Asus Server is Vulnerable to Attack!

Reached out to JJ about this via Twitter DM.  Just giving everyone warning.

https://www.ssllabs.com/ssltest/analyze.html?d=asus.com&s=103.10.4.216

I'm a bit surprised to be honest.  Given that Asus makes some of the most popular networking hardware and sites are being hacked frequently, I'd expect them to take security a bit more seriously than this.  Disappointed.

Given that half the pages don't scroll properly, I am not surprised.

 

Or actually load for that matter.

I like Asus, but I have to approve this.

I don't think you quite understand what the point of SSL is. There are very few downsides, sure, but there's not really all that much of a reason to SSL a site filled with product pages and information.

In fact, there's actually very little, if any, correlation between a site being hacked and SSL, so...

SSL != server security.

This issue is present on customer information pages as well.  If you have an Asus account, you can verify this.
 
Encryption in and of itself does not make something secure.  It is part of it, however.  If keeping software up-to-date is necessary on consumer devices, the same standard should apply to servers of multinational corporations.  Asus has the resources to fix this.  There is absolutely no excuse for it!
 
Another vital part to company security is making sure a policy is in place that is security-focused (which is likely what you're referring to).  Not storing passwords in plaintext, restricting the software that employees have access to, using standard user accounts, etc.

Ah, my apologies. I had no idea they have a user system for their entire site (that said, I have no idea why they do. But I guess that goes hand in hand with not even knowing why they have one.)

tl;dr: my bad, sorry

No problem.  From the SSL report, one IP seems to be okay.  I believe this is the Asus login portal as Chrome does not report any issues with it.  Once the user logs in, however, the user is transferred to a page containing an outdated cipher suite.  This page has customer forms.  The outdated cipher suite warning from Chrome led me to run the SSL test.

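An added example, not part of the thread: a per-hostname check for the situation described in the last post, where the login portal negotiates a modern suite but the page behind it does not. The criteria (TLS 1.2 or later, an AEAD cipher, ECDHE/DHE key exchange) are an assumption approximating what a browser treats as up to date, and the hostnames and suites in `SAMPLE` are constructed, not scan results.

```python
import socket
import ssl

AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")
MODERN_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def cipher_findings(cipher_name, protocol):
    """Return the reasons a negotiated suite counts as outdated (empty = fine)."""
    findings = []
    if protocol not in MODERN_PROTOCOLS:
        findings.append("protocol older than TLS 1.2")
    if not any(marker in cipher_name for marker in AEAD_MARKERS):
        findings.append("no AEAD cipher (CBC or RC4)")
    # OpenSSL-style names; TLS 1.3 suites (TLS_*) always use ephemeral keys.
    if not cipher_name.startswith(("ECDHE-", "DHE-", "EDH-", "TLS_")):
        findings.append("key exchange is not ECDHE/DHE")
    return findings


def probe(host, port=443, timeout=5.0):
    """Live check: handshake with host, return (cipher_name, protocol).

    Reports what *this* client negotiates; a strict local OpenSSL build may
    refuse the handshake outright instead of accepting an old suite.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.cipher()[0], tls.version()


def audit(endpoints):
    """Map each endpoint label to its findings, keeping only flagged ones."""
    report = {}
    for label, (cipher_name, protocol) in endpoints.items():
        findings = cipher_findings(cipher_name, protocol)
        if findings:
            report[label] = findings
    return report


# Constructed sample: one site, two hostnames, different TLS configurations.
SAMPLE = {
    "login.example.test": ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2"),
    "account.example.test": ("AES128-SHA", "TLSv1"),
}

if __name__ == "__main__":
    for label, findings in audit(SAMPLE).items():
        print(label, "->", "; ".join(findings))
```

To check real hosts you administer, build the dictionary with `probe()` for every hostname the login flow redirects through, not just the first one.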
