HTTPS crypto-shame: TV Licensing website pulled offline

JimmyPage Silver badge
Facepalm

redirecting HTTP to HTTPS

Isn't this the sort of thing a first year Comp Sci graduate used to be able to do?

Alister Silver badge

Re: redirecting HTTP to HTTPS

In my experience, the current crop of Comp Sci graduates wouldn't have a fucking clue how to do this, nor why they should...

Teiwaz Silver badge

Re: redirecting HTTP to HTTPS

Comp Sci awards the degree in the first year now?

I have heard mutterings about Degrees getting easier (and reduced the length of course while probably increasing the fees), but this seems like drastic short-cutting to me.

katrinab Silver badge

Re: redirecting HTTP to HTTPS

If you are using IIS, it is a box you tick in the control panel. On Apache, it is a very simple addition to the configuration file.
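An added example, not part of any commenter's post and not code from the site under discussion: a Python check over a recorded redirect chain that confirms the HTTP to HTTPS redirect discussed in this sub-thread is in place, and also flags a missing HSTS header and an HTTPS-to-HTTP hand-off. The hop records and the `example.test` host names are constructed sample data, and the function names are this example's own.

```python
from urllib.parse import urlsplit, urljoin

REDIRECTS = {301, 302, 303, 307, 308}
PERMANENT = {301, 308}

def header(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    return next((v for k, v in headers.items() if k.lower() == name), None)

def hsts_max_age(headers):
    """max-age of Strict-Transport-Security in seconds, 0 if absent or invalid."""
    value = header(headers, "strict-transport-security") or ""
    for directive in value.split(";"):
        key, _, arg = directive.strip().partition("=")
        if key.lower() == "max-age":
            arg = arg.strip().strip('"')
            return int(arg) if arg.isdigit() else 0
    return 0

def audit_chain(hops):
    """hops: list of {"url", "status", "headers"} in the order they were fetched.
    Returns (finding, url) tuples; an empty list means no issue was found."""
    findings, seen_https = [], False
    for hop in hops:
        url, headers = hop["url"], hop.get("headers", {})
        location = header(headers, "location")
        if urlsplit(url).scheme == "https":
            seen_https = True
            continue
        if seen_https:  # a secure hop handed the user to a cleartext one
            findings.append(("downgrade", url))
        if hop["status"] not in REDIRECTS or location is None:
            findings.append(("plain-http-content", url))
        elif urlsplit(urljoin(url, location)).scheme != "https":
            findings.append(("redirect-not-https", url))
        elif hop["status"] not in PERMANENT:
            findings.append(("temporary-redirect", url))
    last = hops[-1]
    if urlsplit(last["url"]).scheme == "https" and not hsts_max_age(last.get("headers", {})):
        findings.append(("no-hsts", last["url"]))
    return findings

# Constructed sample chains (not captured from any real site).
GOOD = [
    {"url": "http://example.test/", "status": 301,
     "headers": {"Location": "https://example.test/"}},
    {"url": "https://example.test/", "status": 200,
     "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}},
]
NO_REDIRECT = [{"url": "http://example.test/", "status": 200, "headers": {}}]
HANDOFF = [
    {"url": "https://parent.example.test/checkin", "status": 302,
     "headers": {"Location": "http://partner.example.test/details"}},
    {"url": "http://partner.example.test/details", "status": 200, "headers": {}},
]

if __name__ == "__main__":
    for name, chain in (("GOOD", GOOD), ("NO_REDIRECT", NO_REDIRECT), ("HANDOFF", HANDOFF)):
        print(name, audit_chain(chain))
```
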

FlamingDeath Bronze badge

Re: redirecting HTTP to HTTPS

Well, from my observation many of the university types do certainly think that once they completed their degree, that the learning is done and finished, and they can then start looking down their noses at us other self-educated types who didn't pay £9k PA for a "rarely present tutor" and are interested enough in the subject to be motivated to self-learn

I guess the overpriced degrees in university breed a kind of hubristic elitism

A bit like when people buy an overpriced product, and they wrongly equate high price with high quality

“The good work for all education is interest. Until there is interest there is no response"

NonSSL-Login

Re: redirecting HTTP to HTTPS

Searched for the Beefeater site yesterday and google gave a http link which didn't redirect to https once on it which I thought was odd for this day and age.

To view a menu it wanted my postcode and while it's not the end of the earth for that to be sniffed, it felt too dirty to post it over http so I had to manually change it to https.

My name was a good few years of nagging at el register to https up and it took google to start giving horrible chrome messages and lower search engine ranks to http sites before it was changed. Any company not using https now should be considered lazy and not fully competent imo.

ZenCoder
Pint

Re: redirecting HTTP to HTTPS

> Well, from my observation many of the university types do certainly think that once they completed their degree, that the learning is done and finished, and they can then start looking down their noses at us other self-educated types

My Computer Science and Engineering Degree taught zero practical skills ... instead I learned the scientific and theoretical knowledge that would prepare me for a lifetime of self-learning.

Also here is at least one "University Type" that respects anyone who has the skills necessary for the job no matter how they acquired them.

Regrettably I also worked with far too few people with skills and no degree and far too many with degrees with no skills, not to mention the 3rd year transfer students with 3.5+ GPA who literally could not complete a single lab assignment without cheating.

So instead of a downvote ... you get a beer.

Anonymous Coward

Re: My Computer Science and Engineering Degree taught zero practical skills

Mine wasn't as "impractical" as that (although the programming that we did do, did perhaps focus a little too much on near-metal-banging (pointers, malloc, etc) in C, which are things I have never needed to worry about since, as they are dealt with lower down the software stack (although I certainly do acknowledge that we do need at least some people with those skills in order to write, and optimise, those lower parts of the stack)).

But, unfortunately, much of the "theoretical stuff" mainly seemed to be indulgence of the academics' pet areas of research, and rarely anything which gets any real-world use (eg, lambda calculus) or was more than a passing fad (at least a couple of unpleasant courses whose content I have now entirely forgotten).

To be perfectly honest, I think I have learned far more from the web (yes, including various Wikimedia sites, with pinches of salt duly applied), forums, well-written official documentation (yes, it does sometimes exist!), and the O'Reilly menagerie, than I ever did from my first university degree.

The university undergrad experience should really be more about a love of learning in general, learning how to transition into an adult, making new friends and networks, undertaking new experiences, and broadening your worldview.

Unfortunately, coming from a deathly-uninspiring smalltown background, after many years of teachers' strikes (where the teachers' "work to rule" neglected the unwritten part of their mission to help their students grow and blossom as well, unfairly hurting those who had no part in their battle), and then to a university that turned out to be rather more homogenous in its student cohort than the prospectus had implied (so that most of us had all had the same stunted childhoods (but of course were unable to realise that at the time)), meant that it wasn't quite the full experience that it should have been.

Claptrap314 Bronze badge

Re: My Computer Science and Engineering Degree taught zero practical skills

You speak like you expected/intended your education to be something that someone else gave you (at school), or perhaps a one-and-done sort of thing? How sad.

I learned more science by reading the 500 & 600 section and subscribing to Scientific American & National Geographic (back when they were useful) than there was ever hope for me to have learned in the thin slice of time listening to someone try to explain things they themselves barely understood in K-12.

As the previous poster mentioned, the critical skills that are needed are not "practical" (and don't go on a résumé).

1) The ability to learn new skills. The world is changing, you must keep up. I have literally had my job description completely rewritten between when I accepted the offer and when I showed up the first day.

2) The ability to recognize your own blind spots. The "unknown unknowns" are what kill us. Overcome Dunning-Kruger or be stuck being the one others clean up after.

3) Diligence. No matter how many layers we put between you and the bare metal, there will be tasks that are fundamentally repetitive and non-scriptable. (Think about writing good tests.) Disciplining yourself to doing it right every time.

Yeah, I was a hardass to my calculus students.

Anonymous Coward

only 9 months?

Someone check the Wayback machine. I'd bet it's never been secure (i.e. http always preferred over https).

Anonymous Coward

Re: only 9 months?

"Someone check the Wayback machine" - we've got a fully delegating manager type here folks. Don't see many of your sort round these parts.

Anonymous Coward

Re: Someone check the Wayback machine.

There's an app for that.

If that task is not in the existing contract, it'll cost you extra (and if it was in the contract, it's already cost the taxpayer far too much).

DJV Silver badge

"We take security very seriously"

That's right, keep parroting that obvious bullshit out! Sigh....

Snivelling Wretch

TV Licensing is run by Capita; 'nuff said.

wallaby Bronze badge

"TV Licensing is run by Capita; 'nuff said."

And we are forced by our government to use them or face a fine !!!!

The joys of privatisation

Chris Hills

Kind of, Capita gets the majority of the work but there are other contractors. I presume the BBC is responsible for the infrastructure?

Angry IT Monkey

Capita provide the secure payments side, I believe IBM host the rest.

Yes, I feel dirty defending Capita!

Teiwaz Silver badge

> Capita provide the secure payments side, I believe IBM host the rest.

> Yes, I feel dirty defending Capita!

Well, there's the reason then. Nobody left who has a clue at IBM?

Anonymous Coward

There are plenty of people left at IBM who have a clue. They just no longer care.

Anonymous Coward

"Nobody left who has a clue at IBM?"

It's a chargeable item that, definitely not included in the contract that the customer signed....

Doctor Syntax Silver badge

"I presume the BBC is responsible for the infrastructure?"

Why would they be?

FlamingDeath Bronze badge
Facepalm

Fucking Crapita

Who knew

Anonymous Coward

Why wasn't it mentioned in the article that Capita run this? Come on El Reg. It's kind of relevant. I know it's Friday but you haven't even been to the pub yet (I assume).

Alan Brown Silver badge

>> "I presume the BBC is responsible for the infrastructure?"

> Why would they be?

Because TV Licensing _limited_ - the privately owned company which is responsible for actually collecting TV licence fees - is a wholly owned subsidiary of the BBC which then contracts operations out to Crapita and IBM.

It's a nice incestuous little circle jerk when you start digging into it.

An ominous cow heard

Re: when you start digging into it.

"Because TV Licensing _limited_ - the privately owned company which is responsible for actually collecting TV licence fees - is a wholly owned subsidiary of the BBC which then contracts operations out to Crapita and IBM."

That's not quite how it works, according to published information. Maybe your description is equivalent, maybe no one has challenged it for the last few years, but here's an extract from an official description:

https://www.tvlicensing.co.uk/about/who-we-are-AB4

" 'TV Licensing' is a trade mark of the BBC and is used under licence by companies contracted by the BBC to administer the collection of the television licence fee and enforcement of the television licensing system.

The BBC is a public authority in respect of its television licensing functions and retains overall responsibility.

Responsibilities of TV Licensing contracted companies

Capita Business Services Ltd Administration and enforcement of the TV Licence fee.

PayPoint Plc Over-the-counter payment services in the UK mainland and in Northern Ireland.

[continues]"

If there was an actual "TV Licensing Limited" I would expect to see evidence somewhere (ultimately, official records at Companies House). Have you got any?

The big-picture concept of contracting this stuff (collection AND enforcement) out to organisations like Crapita and friends still stinks. As it often does elsewhere. But sometimes details matter, as well as the big picture.

chroot

HTTPS by default?

Now that Chrome makes it alarming to visit any HTTP site, why doesn't it just try HTTPS first? HTTP can be an optional fallback with an informative/alarming notice.

Anonymous Coward

Re: HTTPS by default?

Because some people may want to visit the http version of a site - for testing purposes for instance or the https version of the site may be an entirely different site altogether or a security or certificate problem may mean the https version is down while the http version is up etc etc.

Having a third party decide that it is going to disregard your wishes and the site owner's wishes is not a great solution - they'll be removing parts of the url completely next.

Maybe a popup to say there is a secure version of the site and would you like to visit it?

Maybe use HTTPS Everywhere extension which will use https?

Dave 15 Silver badge

scrap tv licence

Simplest answer

The BBC is just the government's propaganda machine anyway. Fund from general taxation and cut all the costs out straight off. They have a list of all the houses in the UK without a licence and bombard you with letters and visits demanding that YOU prove to them you don't need a licence with very threatening letters. Frankly better off without any of it.

BBC can be funded by either:

a) general taxation

b) pay per view/subscription like sky

c) advertising

d) selling their 'wonderful' programs (mmm... teletubbies, total crud, perhaps by having to sell the programs they might just decide to make programs worth the effort????)

The tv licence model is broken, out of date and ridiculous, like most other government taxation.

Long overdue to move to a single tax and single benefit system so we can really understand just how much we are being screwed by the government of the day.

Big John Silver badge

Re: scrap tv licence

> "The tv licence model is broken..."

No it isn't. Governments usually love to force propaganda on their citizens, and making them pay for it too just makes the operation that much sweeter.

FlamingDeath Bronze badge

Re: scrap tv licence

No idea why you have so many downvotes.

The BBC are happy enough to pay Gary Lineker, Chris Evans and Graham Norton, a ridiculous sum of cash for what is questionable talent.

If anybody has seen Idiocracy, it should be fairly obvious why TV is the way it is

Love Island?

Big Brother?

Celebrity get me out of here?

If these programs are not the result of an ever increasingly stupid population, I don't know what is

Anonymous Coward

Re: scrap tv licence

Not giving the BBC a carte blanche defence, but if you're going to criticise them, it doesn't help to back up the attack with...

> Love Island?

ITV

> Big Brother?

Formerly Channel 4, now Channel 5

> Celebrity get me out of here?

ITV

(Just to clarify for readers outside the UK- none of those are BBC stations).

Alan Brown Silver badge

Re: scrap tv licence

"scrap tv licence

Simplest answer"

Yes, but not for the reasons you're pushing.

Radio licensing was scrapped in the late 1960s for the simple reason that with the advent of transistorisation there were too many radio sets to keep track of and the licensing income wasn't worth the hassle. TV licensing was kept because TV sets were large, cumbersome and easy to track.

Times and technology have changed and now TV sets are as ubiquitous as radio sets were at the time their licenses were scrapped.

The assumption since the 1970s has been that "every house has a TV set and every one without a license is a dodger" - with "TV detector vans" mainly being minibuses and the "detectors" being people looking for aerials or the telltale signs of a TV in use (flickering lights and the warbling sounds of Coronation Street coming from premises which supposedly had no TV)

You'll notice that receiver licensing is no longer a radio regulatory job: that should give a big hint as to its actual necessity.

Aladdin Sane Silver badge
Mushroom

We take security very seriously

Lies.

0laf Silver badge
Thumb Up

Re: We take security very seriously

"We take our security very seriously, we don't give a fuck about yours.... unless the ICO is knocking on the door"

FTFY

Anonymous Coward

Re: We take security very seriously

*We take security very seriously

The cheque's in the post

The dog ate my homework.

Of course I love you.

I promise I won't cum in your mouth.

*Added to the list of the greatest lies ever told.

Anonymous Coward

Re: We "will briefly" take security very seriously

Corrected for you...

Alister Silver badge

Re: We take security very seriously

You forgot:

It's not you, it's me.

Fred Dibnah

Re: We take security very seriously

And:

I'm just out for a swift half.

Kane Silver badge

Re: We take security very seriously

And:

It's only the tip.

Nano nano

Re: We "will briefly" take security very seriously

Momentarily ...

Nano nano

Re: We take security very seriously

£350m a week for the NHS ...

Wincerind

Re: We take security very seriously

@Nano nano "£350m a week for the NHS ..."

Oh do give it a rest.

Loyal Commenter Silver badge

we're not aware of anyone's data being compromised.

Well, if you're not using HTTPS, you wouldn't be aware of it, almost by design. Not being aware of the man-in-the-middle doesn't mean he isn't there. All it takes is a poisoned DNS server, redirecting requests to a proxy, and someone can be listening in on all the unsecured connections for any domain that DNS server is serving up the address for.

NonSSL-Login

Or just someone on the same wifi network running wireshark or other tools. Requires catching the initial handshake but easy enough to disconnect a client and force it to reconnect to catch it.

Alan Brown Silver badge

"Well, if you're not using HTTPS, you wouldn't be aware of it, almost by design."

It would be "very good" if the ICO (or the EU privacy oversight watchdogs) declare that it's a prima facie data breach to use http for ANY kind of entry of personal data, regardless of provable data breach - and if there is a subsequent data breach then failure to use https adds a multiplier to the fines.

Anonymous Coward

Airline / Travel HTTP Crimes

Anyone noticed HTTP / HTTPS breaking while trying to Check-In online or when Printing a Boarding Pass? You're taken to the Parent-Airline site first to authenticate (HTTPS). But then they send you to the Subsidiary-Airline site (the airline you're actually flying with), to enter Passport and other personal details before issuing the final boarding pass.

That can even just be a random 3rd-Party site (again over HTTP only).... WTF airlines? Get your sht together! The only solution is hold off / don't use it, wait in line at the airport. Might be better anyway, as the amount of server-side user tracking is already toxic:

-

Emirates / Lufthansa dinged for slipshod online data privacy practices

https://www.theregister.co.uk/2018/03/05/emirates_dinged_for_slipshod_privacy_practices/

Alan Brown Silver badge

Re: Airline / Travel HTTP Crimes

"That can even just be a random 3rd-Party site (again over HTTP only)"

Any of this is grounds for a complaint to the ICO and making sure that El Reg (amongst others) has enough detail to make it impossible for the airlines to brush off or the government numpties to sweep under the carpet.

tallenglish

Yet another Crapita cockup

This is what happens when you don't pay your employees half enough or care about them, haven't a clue about what you're selling or care about the security of your clients.

Bet the details are stored in some plaintext file on the server too.

intrigid

TV licensing agency

Paying the government for the privilege of owning a magic picture device? The whole HTTP privacy debacle should be an afterthought. You Brits should hang your heads in shame for allowing such a ridiculous bureaucracy to exist in the first place.

Anonymous Coward

Re: TV licensing agency

Don't criticise someone else's crappy government until you've cleaned up & decrapified your own. Those who live in glass houses shouldn't throw stones.
