Category Archives: govmu

Government of Mauritius website allows weak security



govmu.org

A few days ago, Sruti mentioned on the Mauritius Internet Users mailing list that she had problems resetting her password on the Mauritius Government website.

Out of curiosity, I decided to check if the login works correctly. While working on this, I made an interesting observation: The connection offered on the website is weak, in terms of security !

By observing the SSL connection on my smartphone I came across a weak encryption offered by m.govmu.org, which is mobile version of the government of Mauritius website. Stunned by this discovery, I also check the PC-version of the government website and noticed that It also offers the same weak encryption.

SSL handshake has read 2749 bytes and written 362 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
...
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5

The govmu.org website allows RC4-MD5 which is considered to be weak encryption, according to RFC7464 . The document, which is now a standard on the Internet, recommends removal of RC4 as an encryption mechanism, due to practical attacks demonstrated against it.

Implications for Mauritian Citizens

It is possible to intercept and decrypt sensitive Information that a user sends to the Mauritius Government website, as it is. It is possible to set-up a practical attack, under certain circumstances. This is more dangerous, as more and more people are using wifi which magnifies the problem.



--Logan