Spanish election site in security cert warning screwup snafu

Website crypto problems on the Spanish online voting registration website are causing it to generate all manner of security warnings. Attempts to visit the sede.ine.gob.es site – run by Spain's National Statistics Institute and introduced this year for municipal/regional elections – typically lead to users being confronted …

  1. Dan 55 Silver badge
    Flame

    Must... not... get... angry...

    There are enough security problems with Spanish government websites to give security researchers work for a lifetime. They seem to still think it's acceptable that their websites work on IE6 on XP and everyone else can get knotted. There are still government websites out there that manage to use both ActiveX and Java.

    It's the FNMT (their equivalent of the Royal Mint or US Mint) that issues Spanish certificates, yet they're not really set up as a CA. They've been trying to get CA status for Firefox for 7 years...

    https://bugzilla.mozilla.org/show_bug.cgi?id=435736

    This means you have to mess about installing root certificates and maybe certificates specific to the government website you're visiting *. This is the problem mentioned in the article.

    Another thing, in Firefox you have to tone down the security to make things work (signed.applets.codebase_principal_support in about:config).

    Every time the tax return comes round some horrible Java abortion which doesn't work is foisted on the populace and the website is unable to cope with the load. You either have to scour Internet forums to find out what version of Java and browser you have to roll back to so it does work or go and see them personally, which is what online stuff is supposed to avoid.

    And when Oracle makes Java's security policies stricter everything stops working for months too. Hey, how about following best practice from the beginning?

    This is what happens when big consultancies in with the government pocket the cash and then give the work to new graduates who are cheap.

    Rant over.

    * Yes, you have to download the certificates insecurely.

    1. Mephistro
      Pint

      Re: Must... not... get... angry...

      Been there, done that, and I totally agree with you. Spanish govt. webpages are total rubbish, seemingly coded and maintained by -quite inept- interns. Standards compliance seems to be an exotic concept for these guys and the Java apps are simply terrible.

      One of my clients was unable to fill a tax form -IVA(VAT) return- in time due to this and was correspondingly fined. After a complaint and lots of paperwork he got his money back. It only took him almost two years. :-(

      The good side is that every year I earn some tidy €€€ fixing these issues on my clients' machines. You know, the 'Broken Window' and all that stuff. ;-)

      1. JDC

        Re: Must... not... get... angry...

        On the other hand, I sorted out my "Borrador de la Renta" in about 10 minutes, which included having to update my daughter's DNI. So it's not all doom and gloom.

  2. Anonymous Coward

    Ha!

    I guess if the website was running IIS instead of Apache there would be posts of people jeering MS and telling how MS servers are only used by mouse wielding bottom feeders...

    Hats off to SSL Labs, the SSL Server tool is one of the most useful tools for webmasters.

  3. SecretSonOfHG

    What else could be expected?

    A note: from @Dan55's post, someone could infer that Spanish IT governance has gone downhill due to an overall IT-clueless government surrounded by corruption scandals. Corruption may have got worse in the last decade or so, but long before that the way of doing IT has always been the same: hand over the contract to some outsourcing "partner" that is big on buzzwords, close to the governance body, and weak in knowledge. Not necessarily big consultants, by the way, although they have their fair share of the pie.

    If you want other nice examples of this kind of incompetence, the city of Madrid is chock full of them. From bike-sharing kiosks that took two months to reach a state of half-working (contract awarded to a supplier whose experience was in managing a bike fleet a tenth of the size of Madrid) to the parking meters: at 6K each unit, they reboot themselves for each ticket they issue.

    One suspects revolving doors are working full time now that election time is coming.

  4. Anonymous Coward

    It's issued by FNMT, the root CA by law in Spain.

    Just get your CA certs. You are asked to do it when you are issued your FNMT certificate in Spain.

    https://www.sede.fnmt.gob.es/descargas/certificados-raiz-de-la-fnmt

    1. Dan 55 Silver badge
      FAIL

      Indeed they are root CA by law in Spain. You'd think that would mean they could show Mozilla that they're audited but they can't, they've spent seven years trying to get root CA status in Firefox and still haven't got it.

      So when you get those certificates for the first time you're not sure where you're getting them from and you have to add a certificate exception. Post-Snowden this is looking incompetent in the extreme.

  5. Simon Lynch

    This was mostly covered in the comments above.

    To make one thing clear - pretty much all of the government https sites operated in Spain throw scary warnings in the browser about the certs not being valid. In this case, it is lucky most users ignore them and just click on, but it is a pathetic state of affairs.

    In addition, most online services require an installed cert on the computer to actually be able to access them. Although this is not a bad idea in principle, it does involve a lot of faffing around and a physical visit to authorize the digital cert. And if you don't have it backed up and an HDD dies, start from square one (yes, stupid, I know). Banks abandoned this approach in the 90s and seem to have survived. Spain is basically still in the last century; lots of big companies on fat IT contracts producing 'mierda'.

    @John - happy to push over examples if you would like to have look.

  6. Anonymous Coward

    Hi All

    I have to say I am a bit surprised by all comments being so negative.

    Most Spanish gov sites run smoothly and Spanish eGov statistics are pretty good (see Gartner or CapGemini reports if you like). The Spanish Tax Agency has been a pioneer and remains a reference in Europe.

    Spain has one of the most advanced and earliest laws creating the right of citizens to communicate electronically with the Public Administrations (Law 11/2007, on citizens' e-access to public services).

    Spain has got electronic legal instruments with no equal in Europe. For instance, we massively use electronic seals for Public Administration since 2007! Other milestones are the electronic certificates for legal persons, widely deployed since 2003, that make electronic life easier for our firms.

    Spain has been key in the negotiation of the EU Regulation 910/2014 on eID and trust services.

    Spain is the second European market for electronic certificates (see the European Trusted List if you want to learn something: https://ec.europa.eu/information_society/policy/esignature/trusted-list/tl-hr.pdf).

    In conclusion, I kindly ask you to be a bit more respectful, and show facts instead of just complaining.

    I have been visiting other EU e-Gov sites for years and they have no advantage, on the contrary many times (never mind English user/password crappy sites).

    @Simon Lynch: the physical visit to authorize a digital cert is a legal imperative of Directive 1999/93/CE if the cert is to be qualified. No Spanish brilliant idea there, but the assumption that in order to achieve qualified signature (equivalent to handwritten) you need that (plus a SSCD).

    Thanks.
