Met Police in egg/face blunder as shop-a-crim site's SSL cert expires

The Metropolitan Police has allowed its SSL certificate to expire, possibly exposing users of its website to criminal snooping – and leaving victims and witnesses of crime vulnerable to exploitation. With shocking disregard for the most basic standards of web security, the Met have allowed their SSL certificate for https:// …

  1. Mike Shepherd

    Yawn

    In other news, their coffee machine has run out of sugar.

  2. Alister

    An anonymous tip-off told The Register the certificate expired yesterday, leaving the public without a secure means of visiting the site over both days.

    This is nonsense, the traffic is still encrypted, you just don't get confirmation you're connected to who you think you are.

    With shocking disregard for the most basic standards of web security,

    Um, El Reg doesn't even offer https connectivity, which is more shocking?

    1. JimmyPage Silver badge

      El Reg doesn't even offer https connectivity

      Why would it need to? What sensitive information is passing between you and Reg Towers?

      That said, if we arrive at an encryption everywhere state of affairs (with the security services going all over the media explaining their confusion at such a thing happening) then using encryption ceases to become a red flag to the cops.

      1. Anonymous Coward
        Anonymous Coward

        Re: El Reg doesn't even offer https connectivity

        Why would it need to? What sensitive information is passing between you and Reg Towers?

        Your login details?

      2. This post has been deleted by its author

        1. Dan 55 Silver badge

          Re: El Reg doesn't even offer https connectivity

          Email address, Reg profile, if you're a suspect whistleblower for an exclusive story...

      3. Anonymous Coward
        Anonymous Coward

        Re: El Reg doesn't even offer https connectivity

        Seriously JimmyPage, you think that there is no reason that The Register doesn't fork out £30 for a Secure Cert.

        As your login is sent in plain text any of your company admins could capture your login details (many IDS will automatically alert the sysadmin of unsecured passwords being used). Now all your anonymous posts that have been sent that might have criticised a colleague or boss or your company's working practices are now available to blackmail you with or get you fired. Or even a message could be posted in your name, your password changed, and then the details of such a post find their way to your manager.

        Plenty of people have posted on The Register with information regarding a news story and have gone anonymous because they work for them or used to work for them.

        For such a basic and simple thing The Register cannot criticise anyone over poor security when it comes to certificates.

        1. John H Woods Silver badge

          Re: El Reg doesn't even offer https connectivity

          "Plenty of people have posted on The Register with information regarding a news story and have gone anonymous because they work for them or used to work for them."

          Not only that but The Register has become a focus for those of us who are against the surveillance dragnet. My name's already on the list, obviously (although I strongly support the *targeted* work done by our intelligence services), but as the net closes in, forums like this will need stronger protection.

        2. NotArghGeeCee

          Re: El Reg doesn't even offer https connectivity

          "...Plenty of people have posted on The Register with information regarding a news story and have gone anonymous because they work for them or used to work for them...."

          Well I hope they weren't logged in at the time they went "Anonymous" because if they did those alleged "Anonymous" posts show up in your "My Posts" timeline. That's about as anonymous as a see-through burka.

      4. Mark 85
        Coat

        Re: El Reg doesn't even offer https connectivity

        "What sensitive information is passing between you and Reg Towers ?"

        Why.. our comments, of course. Think of the children who might want to read these someday.

        OK... seriously.. login etc.

    2. This post has been deleted by its author

    3. gnasher729 Silver badge

      It's not nonsense. Not getting reliable confirmation of who you are connecting to means exactly that: although the traffic is encrypted, the receiver of the message can read it, and you don't know who that is!

      You don't have a secure means to connect to the site if there is nothing that guarantees you are connecting to the site and nobody else. And what happened is exactly what criminal hackers who can't provide a legitimate certificate would do: they provide one that isn't quite right and hope that you continue.

      It would be great if all the browser manufacturers entered an agreement to just not accept such certificates. Put up a display with the most severe warning, and with no way to continue.

    4. Yet Another Anonymous coward Silver badge

      So you would say that was secure, would you?

      Please put a few 1000 quid in an envelope and send it to "Mr Inland R Evenue, 1 Railway cuttings, London" but remember to send it by G4S so it is secure.

  3. Afernie
    Trollface

    Gearing up for Cameron's encryption-free UK?

    I guess they let it lapse because apparently, only criminals use encryption.

  4. DrXym

    Cobblers

    An expired cert means exactly that - an expired cert. While it's certainly a mistake to have allowed it to happen, it doesn't make a site any less or more secure than it was before. The cert is the same, it's just expired and that throws up a warning in a browser that says something to that effect.

    The danger is not that some hackers will replace the real site without anyone noticing but that the extra warning that people have to confirm and click through might deter someone from reporting a crime.

    So in that sense it's bad. Because the cops forgot to pay their "security tax" on time, real crime might go unreported. It also demonstrates why CA signing and short cert expiration is such a bad idea to begin with. Buying a new cert doesn't make the site more secure - it just makes the scary popup go away.

    1. Afernie
      Facepalm

      Re: Cobblers

      You are incorrect. Invalid SSL certificates (irrespective of the reason that they are invalid, such as expiration) can and do facilitate seamless MITM attacks, and leaving them expired is suicidally stupid.

      1. Paul Mitchell

        Re: Cobblers

        The fact that the certificate has expired today does not make it any less secure than it was yesterday.

        The expiry date is simply an arbitrary value applied by the CA calculated on the basis of how much money you are willing to pony up. It has nothing to do with security per se.

        There may well be perfectly good reasons to regularly update your certificates, but the calendar rolling over isn't one of them.

        1. TeeCee Gold badge
          Meh

          Re: Cobblers

          Yup, the only reason you even notice is that certain browsers kick up a stink about it. As for the risk of compromise increasing over time, I'd have thought that the efforts of miscreants would be more likely focussed on shiny, new certs where there's more mileage in the exploit.

          Not too long ago this particular error would be ignored for the irrelevance it is. While the fuss made now is in theory correct, in practice it comes up so often it merely encourages reflex clicking through SSL errors. A Very Bad Thing Indeed.

      2. DrXym

        Re: Cobblers

        "You are incorrect. Invalid SSL certificates (irrespective of the reason that they are invalid, such as expiration) can and do facilitate seamless MITM attacks, and leaving them expired is suicidally stupid."

        Don't be silly. The cert is still signed, it's just expired. The risk is the astronomically small chance that someone might have used the extra few days to crack the key in some manner to impersonate it and the much larger risk that someone reporting a crime might be deterred by a scary dialog box in the browser.

        Certificate expiration and CA signing is simply a protection racket. If the Met had created their own cert with an expiration 30 years from now and had it signed by government departments, Scotland Yard, and various other courts, police forces etc. it would have been a far more trustworthy token of the site's authenticity. But they can't do that because CA based SSL certs are broken by design for the enrichment of the companies that issue them.

        And here we see a real world potential consequence of that racket.

        1. Afernie
          Thumb Down

          Re: Cobblers

          "The cert is still signed, it's just expired. The risk is the astronomically small chance that someone might have used the extra few days to crack the key"

          You have missed the point.

          One possible scenario:

          1) A site with a sizeable number of users leaves its certificate expired for a significant period of time.

          2) A sizeable percentage of those users will not proceed beyond the browser warning, but many more will add the site to their browser exception list, and proceed on to the site.

          3) After hours/days/weeks/whatever, a MITM attack is carried out, redirecting the site to an attack site with an invalid certificate and the same domain. As long as the site name is the same, the browser exception will allow the invalid certificate, and the user will not be warned of the deception. Pain, compromise, and malware will then follow.

          There's no cracking of SSL certificates involved, because there does not need to be. Moaning (rightly or wrongly) about how much certificates cost and how it's all a racket is completely irrelevant with regard to the risk of allowing expiry; if you use a certificate to protect customer data or process financial transactions and you willfully allow that certificate to expire you should expect that major legal and financial trouble may be on its way.

  5. Anonymous Coward
    Anonymous Coward

    Username and password

    well, if mine were lost, all I lose is my El Reg account. Nothing else.

    1. Anonymous Coward
      Anonymous Coward

      Re: Username and password

      Back in my student days, the secretary of the junior common room got bored and ceased answering comments and complaints in the Whinge Book. I found I was able to imitate his signature, and put in some outrageous replies. Someone must have then spoken to him, because real replies started to appear, for the first time in yonks.

      So someone who imitates you can trash your reputation.

      1. Anonymous Coward
        Anonymous Coward

        Re: Username and password

        So someone who imitates you can trash your reputation.

        Not worried - few can match my own efforts in that respect. :)

  6. Anonymous Coward
    Anonymous Coward

    as always, it's the implications

    whenever SNAFUs like this happen, there's always a cabal of people (usually with vested interests) that condescend with "it's not like the end of the world".

    True, it isn't. However, it does reveal the lack of process and oversight behind the operation. If it's just El Reg, hardly a worry. More worrying if it's a bank. And very worrying if it's men with guns with a proven track record of murdering innocent civilians.

    Their SSL cert may be borked, I bet their pensions aren't.

  7. Anonymous Coward
    Anonymous Coward

    The Register contacted the Metropolitan Police for comment but none was forthcoming

    Let me guess, you went to ask at a police station, only to find out it's closed.

  8. Stuart 22

    Missing the point

    So I have some crime-busting information or just want to look up who to contact?

    As a geek I'll examine the certificate, come to the same conclusion as El Reg, and accept the warning and continue as normal. No problem. Meanwhile my well-trained partner and 99% of humanity would see the danger warning and obey, retreating and not using the website for its purpose. That's the issue: the Met has stuffed one of its lines of information - a less serious issue than losing the switchboard. It should be a lot simpler to fix. They could get a Class 1 certificate up in minutes to clear the site warnings while the culprit gets the extended validation jobby sorted before falling down the stairs - oops!

  9. Alistair
    Coat

    I'll allow the screaming sarcasm on the part of the Register's author

    Simply because it mirrors the screaming and wailing that all the security services out there are producing about us reasonably intelligent technology users having access to reasonably decent encryption to protect our data.

    1. Anonymous Coward
      Anonymous Coward

      Re: I'll allow the screaming sarcasm on the part of the Register's author

      You may be OK with the screeching, but it's kinda irritating reading the whole spiel letting me know how certs work and why that may be a problem. That places most of the content (including the tone) at Daily Mail level. If that is what it takes to write the body of the article it means there is really no news at all.

      From a risk perspective, an MITM attack is still possible with a valid cert (of 100 users I reckon 98 will just click through the browser warning, and the 2 that do check will OK it if the domain name looks vaguely OK) so I really can't buy into the "sky is falling" message either for the two days that this exposure exists. Except for a slightly less visible MITM attack the traffic is still encrypted in transport.

  10. Colin Miller

    They seem to have installed a new certificate, which was issued on 8th January 2015, and will expire on 1 April 2016. They are also using mixed https/http, which causes a warning flag (but not a direct message) in Firefox.
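The thread above turns on two operational points: a certificate that is allowed to lapse trains users to click through warnings (Afernie's scenario), and the fix is simply to notice the expiry date before it arrives (Colin Miller reports the replacement cert's dates). The following is an added example, not code from the page, The Register or the Metropolitan Police: a standard-library Python monitor that reads a certificate in the dictionary layout `ssl.SSLSocket.getpeercert()` returns, reports how many days remain, flags a host-name mismatch against the SAN list, and wraps a live fetch with verification left on so an already-expired cert is reported as a verification failure rather than silently accepted. The host names and issuer are placeholders; only the validity dates are taken from the comment above.

```python
"""Stdlib-only certificate monitor: flags expiry ahead of time and host-name mismatch."""
import socket
import ssl
from datetime import datetime, timedelta, timezone

WARN_DAYS = 14  # raise an alert this many days before notAfter

# Constructed sample in the layout SSLSocket.getpeercert() returns for a verified peer.
# The validity dates are the ones reported in the comment above for the replacement
# certificate; the host names and issuer are placeholders, not the Met's real domain.
SAMPLE_CERT = {
    "subject": ((("commonName", "report.example-police.test"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "notBefore": "Jan  8 00:00:00 2015 GMT",
    "notAfter": "Apr  1 00:00:00 2016 GMT",
    "subjectAltName": (
        ("DNS", "report.example-police.test"),
        ("DNS", "www.example-police.test"),
    ),
}


def _dns_name_matches(pattern, hostname):
    """Exact match, or a single leftmost wildcard label (RFC 6125 style)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        labels = hostname.split(".")
        # the wildcard covers exactly one label, never "b.a.example.test"
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False


def hostname_matches(cert, hostname):
    """Check the host name against DNS SANs; fall back to the CN only when no SAN exists."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_name_matches(n, hostname) for n in names)


def _as_utc(when):
    """Accept None (now), a datetime, or a 'YYYY-MM-DD' string (UTC midnight) to replay a day."""
    if when is None:
        return datetime.now(timezone.utc)
    if isinstance(when, str):
        return datetime.strptime(when, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return when if when.tzinfo else when.replace(tzinfo=timezone.utc)


def assess_cert(cert, hostname, now=None):
    """Return validity status, days left and the host-name check for one getpeercert() dict."""
    now = _as_utc(now)
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (not_after - now) / timedelta(days=1)
    if now < not_before:
        status = "not_yet_valid"
    elif days_left < 0:
        status = "expired"
    elif days_left <= WARN_DAYS:
        status = "expiring_soon"
    else:
        status = "ok"
    host_ok = hostname_matches(cert, hostname)
    return {
        "status": status,
        "days_left": round(days_left, 2),
        "hostname_ok": host_ok,
        "alert": status != "ok" or not host_ok,
    }


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Handshake with full verification on; return ('ok', cert_dict) or ('verify_failed', reason).

    An expired or mismatched certificate never reaches assess_cert(): the library refuses
    the handshake and the monitor reports OpenSSL's reason (e.g. 'certificate has expired').
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return "ok", tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return "verify_failed", exc.verify_message


def monitor(hostname, port=443):
    """One monitoring cycle: live fetch plus assessment. Not exercised by the offline sample."""
    outcome, payload = fetch_peer_cert(hostname, port)
    if outcome != "ok":
        return {"status": "verify_failed", "reason": payload, "alert": True}
    return assess_cert(payload, hostname)


if __name__ == "__main__":
    # Replay the sample certificate against several dates instead of touching the network.
    for day in ("2016-03-02", "2016-03-25", "2016-04-02"):
        print(day, assess_cert(SAMPLE_CERT, "report.example-police.test", now=day))
```

Run from cron against the site's own host name and page the owner on `alert`; the `expiring_soon` window is what turns a lapsed cert from a surprise into a scheduled renewal, and the `verify_failed` path is what a monitor sees on the day the thread describes.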

  11. Anonymous Coward
    Anonymous Coward

    The Register contacted the Metropolitan Police for comment but none was forthcoming

    You're being too harsh, I say. Presumably they've gone on lunch. Or home altogether.

  12. Sarah Balfour

    I don't know whether this'll post, but…

    I use an app called News360 for reading El Reg (and a few other blogs) and, when I attempted to post a comment on an article this morning, instead of the usual "your comment will be updated shortly…" banner, I was taken to a page with "Sorry, you're blocked!", in big, bold type, followed by some blurb about something called CloudFlare, a code, and my IP. Being autistic, and not understanding what the feck any of this meant, I began to rack my brain (or whatever passes for it these days) trying to figure out what on Earth I could POSSIBLY have said to get myself banned (this is literally the only forum, of those to which I've posted, from which I've yet to be excluded).

    I then accessed the site via Safari, and did a test post (think it was on the Barry Obama article if memory serves, remove it) and that posted fine. I'm back reading via News360 again (hence the header). I've a screenshot of the offending page, if it'd be useful to anyone.

    If I am barred from posting, it'd be good to know why, and why I've never received any communication from The Vultures' Nest (do vultures build nests…? I assume they do) as to why and, besides, you're usually allowed a couple of transgressions before the door's slammed on yer arse! Have I REALLY upset folk round here that much that I don't even merit a single warning…?! If I have, well I have, I can't help being how I am, I'd explain why, but it's too fantastic to be believable.

    I'm feeling extremely low at the minute and, when I get like this, what little understanding I have of the world deserts me and, frankly, it's fucking terrifying; my grip on reality is tenuous enough when my head's functioning (well for any value of functioning, any road) but, right now…? Right now, I'm shit fucking scared of my own shadow.

    If I've upset anyone, I'm GENUINELY SORRY, I won't have meant to, I NEVER mean to (unless you're a homophobic EDL-type then, yes, I most certainly DO, but I've yet to come across anyone matching that description here).

    Guess, if I HAVE been banned, this won't post…

    1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      Re: I don't know whether this'll post, but…

      Guess, if I HAVE been banned, this won't post…

      Relax, it works. Rule 1 of any problem: mistrust the technology, not yourself. As I have seen here over the fairly long time I have been reading El Reg you must be pushing it pretty far and hard before you get slapped with a mega ban - and you will get plenty warning before.

      I suspect the problem lies with CloudFlare, not with El Reg.

    3. Anonymous Coward
      Anonymous Coward

      Re: I don't know whether this'll post, but…

      More than likely this News360 app you're using (I haven't looked into it) is routing requests through their servers with a limited IP range. So if 50 users read El'Reg using News360, all 50 of those requests could be coming from a small IP range, CloudFlare may treat that IP range as malicious (i.e. identifies it as a DDoS) and blocks the requests.

      That is my highly speculative theory anyway.

  13. crayon

    "As your login is sent in plain text any of your company admins could capture your login details (many IDS will automatically alert the sysadmin of unsecured passwords being used). Now all your anonymous posts that have been sent that might have criticised a colleague or boss or your company's working practices are now available to blackmail you with or get you fired."

    Wouldn't it be a courtesy not to use your company resources to badmouth them on a public forum?

  14. Anonymous Coward
    Anonymous Coward

    Wouldn't it be a courtesy not to use your company resources to badmouth them on a public forum?

    Given that someone probably already has a damaged relationship with their company when they do this I reckon that actually becomes the fun part. Not for long, though, especially not if they identify the individual in question.

  15. Trainee grumpy old ****
    Big Brother

    The Register contacted the Metropolitan Police for comment but none was forthcoming.

    Don't worry, they'll probably break down your door at 5 a.m. and arrest you for "hacking".

    Some years ago this comment wouldn't have come to mind or, if it did, I would have used the joke icon; but now this one will have to do until we get a Kafka one.

  16. Anonymous Coward
    Anonymous Coward

    Outsourced service

    Like many public services I guess this is outsourced to a private contractor.

    Who therefore has contractual responsibility for maintaining valid SSL certificates and why has this fail occurred?

    The logical extension of this is why are taxpayers funds being pocketed by a provider who cannot provide the basics.

    Meh.
