Leading by example: UK.gov's secure server setup is patchy at best

The security of UK government websites is inconsistent, and local authorities are among the worst offenders. Ministers have for years spoken about making the UK "one of the most secure places in the world to do business in cyberspace", one component of which is making government services available online. The government also …

  1. Anonymous Coward
    Anonymous Coward

    Maybe a similar study of websites run by the private and third sectors before chucking stones?

    No it's not great but UK and regional government are really trying to improve the situation. But there is a significant legacy of neglect to overcome.

    1. Anonymous Coward
      Anonymous Coward

      I ran such a test on our own (university-related) web site today and it got an 'F' due to support for weak/deprecated ciphers mostly; otherwise our certificates and lack of known vulnerabilities were fine.

      However, we don't handle sensitive user data (*very* little sign-up info, no financial data whatsoever) and only went to https due to web browsers bitching about the lack of it. That is a big difference compared to most gov sites.

      A/C for obvious reasons.

      Edited to add: The main site that handles student applications gets an A+ rating.

  2. NonSSL-Login
    Meh

    To root or not to root

    It appears the only security angle they look at with .gov sites is whether it is secure from being rooted. Anything else doesn't seem to matter to them except for a working website. The fact that browsers have now started acting on bad SSL setups has exposed the bad config and bitten the admin on the ass.

    Although in other areas I would be happy to don the tin foil hat and say the bad ciphers and config are to make it easier for GCHQ to log data, inject payloads and other shenanigans, these .gov issues are just down to bad administration.

    Also, our favourite el-reg was a long holdout for SSL despite having a login form for users. Hence my username.... It was only when Google said they would list sites lower without SSL that they were forced to move their butt into gear and add SSL. The bad publicity might be enough to make the gov sites fix SSL issues, but a lower search engine ranking might do the job faster.

    1. Paul Crawford Silver badge

      Re: To root or not to root

      "bad ciphers and config is to make it easier for GCHQ to log data, inject payloads and other shenanigans"

      Err, you do know that GCHQ is part of UK gov so they can simply get the data any time they want?

      1. NonSSL-Login

        Re: To root or not to root

        Probably easier and quicker for them to get the info via XKeyscore thanks to Tempora mass collection, and it will be up-to-the-second logs compared to sync + database integration once a day or week. But if you read my comment again, you will notice I'm not wearing the tin foil hat in this case anyway, so a moot point.

        However, injecting payloads when the IP of Russian arms suppliers browses a badly SSL'ed site....

        1. Anonymous Coward
          Anonymous Coward

          Re: To root or not to root

          If it's anything like any government dept I've worked with, it's probably easier for them to wait for a Russian defector who brings them the information than to request it through official channels.

  3. DontFeedTheTrolls
    FAIL

    If the government can't even secure the front door to their own websites what confidence can we have that they can secure a backdoor into the encryption of our devices and communications?

  4. Anonymous Coward
    Trollface

    It's only taxpayer's money!

    All those £Bs splurged by GDS and what did we get? A lot of contractors with houses in Tuscany; decent .gov websites, not so much.

  5. Anonymous Coward
    Anonymous Coward

    Councils are being squeezed

    It's easy to outsource or cut back on IT services, I mean we don't need them now the computers can turn on right?

  6. EnviableOne

    Try checking the banks first

    Security Headers is run by Scott Helme and has the backing of Troy Hunt (of haveibeenpwned).

    Troy did a blog post on the major banks; they can't even get the Qualys SSL basics right, so HMRC are ahead of them all, and BCC are ahead of most of them.

    The other issue is calling a local council part of the central government. Local councils have a huge funding squeeze: council tax has been on hold for like 10 years, with inflation topping 3% for most of those years, and their central funds being cut considerably, so they have budgets that are less and less and are being pushed to offer more and more.

    1. Vince

      Re: Try checking the banks first

      When you say "council tax" has been on hold for like 10 years, what precisely do you mean, because mine has gone up by about 4% every single year, and this year is no exception.

  7. really_adf

    From the article: The government also promotes the secure server setup best practice, not least through a handy guide published by the National Cyber Security Centre here.

    That guide suggests using ECDSA or (strong) DH for key exchange, both of which provide Perfect Forward Secrecy (PFS), but for the latter then seems to suggest you might want to deviate to use PFS. Am I reading it wrong or have I misunderstood something?

  8. Anonymous Coward
    Anonymous Coward

    Ha! An F rating - luxury! My local council can't even get to the starting gate.

    SSL Report: www.midsuffolk.gov.uk (46.43.8.74)

    Assessed on: Tue, 20 Mar 2018 17:10:55 UTC

    Certificate name mismatch

    Try these other domain names (extracted from the certificates):

    www.eastsuffolk.default.onesuffolk.uk0.bigv.io

    eastsuffolk.default.onesuffolk.uk0.bigv.io

    And if I ignore the mismatch I see the certificate is expired

    1. Anonymous Coward
      Pint

      Bumpkins

      I'm surprised computers have reached Mid Suffolk, not that they are insecure

      1. Yet Another Anonymous coward Silver badge

        Re: Bumpkins

        Wait till they get electricity - then they will become vulnerable.

        If they ever get a phone line

    2. Alister
      Facepalm

      @AC

      All you are seeing there is that the www.midsuffolk.gov.uk site is not meant to be browsed over HTTPS; it's an HTTP site, hosted on a server which happens to have an old self-signed certificate on it.

      If you browse to http://www.midsuffolk.gov.uk then it works fine.
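The two findings in the pasted report above (a name mismatch, then an expired certificate once the mismatch is ignored) are exactly what a browser's certificate validation checks first, so here is a small defender-side reproduction of that logic, added as an example and not code from the article or from SSL Labs. It applies the RFC 6125 hostname-matching rules to the two subjectAltName entries quoted in the report; the validity window is a constructed placeholder, because the snippet does not show the real dates.

```python
from datetime import datetime, timezone


def hostname_matches(hostname, san_dns_names):
    """Return True if hostname is covered by one of the certificate's DNS SANs.

    Follows the RFC 6125 rules browsers apply: comparison is case-insensitive,
    a wildcard is honoured only as the entire left-most label, it never spans
    more than one label, and it needs at least two labels after it.
    """
    host = hostname.lower().rstrip(".").split(".")
    for name in san_dns_names:
        pat = name.lower().rstrip(".").split(".")
        # label count must match and every label after the first must be identical
        if len(pat) != len(host) or pat[1:] != host[1:]:
            continue
        if pat[0] == host[0]:
            return True
        if pat[0] == "*" and len(pat) >= 3:
            return True
    return False


def check_certificate(hostname, san_dns_names, not_before, not_after, now):
    """Return a list of findings for the presented certificate; empty means OK."""
    findings = []
    if not hostname_matches(hostname, san_dns_names):
        findings.append("name mismatch: %s is not covered by %s"
                        % (hostname, ", ".join(san_dns_names)))
    if now < not_before:
        findings.append("not yet valid until %s" % not_before.date())
    if now > not_after:
        findings.append("expired on %s" % not_after.date())
    return findings


# SAN entries and assessment time are taken from the pasted report;
# the validity window is constructed, since the snippet does not show it.
MIDSUFFOLK_SANS = ["www.eastsuffolk.default.onesuffolk.uk0.bigv.io",
                   "eastsuffolk.default.onesuffolk.uk0.bigv.io"]
ASSESSED_AT = datetime(2018, 3, 20, 17, 10, 55, tzinfo=timezone.utc)
NOT_BEFORE = datetime(2016, 1, 1, tzinfo=timezone.utc)  # constructed
NOT_AFTER = datetime(2017, 1, 1, tzinfo=timezone.utc)   # constructed


def midsuffolk_findings():
    return check_certificate("www.midsuffolk.gov.uk", MIDSUFFOLK_SANS,
                             NOT_BEFORE, NOT_AFTER, ASSESSED_AT)


if __name__ == "__main__":
    for finding in midsuffolk_findings():
        print(finding)
```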

  9. Amos1

    Would you please stop misleading articles like this?

    SSL Labs checks a tiny, tiny part of what it means to secure a web site, and the criteria they use are entirely up to them. Even an A+ means nothing as far as whether the site is coded, operated and maintained securely.

    It's similar to a home inspector looking at the outside, seeing a gleaming new paint job and proclaiming the home in perfect condition even though it's about to collapse from termites, water damage, mold and being a former residence of the Turpins.

    1. Alister

      Re: Would you please stop misleading articles like this?

      Agreed, and quoting Scott Helme's site results means nothing either, as the majority of websites don't support all the HTTP headers he suggests are necessary for an "A".

      www.google.co.uk... "D"

      www.ebay.co.uk... "C"

      www.theregister.co.uk... "F"

      It's an arbitrary mark which doesn't reflect real world practice.

  10. Alister

    Birmingham is an "A" now

    SSL Report: www.birmingham.gov.uk (107.162.138.27)

    Assessed on: Wed, 21 Mar 2018 13:49:35 UTC

    Overall Rating

    A
