back to article MI5 stinks up website with dead SSL certificate

Blighty's intelligence agency MI5 forgot to replace the expired digital certificate for its website over the weekend. The schoolboy error meant anybody trying to securely access the Security Service's site - perhaps to report suspected terrorist activity - would have been warned by their browser that the connection was …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    FAIL

    Least they get value for money given what they pay. :(

  2. John G Imrie Silver badge
    IT Angle

    The problem must be

    No one in IT working over the weekend.

    IT icon for where's the IT staff.

    1. My Alter Ego
      Pint

      Re: The problem must be

      Bad excuse, our most recent certificate was created on the 19th December 2011, and expires on the 12 January 2015, replacing the previous cert that expired on the 12 January 2012.

      You should always be able to start using the new cert before the old one expires, meaning your IT staff can can enjoy an alcohol fuel weekend.

    2. ElNumbre

      Re: The problem must be

      I assume the digital certificate procurement consultant didn't hand the issued certificate to the secure certificate logistics consultant who could then pass it to certified digital certificate installation consultant.

      You know the old saying - "Hire Capita*, get consultants".

      * or any of the other outsourcing IT companies.

  3. My Alter Ego
    Coat

    Perhaps it was deliberate

    Training people to get used to clicking continue whenever they see an invalid certificate warning means they can MITM SSL connections a lot easier.

    Mine's the one with the tin foil hood.

  4. LinkOfHyrule
    Coat

    "Since the MI5 website redirects to an SSL/TLS HTTPS-only version, they have effectively created a Denial of Service attack on themselves,"

    They better bloody arrest themselves then and do some self waterboarding (instructions are available on certain adult websites) and then ask the US if they can be extradited and sent to gitmo.

    Theirs is the orange boilersuit.

  5. Anonymous Coward
    Anonymous Coward

    I reckon it's a trick.

    Anyone who clicks through is automatically deemed too stupid to have a job.

  6. mike2R
    Boffin

    "The digital paperwork expired on Sunday, 16 April, and a new one was installed on Monday morning. "

    Just to point out that today is Monday, 16th April. Sunday was the 15th.

    1. AlexS
      Facepalm

      Ahh that's it

      MI5 are using the same Calendar software as The Register. Clearly it doesn't handle leap years.

    2. mike2R
      Go

      I see the article has been updated.

      But what does this mean? Is there a weakness in the Gregorian calender?

      WE SHOULD BE TOLD!?!

  7. koolholio
    WTF?

    Use of terminology

    Denial of service is classed as a DDoS, Comms blocking or disconnection.

    An alert is not a denial of service, it is purely a programmatical/human/weekend working error!

    An expired SSL certificate (used mainly in HTTPS connections) are rarely a 'secure' method using consumer based cryptography, as multiple protocol level exploits and stolen certificates have proved!

    1. Trollololololol'd?

      Re: Use of terminology

      DoS stands for Denial of Service. If you can't use the service, then it is a Denial of Service condition, regardless of the cause.

      DDoS stands for Distributed Denial of Service and it means that the DoS was caused by multiple sources. A DDoS is a type of DoS.

      You give off the perception that you are throwing around terms that you don't understand to try to sound smart.

      If someone was willing to click through regardless of the SSL error then they could still get the service and it wasn't a DoS condition, but if some people were not clicking through then they weren't getting service and it is fair to say there was a DoS condition.

  8. Anonymous Coward
    Anonymous Coward

    "'This connection is untrusted' web browser warnings do not give the impression of professional competence and respect for internet confidentiality, which potential users of their SSL/TLS encrypted 'Reporting suspected threats' web form should expect, and upon which their lives and the lives of potential British targets may depend on."

    The last "on" is redundant as, I suspect, is their reputation.

    1. Chris Sake
      Joke

      Yes, it is a hanging preposition.

  9. Anonymous Coward
    Anonymous Coward

    What, nobody making the obvious comment?

    Nobody taking the obvious comment? then I shall:

    Do you trust ANY government's web sites? Valid cert or no....

  10. Daniel B.
    FAIL

    Someone made a doo-doo

    If the cert is valid since 25 March, 2012 ... someone didn't do their job. You should be replacing the cert as soon as you get the new one (and it's valid) instead of waiting 'till the very last moment.

  11. ShelLuser
    FAIL

    Utter fail

    Like, its not as if you can't know up front how long your certificate will be valid....

  12. Christian Berger Silver badge

    Luckily

    Since terrorism is more of a figment of the sick imagination of some rulers than an actual problem (meaning there are _far_ worse actual problems), it's not a problem if the site is down for a bit.

  13. David Gale

    Why?

    Why are they buying third party certificates?

    1. dajames Silver badge
      Big Brother

      Re: Why?

      "Why are they buying third party certificates?"

      They have their own CA, I'm sure ... but if you knew their root cert they might have to shoot you!

  14. This post has been deleted by its author

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019