DVLA denies driving licence processing site is a security 'car crash'

A UK government agency has disputed complaints from security pros that its website involved in the processing of driving licence applications is insecure and otherwise unfit for purpose. Reader Andy, who asked to remain anonymous, alerted us to what he described as a "disgraceful web server configuration" at https://motoring. …


  2. Alister

    PCI-DSS is the credit card industry's security standard. Anyone who handles credit card payments is obliged to comply with its requirements.

    Does the DVLA site actually handle credit card payments? My recollection is it hands you off to SagePay or somebody for that process?

    1. wolfetone Silver badge

      It sends you off to WorldPay, but you still need to be compliant with the PCI-DSS thing.

    2. Anonymous Coward

      PCI-DSS Compliance

      PCI-DSS has different levels of compliance requirements that an institution may be required to comply with, even if they don't handle payment details but hand them off to a third party, e.g. WorldPay or Stripe.

      If they do handle the details themselves (card number, cv code and expiry date) then that's a whole world more painful so let's not go there.

      Anon because of reasons.

      1. Jonathan 27

        Re: PCI-DSS Compliance

        It's if you store any CC data. In the theoretical event that I wrote a site that used exclusively a 3rd party to process payments I would never record any of the information locally to get around having to have PCI compliance. You can also hand off the details to a second, more secure storage system that you also write and maintain, then only that needs to be PCI compliant.

        This is of course definitely a theoretical situation.

        1. Anonymous Coward

          Re: PCI-DSS Compliance

          Nearly correct, it's if you handle an unmasked PAN, CVV2, etc., not just storage in the traditional sense.

          Equally you can't store the CVV2 number or for that matter a copy of the tracks from the card's magnetic strip.

          Equally unless you use clear network segregation other systems could well be within scope of PCI...so if they take payments by phone the web site could easily still be a PCI compliance issue.

          This is not by any stretch of the imagination the DVLA's worst security issue in recent times involving piss poor web site security.

          Perhaps El Reg may want to submit an FOI request...the response would evidence the quality of the DVLA's incident tracking process if nothing else.

          1. Tatsky

            Re: PCI-DSS Compliance

            In my experience of PCI-DSS (a few years rusty), if handing off to a 3rd party you would still have to complete the Self Assessment D and ensure that your provider is PCI compliant.

            You would also have to answer any queries about MOTO payments (Mail order, Telephone Order) as your "personnel" would potentially be taking details over the phone and plugging them into a MOTO interface of some variety.

            If your systems store, transmit or touch card details in any way then you need to comply with higher levels of PCI. It's not enough to just "not store" the details; even having the card details pass through your server in some way before being routed on to a payment provider is enough to warrant higher level PCI compliance with at least quarterly vulnerability scans.

            There are some Gov websites which hand off to 3rd parties, and others handle the card payment within their application. The problem I think with PCI compliance is that anyone can stick a PCI compliance logo on their website, and it only becomes an issue if/when there is a leak of information tracked back to that store/site/application.

    3. indigomm

      Someone intercepting a card payment is bad. Someone being able to access my DVLA account and issue a new driving licence in my name to another address is terrible. Driving licences are effectively ID cards in the UK. I'm in the process of buying a house and the driving licence is the single piece of ID that ties it all together and is visually confirmed. Everything else I could easily forge.

  3. Rob Telford

    Hmm

    Blimey! Maybe they have taken notice? Or is that being too generous?

    As of a few seconds ago, this is what I get when attempting to connect

    https://motoring.direct.gov.uk

    "Service not available

    Sorry...

    The Driving Licence Online service is temporarily unavailable due to system maintenance. If you were in the middle of a transaction, any information you entered was not saved and you will not be charged. Please try again later. DVLA apologise for any inconvenience this may cause."

    1. Aladdin Sane

      Re: Hmm

      Probably the vulnerabilities being exploited.

    2. Anonymous Coward

      Re: Hmm

      Oops! This is an invalid link

      Sorry...

      You've selected an invalid URL. Go back to the motoring home page to select the correct service.

      Please use the link below to return to GOV.UK

      Return to the motoring home page

    3. macjules

      Re: Hmm

      Now you simply get an "Oops! This is an invalid link", but it looks like Capita the developer is still learning to code HTML.

  4. Anonymous Coward

    Suspect they finally noticed...

    Service not available

    Sorry...

    The Driving Licence Online service is temporarily unavailable due to system maintenance. If you were in the middle of a transaction, any information you entered was not saved and you will not be charged. Please try again later. DVLA apologise for any inconvenience this may cause.

    Please use the link below to return to GOV.UK

    Return to the motoring home page

  5. Korev Silver badge

    Would this lead to...

    ...Drive by attacks to the browser?

    1. Anonymous Coward

      Re: Would this lead to...

      ROFL open goal ha ha

  6. fluffybunnyuk

    Cool, expires 10th Jan 2020. See you back here when there's a renewal failure :)

    1. Anonymous Coward

      Could be sooner if it was issued by Symantec....

  7. adam payne

    The security certificates of all of our websites meet industry standards and we use recognised industry best practice methods to ensure that all our URLs are secure. The security of our customers' data is always paramount and we constantly review our websites to ensure they are fit for purpose.

    Instead of just dismissing everything why don't you work with the security professionals to look into the potential issues and fix them.

    1. Sgt_Oddball

      That requires that they listen and take criticism that they've got it wrong... instead of, say, claiming everything is fine and works with secure certificates because certificates just work, don't they?

      There are times where ignorance needs pointing out and arrogance has a light shone on its shortcomings. Especially with something with as much value as a UK driving licence (ID card, permission to drive in just about every country in the world, nothing much. Just generally an identity thief's wet dream.)

      I'd be more than happy to be wrong, it's just your comment is the management equivalent of 'thoughts and prayers'. They can just ignore it until the other party loses interest and the problem goes away.

      And I'm sorry if that sounds hypercritical of your comment but I've seen how these things can go.

      That said, after being shown up like this, I'd guess that the DVLA won't be so lax again anytime soon once they've brought the site back after fixing the issues raised here. So.... in a way they have worked with them to get it fixed. (Nice touch having the article on a Friday though. Well played El Reg)

    2. Doctor Syntax Silver badge

      "The security certificates of all of our websites meet industry standards and we use recognised industry best practice methods to ensure that all our URLs are secure. The security of our customers' data is always paramount and we constantly review our websites to ensure they are fit for purpose."

      Translation: "I work in PR. Understanding what you said isn't in my job description. Here's some boiler-plate."

  8. paulf
    Facepalm

    Funny Story about their ruddy Driving Licence website

    When I moved house a few years ago I had to do all the address change stuff which included my driving licence. Normally I would have put my new address on the back of the paper licence* and sent it to them in the post; job done. This time I thought I'd be clever** and use the DVLA website so it would all be sorted online to minimise the paperwork. I had to go through all sorts of steps including entering all my personal details, (IIRC) my NI number*** and my passport details. But it all went through, they accepted my new address and promised to issue updated documents.

    Then on the last screen it said: You're obliged by law to return both parts of your old licence in the post so we can cancel it. So it was a complete waste of time for me (but not for them as it handily linked my passport to my driving licence and NI number). Sigh - icon ->

    * It was back when the licence consisted of both a photo card and paper part

    ** Yes, I know!

    *** Social security number for Left Pondian types. The DVLA isn't quite as bad as the DMV is reported to be, but I think the promised trade deal with your current small handed incumbent may include completing the job of dragging the DVLA down to DMV levels.

    1. Anonymous Coward

      Re: Funny Story about their ruddy Driving Licence website

      Depends what states you are in PaulF. In California almost all forms are online and you can renew online. To change address you mail in a form. Alabama you must do everything in person. Oh and customer service changes from DMV office to office. When I went in to get my DL in Alabama the guy took 45 minutes (appointment so no waiting in line for me) and constantly had to ask for help. Took my photo and was like finally I'm done. Nope, he did not complete it on his end so I had to come back, take another photo and then I got my DL in 4 weeks. Funny thing is I had a valid paper DL.

  9. Colin 29

    Certificate chain

    If there's a problem with the certificate chain how come only Firefox is complaining about it and not all browsers?

    1. Alex Brett

      Re: Certificate chain

      Most likely because Firefox maintains its own set of trusted certificates, whereas IE and Chrome (for example) use the operating system's. It's quite likely the operating system has (or has at least cached) the intermediate certificates needed to complete the chain...

    2. DougMac

      Re: Certificate chain

      "If there's a problem with the certificate chain how come only Firefox is complaining about it and not all browsers?"

      Because every browser is different. Even different Chromium based browsers are different than Chrome itself.

      Firefox is a very different beast than Chrome or Safari. Firefox complains more about things like broken certificate chains vs. Chrome. Chrome complains about different things, like requiring SAN entries instead of depending on cn= in the X.509 cert.

      Thus if you run a web app, best to check it in all the major browsers.

      1. really_adf

        Re: Certificate chain

        "Thus if you run a web app, best to check it in all the major browsers.."

        True but primarily for application issues.

        For HTTPS configuration, running a test for that specifically (e.g. Qualys server SSL test) and actually understanding its results is best.

        In both cases, if you follow standards, there is a good chance you won't have any problem.

        Clearly, the DVLA (or subcontracted entity) didn't do this, which is a big fail.

      2. Doctor Syntax Silver badge

        Re: Certificate chain

        Thus if you run a web app, best to check it in all the major browsers.

        Once upon a time there was just HTML. The marketing wonks wanted control over layout and it all went downhill from there. Just make your site work without stupidities such as loading stacks of executable stuff from sites over which you've no control and guessing at what browsers the punter might actually have available. KISS

      3. ~chrisw

        Re: Certificate chain

        And stupid esoteric stuff like the need for IP SANs to also be included as DNSname SANs so Chrome understands them. Certificates are getting quite complicated. No wonder ukgov's IT bods can't even check they have it working in all browsers and old insecure server settings disabled, they probably don't even know what a chain cert is.

  10. Anonymous Coward

    Contractors innit

    I believe Serco are responsible for the DVLA website. The DVLA binned their in-house programmers some years ago. Whether or not the work is being undertaken in the UK is open to question.

    Nonnymouse 'cos I worked there.

  11. Anonymous Coward

    Actually just noticed it can use TLS 1.0 with TLS_RSA_WITH_3DES_EDE_CBC_SHA ... cool!!!

    Triple DES someone should have taken it round the back of the shed long ago and shot it...

  12. Anonymous Coward

    How about the DVLA being a usability car crash generally?

    I just had to renew my photocard licence. If you don't have a passport, then you have to do it offline through a properly equipped post office, which you can find by <URL that 404's> or <telephone number that's disconnected>. Rolling my eyes and just turning up at my local post office I discovered that they couldn't do it as their post office franchisee didn't want to pay many thousand quid for a machine with a non-existent return on investment.

    After visiting five separate post offices in two separate towns and encountering the same problem, the girl behind the counter at the last one suggested them doing a passport photo and then sending it off via the old paper form, which they did have.

    It then transpires that the DVLA requires payment via cheque, which my bank is doing its best to phase out so hasn't provided me with a cheque book. My bank also won't print single cheques and won't provide a banker's draft but can provide me with a cheque book in a "few weeks" at additional cost. (Note that the time taken to print and deliver a cheque book is longer than the deadline from the DVLA for submitting the application.) You can't post cash to the DVLA as their staff aren't trustworthy enough, and they won't do credit cards for a paper application.

    Happily, my employer does have a cheque book for the business and was happy to write me one, so I got around it that way, but... FFS DVLA?! Could you make a simple job any more difficult?

    1. Anonymous Coward

      Can you read?

      Renewal by post is explained on the notice you were sent and on the DVLA website. Renewal notices are sent out a month before the licence expires, so there's no excuse for being a dick.

    2. Doctor Syntax Silver badge

      "Could you make a simple job any more difficult?"

      Remember that well known training programme on all things relating to HMG administration, Yes Minister. Being sent to the DVLA was one of the ultimate threats for a Civil Servant (the other was RAF Lossiemouth). They're all trying to exhibit their red tape credentials in hope of being posted back to London.

  13. steviebuk Silver badge

    The site...

    ...appears to now be dead.

    1. Anonymous Coward

      Re: The site...

      "...appears to now be dead." If only the same could be said of many government agencies. I bet the DVLA have one of those Chief Digital Officers in charge too because the old CIO said it was a dumb idea and they couldn't do it because of rules n stuff.

    2. Sgt_Oddball

      Re: The site...

      If you can't access it, then neither can the hackers. Very secure now surely?

  14. Anonymous Coward

    Chain

    They fixed the chain issue about half an hour ago..

    Looks as though somebody took some notice..

    1. Aladdin Sane

      Re: Chain

      Now I have the Formula 1 theme tune in my head.

  15. Anonymous Coward

    DVLA - reasons to strafe Swansea

    A while ago I worked for a local authority and had to set up an interface to get enhanced ownership information on cars that had got a parking ticket. The old ISDN based system was being phased out for a "new" system based round the Government Secure network that had been set up in the wake of some data breach.

    The whole process was simply agonising at every stage and I was actively looking for a suitable plane to do the strafing. I gather that their offices are a good way outside Swansea itself so loss of innocent life would have been minimal

    AC for obvious reasons, not least that I have a driving license.

    1. BebopWeBop

      Re: DVLA - reasons to strafe Swansea

      Not only outside central Swansea, but a very prominent (and gawd awful building as well)

    2. Anonymous Coward

      Re: DVLA - reasons to strafe Swansea

      According to the Daily Red Tops, none of the nasty parking companies who are fleecing lazy parkers don't have a problem getting that info.

      1. Aladdin Sane

        Re: DVLA - reasons to strafe Swansea

        Reasons to strafe Swansea - the lesser known hit by Ian Dury and the Blockheads.

  16. FlamingDeath Silver badge

    Why are there so many chumps and why do they all work in government departments?

    I wonder if it's a prerequisite in the interview process

    1. Julian 16

      As someone said further up the thread, the DVLA site is contracted out so it's a private chump rather than a public one that has screwed up.

  17. Boris the Cockroach Silver badge

    I wondered

    why I couldn't renew my vehicle tax on my secured Linux laptop using Firefox.

    Kept coming up with "certificate chain not secure" and blocking the site.

    It's a web server ffs......... can't DVLA read "Websites for Dummies"....

  18. Borg.King

    theregister.co.uk gets an F at securityheaders.io

    stones, glass houses et al.

    1. Sgt_Oddball

      Re: theregister.co.uk gets an F at securityheaders.io

      Whilst actually true, it really misses the point. Namely that The Register isn't taking credit card payments through their website and the only details they have on me are minimal details that can be garnered anyway from other websites given a little time (I'm thinking professional communities here). Woohoo, nothing that's particularly worth securing.

      Or do you know something the rest of us don't?

      1. AndrueC Silver badge

        Re: theregister.co.uk gets an F at securityheaders.io

        "Whilst actually true, it really misses the point. Namely that The Register isn't taking credit card payments through their website and the only details they have on me are minimal details that can be garnered anyway from other websites given a little time (I'm thinking professional communities here)."

        I take your point but out of curiosity I pointed the test at my personal web server's front end. I got capped at a B rating because 'This server accepts RC4 cipher, but only with older protocols.'.

        So that's a web server running in my spare bedroom using a low-cost Windows solution (VPOP3 for anyone interested). All I did was buy a certificate and install it.

        Yes, The Register doesn't know much about me (only a disposable email address) but still. It's a technical site that loves to pick apart technology and gloat over its failings.

  19. unwarranted triumphalism

    Another vicious unprovoked attack on the motorist

    British Cycling is located on Stuart Street, Manchester M11 4DQ. Just sayin'

  20. Will Godfrey Silver badge

    Just a reminder

    These were the people who in the 1970s managed to lose a huge number of driving license records. Their answer when you wanted a renewal was that you should get a reference from a 'professional person' stating that you previously had one.

    Clearly they are maintaining standards.

  21. Anonymous Coward

    I particularly enjoy the (lack of) joined up thinking at the Government;

    https://www.gov.uk/service-manual/technology/using-https

    Quite incredible that they recommend the use of HSTS and then spectacularly fail to implement it on DVLA license renewal - one of their most high profile public service sites..

    But they use industry best practices for securing URLs.. so we are told! :D

    1. ~chrisw

      As usual, it's rare that project managers action any of the sensible things recommended by consulting engineers, because that would skew the delivery timetable and budget forecast right off. Can't be having that. Bloody engineers always sticking their noses in, going on about 'industry best practices'.
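The three technical complaints running through this thread (the incomplete certificate chain that only Firefox rejected, TLS 1.0 with TLS_RSA_WITH_3DES_EDE_CBC_SHA still on offer, and HSTS recommended by the GOV.UK service manual but absent from the site) can be turned into one defender-side check. The code below is an added example, not from the article, the DVLA or any commenter; the scan data, every name in it, and the one-year HSTS threshold are constructed assumptions, and the chain walk models a client that only holds its own trust store unless you pass it cached intermediates.

```python
"""Audit a captured HTTPS configuration for the faults discussed in this thread:
an incomplete certificate chain, legacy protocols/ciphers and a missing HSTS header."""

# Constructed sample of what a TLS scanner and an HTTP probe might report for a
# misconfigured host. Every name and value here is illustrative, not real output.
SAMPLE_SCAN = {
    "protocols": ["TLSv1.0", "TLSv1.1", "TLSv1.2"],
    "ciphers": [
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    ],
    # Certificates the server actually sent, leaf first, as (subject, issuer).
    # The intermediate is absent, which is the "broken chain" symptom.
    "sent_chain": [("CN=service.example", "CN=Example Issuing CA")],
    # Root subjects a strict client (one that uses only its own store) trusts.
    "trusted_roots": ["CN=Example Root CA"],
    "headers": {"Content-Type": "text/html"},
}

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("3DES", "DES_CBC", "RC4", "NULL", "EXPORT", "MD5")
ONE_YEAR = 31536000  # assumed minimum max-age; matches the HSTS preload requirement


def weak_protocols(protocols):
    """Return the offered protocol versions that should be disabled."""
    return [p for p in protocols if p in WEAK_PROTOCOLS]


def weak_ciphers(ciphers):
    """Return suites built on 3DES, RC4, NULL, export or MD5 primitives."""
    return [c for c in ciphers if any(m in c.upper() for m in WEAK_CIPHER_MARKERS)]


def chain_status(sent_chain, trusted_roots, extra_certs=()):
    """Link the leaf to a trusted root using only what the server sent plus
    any certificates the client already holds.

    extra_certs models an OS store that cached the intermediate on an earlier
    visit, which is why one browser can accept a chain that another rejects.
    """
    known = dict(list(sent_chain) + list(extra_certs))
    subject, issuer = sent_chain[0]
    seen = {subject}
    while issuer not in trusted_roots:
        if issuer == subject:
            return "untrusted-root"          # self-signed top nobody trusts
        if issuer not in known:
            return "missing-intermediate"    # server must send this cert
        if issuer in seen:
            return "loop"
        seen.add(issuer)
        subject, issuer = issuer, known[issuer]
    return "complete"


def hsts_status(headers, min_age=ONE_YEAR):
    """Classify Strict-Transport-Security: missing, invalid, disabled
    (max-age=0), short (below min_age) or ok. Header lookup is case-insensitive."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return "missing"
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        directives[name.lower()] = val.strip().strip('"')
    try:
        max_age = int(directives["max-age"])
    except (KeyError, ValueError):
        return "invalid"
    if max_age == 0:
        return "disabled"
    return "short" if max_age < min_age else "ok"


def audit(scan, extra_certs=()):
    """Collect human-readable findings for one scan result."""
    findings = [f"legacy protocol offered: {p}" for p in weak_protocols(scan["protocols"])]
    findings += [f"weak cipher suite offered: {c}" for c in weak_ciphers(scan["ciphers"])]
    chain = chain_status(scan["sent_chain"], scan["trusted_roots"], extra_certs)
    if chain != "complete":
        findings.append(f"certificate chain: {chain}")
    hsts = hsts_status(scan["headers"])
    if hsts != "ok":
        findings.append(f"HSTS: {hsts}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_SCAN):
        print(line)
```

Feeding real scanner output into `audit` is left to the reader; the point is that the same chain passes once the intermediate is supplied via `extra_certs`, which is exactly the Firefox-versus-Chrome difference the thread describes.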

  22. Wolfclaw

    They'd soon fix it all, if it stopped them getting their nice cushy kick backs from scumbag parking enforcement companies for our details !

  23. MrChris

    Time travelling security research?

    So reporting on an error that happened a month ago.

    The site seems to be working now.

    Come on reg, try to keep it current

  24. Cfergie

    SO MY FATHER WAS ABLE TO DO THIS ONLINE WITHOUT A CHECK

    Very Dissatisfied with DVLA licensing

    I emailed DVLA regarding the renewal of my father's driving licence as it expired on the 18th Feb this year & my father will be 70 on the 22nd March so therefore skips the resit .. I however emailed DVLA to inform them due to my father having medical conditions a brain aneurysm a heart condition & mental health issues due to him being in a drug induced coma for 5 days ... I informed them my father was a danger on the road to himself & others .. On thinking I was doing the right thing since this my father has been issued with his new driving licence & is still a hazard to himself & others I am absolutely furious he just passed a medical he said which I doubt but no resit? Beyond me if he kills himself or someone on the road on their own head be it TOTALLY UNPROFESSIONAL & SHOCKING DVLA CAN NO LONGER BE TRUSTED TO DO THE RIGHT THING .....

    1. Anonymous Coward

      Re: SO MY FATHER WAS ABLE TO DO THIS ONLINE WITHOUT A CHECK

      I'm not sure what the bigger issue here is...your Dad or your reaction.

      Can I suggest if this is the issue you portray it to be, you hand the details over to the Police who deal with dangerous driving.

    2. Anonymous Coward

      Re: SO MY FATHER WAS ABLE TO DO THIS ONLINE WITHOUT A CHECK

      What proof of your identity can you provide in an email? If your licence was suspended because I sent the DVLA an email claiming you had medical problems, would that be okay?

      You need to speak to your father's doctor to get him to have the licence suspended.

    3. unwarranted triumphalism

      Re: SO MY FATHER WAS ABLE TO DO THIS ONLINE WITHOUT A CHECK

      THIS IS AN OUTRAGE I AM GOING TO SCREAM AND SCREAM AND SCREAM UNTIL I AM SICK

    4. Wayland

      Re: SO MY FATHER WAS ABLE TO DO THIS ONLINE WITHOUT A CHECK

      Obviously your father feels his driving is up to standard. If my son was like you I'd ignore him.

  25. JeffyPoooh

    Paltering

    "The [DVLA's] boilerplate response whilst in one area factually correct, seems to miss the point."

    pal·ter - mid 16th century (in the sense ‘mumble or babble’): of unknown origin; no corresponding verb is known in any other language.

    The word "Paltering" is being resurrected to describe such examples. Now we just need to have paltering made into a criminal offence.

  26. rnorman345

    This is not the first time that a gov.uk site has been found lacking. If their statement that ' .. conforms to industry standards' is defensible then those standards need an immediate review. I do not need to remind the group that there is a young man awaiting his fate for playing on the US govt sites - and that was just for fun!

    It would not be so bad had the agency not had FREE access to some of the best security advice in the world and could simply have had the site tested for them by a third party.

  27. rnorman345

    What?

    This is not the first time that a site linked to gov.uk has been found lacking. If their statement that ' .. conforms to industry standards' is defensible then those standards need an immediate review. I do not need to remind the group that there is a young man awaiting his fate for playing on the US Govt sites - and that was just for fun! It would not be so bad had the agency not had FREE access to some of the best security advice in the world and could simply have had the site tested for them by a third party.

  28. fammorris

    DVLA is indeed a car-crash. For some weeks I've been trying to apply for my new licence for my upcoming 70th birthday.

    Using Microsoft Edge, I can't get beyond the first couple of pages before it fails. Using Google Chrome it is a bit of a nightmare because it can drop out anywhere, including the last couple of pages.

    So far I am yet to complete the form.

    I know from other websites what happens when security certificates are not up to date. This sort of issue should not be a problem for a Government Agency, ultimately paid for by the tax payer.
