Bletchley Park Trust vows to shore up insecure website

??

"It's fair to say that we are dealing with a national heritage/museum website, rather than a bank. But it's not unreasonable to suggest that those behind the site should be setting an example for similar businesses, in honour of the heroic security legacy they celebrate."

That heroic security legacy was of course the breaking of codes through exploiting weakness in ciphers, and automating the exploiting - seems fitting that their own website has a weakness that can be exploited, no?

Went to website.

Found out what CMS platform they're using.

Made a mental note never to use that platform.

I've seen far worse

The "F" grade at SSLLabs is due to the same certificate being hosted on a web server elsewhere (this may be their backend server, they are behind Cloudflare) with SSLv2 and export grade (deliberately weakened) ciphers supported. The certificate has a SHA1 intermediate certificate in the chain, so they will need to update it anyway before the major browsers start giving warnings early in the new year[1]. Doing this will help to mitigate the problem, no need for an entire new web site. They should also be either getting the 2nd server turned off, if it is unused, or better secured if it is their backend server.

[1] https://community.qualys.com/message/35468-sha-1-deprecation-countdown

Almost as bad...

...as a website for new used by many involved in IT and that doesn't use https so is open to all sorts of malicious code injection to the potential detriment of its IT using crowd.

when no https you can't get some of those bugs - but anyone can play with the traffic between the sender and reciever

if you think that a site with an A rating from ssllabs is good

you should stick that same site into securityheaders.ie

Dead now?

Is it just me or has someone set fire to the site and it's just a smoking pile of ruins?