UPDATE ISP PlusNet Criticised for Using Unsecure Broadband Signup Form

Broadband ISP PlusNet, which is owned by BT, has become the latest Internet provider to face criticism today for lax security after it was revealed that their registration form for new customers doesn’t sit behind a secure web (HTTPS) connection and is instead transmitted without encryption.

In theory this vulnerability, which was spotted by The Register, means that any personal details you enter into the form might, albeit only under the right conditions, be exposed to a hacker. For example, attempting to sign-up while using a public wifi hotspot might not be advisable (i.e. a man-in-the-middle attack could potentially extract your details).

ISPreview.co.uk can confirm that the form (e.g. http://www.plus.net/signup/about-you/), which we just attempted to use ourselves, does indeed appear to exist on an ordinary HTTP instead of HTTPS (Hypertext Transfer Protocol Secure) connection.

However it would take a much more specific hack for the information to actually become accessible and indeed many online website forms still don’t use HTTPS due various issues, although you expect better from big commercial companies. Something as important as a form for signing up with your ISP, where real personal details are a requirement (no fake names etc.), should ideally be more secure.

As a rule you should never sign-up to any service on a network or device that is not controlled by yourself, which minimises the chances of your data being leaked to hackers. In this instance there’s also no evidence that PlusNet’s security (or lack thereof) has actually been breached so existing customers need not panic.

Never the less we have asked PlusNet to explain why they’re not putting such sensitive personal details behind an HTTPS page (most but not all commercial ISPs tend to do this) and are awaiting a reply.

UPDATE 11:37am

A spokesperson for PlusNet has told us that “all Plusnet customer passwords are stored with full encryption. Our customer sign up page is currently unencrypted, and we are in the process of fixing this urgently.”