Yawn
In other news, their coffee machine has run out of sugar.
The Metropolitan Police has allowed its SSL certificate to expire, possibly exposing users of its website to criminal snooping – and leaving victims and witnesses of crime vulnerable to exploitation. With shocking disregard for the most basic standards of web security, the Met have allowed their SSL certificate for https:// …
An anonymous tip-off told The Register the certificate expired yesterday, leaving the public without a secure means of visiting the site over both days.
This is nonsense, the traffic is still encrypted, you just don't get confirmation you're connected to who you think you are.
With shocking disregard for the most basic standards of web security,
Um, El Reg doesn't even offer https connectivity, which is more shocking?
why would it need to ? What sensitive information is passing between you and Reg Towers ?
That said, if we arrive at an encryption everywhere state of affairs (with the security services going all over the media explaining their confusion at such a thing happening) then using encryption ceases to become a red flag to the cops.
Seriously JimmyPage, you think that there is no reason that The Register doesn't fork out £30 for a Secure Cert.
As your login is sent in plain text, any of your company admins could capture your login details (many IDS will automatically alert the sysadmin to unsecured passwords being used). Now all your anonymous posts that might have criticised a colleague, boss or your company's working practices are available to blackmail you with or get you fired. Or a message could even be posted in your name, your password changed, and then the details of such a post find their way to your manager.
Plenty of people have posted on The Register with information regarding a news story and have gone anonymous because they work for them or used to work for them.
For such a basic and simple thing The Register cannot criticise anyone over poor security when it comes to certificates.
"Plenty of people have posted on The Register with information regarding a news story and have gone anonymous because they work for them or used to work for them."
Not only that but The Register has become a focus for those of us who are against the surveillance dragnet. My name's already on the list, obviously (although I strongly support the *targetted* work done by our intelligence services), but as the net closes in, forums like this will need stronger protection.
"...Plenty of people have posted on The Register with information regarding a news story and have gone anonymous because they work for them or used to work for them...."
Well I hope they weren't logged in at the time they went "Anonymous" because if they did those alleged "Anonymous" posts show up in your "My Posts" timeline. That's about as anonymous as a see-through burka.
It's not nonsense. Not getting reliable confirmation of who you are connecting to means exactly that: although the traffic is encrypted, the receiver of the message can read it, and you don't know who that is!
You don't have a secure means to connect to the site if there is nothing that guarantees you are connecting to the site and nobody else. And what happened is exactly what criminal hackers who can't provide a legitimate certificate would do: they provide one that isn't quite right and hope that you continue.
It would be great if all the browser manufacturers entered an agreement to just not accept such certificates. Put up a display with the most severe warning, and with no way to continue.
An expired cert means exactly that - an expired cert. While it's certainly a mistake to have allowed it to happen, it doesn't make a site any less or more secure than it was before. The cert is the same, it's just expired and that throws up a warning in a browser that says something to that effect.
The danger is not that some hackers will replace the real site without anyone noticing but that the extra warning that people have to confirm and click through might deter someone from reporting a crime.
So in that sense it's bad. Because the cops forgot to pay their "security tax" on time, real crime might go unreported. It also demonstrates why CA signing and short cert expiration is such a bad idea to begin with. Buying a new cert doesn't make the site more secure - it just makes the scary popup go away.
The fact that the certificate has expired today does not make it any less secure than it was yesterday.
The expiry date is simply an arbitrary value applied by the CA, calculated on the basis of how much money you are willing to pony up. It has nothing to do with security per se.
There may well be perfectly good reasons to regularly update your certificates, but the calendar rolling over isn't one of them.
Yup, the only reason you even notice is that certain browsers kick up a stink about it. As for the risk of compromise increasing over time, I'd have thought that the efforts of miscreants would be more likely focussed on shiny, new certs where there's more mileage in the exploit.
Not too long ago this particular error would be ignored for the irrelevance it is. While the fuss made now is in theory correct, in practice it comes up so often it merely encourages reflex clicking through SSL errors. A Very Bad Thing Indeed.
"You are incorrect. Invalid SSL certificates (irrespective of the reason that they are invalid, such as expiration) can and do facilitate seamless MITM attacks, and leaving them expired is suicidally stupid."
Don't be silly. The cert is still signed, it's just expired. The risk is the astronomically small chance that someone might have used the extra few days to crack the key in some manner to impersonate it, and the much larger risk that someone reporting a crime might be deterred by a scary dialog box in the browser.
Certificate expiration and CA signing is simply a protection racket. If the Met had created their own cert with an expiration 30 years from now and had it signed by government departments, Scotland Yard, and various other courts, police forces etc. it would have been a far more trustworthy token of the site's authenticity. But they can't do that because CA based SSL certs are broken by design for the enrichment of the companies that issue them.
And here we see a real world potential consequence of that racket.
"The cert is still signed, it's just expired. The risk is the astronomically small chance that someone might have used the extra few days to crack the key"
You have missed the point.
One possible scenario:
1) A site with a sizeable number of users leaves its certificate expired for a significant period of time.
2) A sizeable percentage of those users will not proceed beyond the browser warning, but many more will add the site to their browser exception list, and proceed on to the site.
3) After hours/days/weeks/whatever, a MITM attack is carried out, redirecting the site to an attack site with an invalid certificate and the same domain. As long as the site name is the same, the browser exception will allow the invalid certificate, and the user will not be warned of the deception. Pain, compromise, and malware will then follow.
There's no cracking of SSL certificates involved, because there does not need to be. Moaning (rightly or wrongly) about how much certificates cost and how it's all a racket is completely irrelevant with regard to the risk of allowing expiry; if you use a certificate to protect customer data or process financial transactions and you willfully allow that certificate to expire you should expect that major legal and financial trouble may be on its way.
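The three-step scenario above turns on one detail: what the browser's "add an exception" actually remembers. The following is an added example, not code from the article or from any commenter, that models the three independent checks a TLS client makes (trusted chain, name match, validity period) and then contrasts two constructed exception stores: one keyed by hostname alone, which is the weakness step 3 relies on, and one keyed by the fingerprint of the exact certificate the user accepted. The `Cert` class, the hostname `reports.example` and the certificate bytes are all constructed stand-ins, not a real X.509 parser or real certificates.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    """Stand-in for the fields a TLS client checks. Constructed for this
    example; a real client parses these out of the X.509 structure."""
    hostname: str         # name the certificate claims (CN / SAN)
    not_after: datetime   # end of the validity period
    issuer_trusted: bool  # chains to a root in the client's trust store
    der: bytes            # encoded certificate; hashed for the fingerprint

    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()


def validation_errors(cert: Cert, expected_host: str, now: datetime) -> list:
    """The three independent checks a browser performs. Expiry is only one of
    them: an expired certificate can still have a good chain and a good name."""
    errors = []
    if not cert.issuer_trusted:
        errors.append("untrusted issuer")
    if cert.hostname != expected_host:
        errors.append("hostname mismatch")
    if now > cert.not_after:
        errors.append("expired")
    return errors


class HostKeyedExceptions:
    """Exception remembered by hostname alone: any bad certificate for that
    name is then waved through, which is what step 3 of the scenario exploits."""
    def __init__(self):
        self.hosts = set()

    def remember(self, host: str, cert: Cert) -> None:
        self.hosts.add(host)

    def allows(self, host: str, cert: Cert) -> bool:
        return host in self.hosts


class FingerprintKeyedExceptions:
    """Exception bound to the exact certificate the user inspected and accepted.
    A different certificate for the same name triggers a fresh warning."""
    def __init__(self):
        self.pins = set()

    def remember(self, host: str, cert: Cert) -> None:
        self.pins.add((host, cert.fingerprint()))

    def allows(self, host: str, cert: Cert) -> bool:
        return (host, cert.fingerprint()) in self.pins


def connect(host: str, cert: Cert, now: datetime, exceptions) -> str:
    """Outcome of one connection attempt as the user would experience it."""
    if not validation_errors(cert, host, now):
        return "ok"
    if exceptions.allows(host, cert):
        return "silently accepted via stored exception"
    return "warning shown"


def run_scenario(exceptions) -> dict:
    """Steps 1 to 3 of the scenario, with constructed certificates."""
    host = "reports.example"
    day1 = datetime(2025, 6, 1, tzinfo=timezone.utc)
    # Step 1: the site's genuine certificate, properly chained, but expired yesterday.
    genuine = Cert(host, datetime(2025, 5, 31, tzinfo=timezone.utc), True,
                   b"constructed-genuine-cert")
    # Step 2: the user sees "expired", clicks through, and an exception is stored.
    first = connect(host, genuine, day1, exceptions)
    exceptions.remember(host, genuine)
    # Step 3: weeks later an interposer presents its own certificate for the same name.
    later = datetime(2025, 7, 1, tzinfo=timezone.utc)
    impostor = Cert(host, datetime(2030, 1, 1, tzinfo=timezone.utc), False,
                    b"constructed-impostor-cert")
    return {"first_visit": first,
            "impostor_visit": connect(host, impostor, later, exceptions)}


if __name__ == "__main__":
    print("host-keyed:       ", run_scenario(HostKeyedExceptions()))
    print("fingerprint-keyed:", run_scenario(FingerprintKeyedExceptions()))
```

With the host-keyed store the impostor's untrusted certificate is accepted without any warning, exactly as the scenario describes; with the fingerprint-keyed store the user gets a new warning, because the stored exception covers only the certificate they originally looked at. Real browsers differ in which of these they do, which is why the defender's answer is still not to let the genuine certificate lapse in the first place.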
Back in my student days, the secretary of the junior common room got bored and ceased answering comments and complaints in the Whinge Book. I found I was able to imitate his signature, and put in some outrageous replies. Someone must have then spoken to him, because real replies started to appear, for the first time in yonks.
So someone who imitates you can trash your reputation.
Whenever SNAFUs like this happen, there's always a cabal of people (usually with vested interests) that condescend with "it's not like the end of the world".
True, it isn't. However, it does reveal the lack of process and oversight behind the operation. If it's just El Reg, hardly a worry. More worrying if it's a bank. And very worrying if it's men with guns with a proven track record of murdering innocent civilians.
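The "lack of process" point is the one a defender can actually fix: a renewal is a calendar event, so it can be monitored. The following is an added example, not from the article or any commenter, of the check a monitoring job would run. It works on a certificate dictionary in the shape Python's `ssl.SSLSocket.getpeercert()` returns and parses the `notAfter` string with the standard library's `ssl.cert_time_to_seconds()`. The `SAMPLE_CERT` dictionary, the hostname `reports.example` and the 30/7-day thresholds are constructed for the example; `check_live_host` is the hook for a real host and is not exercised here because it needs network access.

```python
import calendar
import socket
import ssl
import time


def days_until_expiry(cert: dict, now: float) -> int:
    """Whole days between `now` (epoch seconds) and the certificate's notAfter.
    `cert` has the shape ssl.SSLSocket.getpeercert() returns, whose notAfter
    string ssl.cert_time_to_seconds() parses. Negative means already expired."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires - now) // 86400)


def grade(days: int, warn_days: int = 30, crit_days: int = 7) -> str:
    """Map days remaining to an alert level a renewal process can act on.
    The thresholds are constructed defaults; pick ones that match your lead time."""
    if days < 0:
        return "expired"
    if days <= crit_days:
        return "critical"
    if days <= warn_days:
        return "warning"
    return "ok"


def check_cert(cert: dict, now: float) -> tuple:
    """(days remaining, alert level) for a getpeercert()-style dictionary."""
    days = days_until_expiry(cert, now)
    return days, grade(days)


def check_cert_on_date(cert: dict, year: int, month: int, day: int) -> tuple:
    """Same check evaluated at midnight UTC on a given date (handy for tests)."""
    return check_cert(cert, calendar.timegm((year, month, day, 0, 0, 0)))


def check_live_host(host: str, port: int = 443, timeout: float = 5.0) -> tuple:
    """Fetch the served certificate and grade it. With default verification an
    already-expired (or otherwise invalid) certificate aborts the handshake,
    which for a monitor is the most severe finding, so it is reported rather
    than raised. Needs network access; not exercised in this example."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return -1, f"invalid: {exc.verify_message}"
    return check_cert(cert, time.time())


# Constructed sample in getpeercert() format; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "reports.example"),),),
    "notBefore": "Jun 15 12:00:00 2024 GMT",
    "notAfter": "Jun 15 12:00:00 2025 GMT",
}

if __name__ == "__main__":
    # Two weeks before expiry: a warning the renewal owner should be chasing.
    print(check_cert_on_date(SAMPLE_CERT, 2025, 6, 1))
    # The day after expiry: the state the site in the article was found in.
    print(check_cert_on_date(SAMPLE_CERT, 2025, 6, 16))
```

Run from cron against the hostnames you are responsible for, the "warning" and "critical" levels arrive weeks before the browser popups do; the handshake failure branch in `check_live_host` is what you see once it is already too late.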
Their SSL cert may be borked, I bet their pensions aren't.
So I have some crime-busting information, or just want to look up who to contact?
As a geek I'll examine the certificate, come to the same conclusion as El Reg, and accept the warning and continue as normal. No problem. Meanwhile my well-trained partner and 99% of humanity would see the danger warning and obey, retreating and not using the website for its purpose. That's the issue: the Met has stuffed one of its lines of information, a less serious issue than losing the switchboard. It should be a lot simpler to fix. They could get a Class 1 certificate up in minutes to clear the site warnings while the culprit gets the extended validation jobby sorted before falling down the stairs - oops!
Simply because it mirrors the screaming and wailing that all the security services out there are producing about us reasonably intelligent technology users having access to reasonably decent encryption to protect our data.
You may be OK with the screeching, but it's kinda irritating reading the whole spiel letting me know how certs work and why that may be a problem. That places most of the content (including the tone) at Daily Mail level. If that is what it takes to write the body of the article it means there is really no news at all.
From a risk perspective, an MITM attack is still possible with a valid cert (of 100 users I reckon 98 will just click through the browser warning, and the 2 that do check will OK it if the domain name looks vaguely OK) so I really can't buy into the "sky is falling" message either for the two days that this exposure exists. Except for a slightly less visible MITM attack the traffic is still encrypted in transport.
I use an app called News360 for reading El Reg (and a few other blogs) and, when I attempted to post a comment on an article this morning, instead of the usual "your comment will be updated shortly…" banner, I was taken to a page with "Sorry, you're blocked!", in big, bold type, followed by some blurb about something called CloudFlare, a code, and my IP. Being autistic, and not understanding what the feck any of this meant, I began to rack my brain (or whatever passes for it these days) trying to figure out what on Earth I could POSSIBLY have said to get myself banned (this is literally the only forum, of those to which I've posted, from which I've yet to be excluded).
I then accessed the site via Safari, and did a test post (think it was on the Barry Obama article if memory serves, remove it) and that posted fine. I'm back reading via News360 again (hence the header). I've a screenshot of the offending page, if it'd be useful to anyone.
If I am barred from posting, it'd be good to know why, and why I've never received any communication from The Vultures' Nest (do vultures build nests…? I assume they do) as to why and, besides, you're usually allowed a couple of transgressions before the door's slammed on yer arse! Have I REALLY upset folk round here that much that I don't even merit a single warning…?! If I have, well I have, I can't help being how I am, I'd explain why, but it's too fantastic to be believable.
I'm feeling extremely low at the minute and, when I get like this, what little understanding I have of the world deserts me and, frankly, it's fucking terrifying; my grip on reality is tenuous enough when my head's functioning (well for any value of functioning, any road) but, right now…? Right now, I'm shit fucking scared of my own shadow.
If I've upset anyone, I'm GENUINELY SORRY, I won't have meant to, I NEVER mean to (unless you're a homophobic EDL-type then, yes, I most certainly DO, but I've yet to come across anyone matching that description here).
Guess, if I HAVE been banned, this won't post…
"Guess, if I HAVE been banned, this won't post…"
Relax, it works. Rule 1 of any problem: mistrust the technology, not yourself. As I have seen here over the fairly long time I have been reading El Reg, you must be pushing it pretty far and hard before you get slapped with a mega ban - and you will get plenty of warning before.
I suspect the problem lies with CloudFlare, not with El Reg.
More than likely this News360 app you're using (I haven't looked into it) is routing requests through their servers with a limited IP range. So if 50 users read El Reg using News360, all 50 of those requests could be coming from a small IP range; CloudFlare may treat that IP range as malicious (i.e. identify it as a DDoS) and block the requests.
That is my highly speculative theory anyway.
"As your login is sent in plain text any of your company admins could capture your login details (many IDS will automatically alert the sysadmin of unsecured passwords being used). Now all your anonymous posts that have been sent that might have criticised a colleague or boss or your company's working practices are now available to blackmail you with or get you fired."
Wouldn't it be a courtesy not to use your company resources to badmouth them on a public forum?
"Wouldn't it be a courtesy not to use your company resources to badmouth them on a public forum?"
Given that someone probably already has a damaged relationship with their company when they do this I reckon that actually becomes the fun part. Not for long, though, especially not if they identify the individual in question.
Don't worry, they'll probably break down your door at 5 a.m. and arrest you for "hacking".
Some years ago this comment wouldn't have come to mind or, if it did, I would have used the joke icon; but now this one will have to do until we get a Kafka one.
Like many public services I guess this is outsourced to a private contractor.
Who therefore has contractual responsibility for maintaining valid SSL certificates, and why has this fail occurred?
The logical extension of this is why are taxpayers funds being pocketed by a provider who cannot provide the basics.
Meh.