encryption first, or remove all other protocols except RC4 128 bit encryption. That means that they are technically susceptible to the BEAST attack.

Alternatively to mitigate against the BEAST, they can disable TLS 1.0 and below, but then that would limit what browsers could access their site, and probably wouldn't be a great idea for a web media company.

Still though, the BEAST attack is very difficult to perform. According to a white paper from ISecPartners:

The actual attack is likely very difficult because of the browser's enforcement of the SOP [Same Origin Policy], but it is possible that some web technologies provide a mechanism for cross-domain communication.

In short, the chance of that attack is unlikely, so the changes Alex's team has done is probably good enough for now.

Anyway, I'm glad I could have helped in a small way to make the Prison Planet community more secure so we can all continue to fight in the Infowar!

Related articles

• How Secure is Alex Jones's Prison Planet? Not Very
• Strong SSL Security on nginx
• Strong SSL Security on Apache2
• TLSv1.1 and TLSv1.2 now available in RHEL