HTTPS crypto-shame: TV Licensing website pulled offline

The UK's TV Licensing agency has taken its website offline "as a precaution" after being blasted for running transactional pages that were not sent over HTTPS. The publicly funded outfit had been criticised for inviting folk to submit sensitive data over unencrypted links. Just a few hours after proclaiming "we will soon …


  1. JimmyPage Silver badge
    Facepalm

    redirecting HTTP to HTTPS

    Isn't this the sort of thing a first year Comp Sci graduate used to be able to do?

    1. Alister Silver badge

      Re: redirecting HTTP to HTTPS

      In my experience, the current crop of Comp Sci graduates wouldn't have a fucking clue how to do this, nor why they should...

    2. Teiwaz Silver badge

      Re: redirecting HTTP to HTTPS

      Comp Sci awards the degree in the first year now?

      I have heard mutterings about Degrees getting easier (and reduced the length of course while probably increasing the fees), but this seems like drastic short-cutting to me.

      1. FlamingDeath Bronze badge

        Re: redirecting HTTP to HTTPS

        Well, from my observation many of the university types do certainly think that once they completed their degree, that the learning is done and finished, and they can then start looking down their noses at us other self-educated types who didn't pay £9k PA for a "rarely present tutor" and are interested enough in the subject to be motivated to self-learn

        I guess the overpriced degrees in university, breeds a kind of hubristic elitism

        A bit like when people buy an overpriced product, and they wrongly equate high price with high quality

        "The good work for all education is interest. Until there is interest there is no response"

        1. ZenCoder
          Pint

          Re: redirecting HTTP to HTTPS

          > Well, from my observation many of the university types do certainly think that once they completed their degree, that the learning is done and finished, and they can then start looking down their noses at us other self-educated types

          My Computer Science and Engineering Degree taught zero practical skills ... instead I learned the scientific and theoretical knowledge that would prepare me for a lifetime of self-learning.

          Also here is at least one "University Type" that respects anyone who has the skills necessary for the job no matter how they acquired them.

          Regrettably I also worked with far too few people with skills and no degree and far too many with degrees with no skills, not to mention the 3rd year transfer students with 3.5+ GPA who literally could not complete a single lab assignment without cheating.

          So instead of a downvote ... you get a beer.

          1. Anonymous Coward

            Re: My Computer Science and Engineering Degree taught zero practical skills

            Mine wasn't as "impractical" as that (although the programming that we did do, did perhaps focus a little too much on near-metal-banging (pointers, malloc, etc) in C, which are things I have never needed to worry about since, as they are dealt with lower down the software stack (although I certainly do acknowledge that we do need at least some people with those skills in order to write, and optimise, those lower parts of the stack)).

            But, unfortunately, much of the "theoretical stuff" mainly seemed to be indulgence of the academics' pet areas of research, and rarely anything which gets any real-world use (eg, lambda calculus) or was more than a passing fad (at least a couple of unpleasant courses whose content I have now entirely forgotten).

            To be perfectly honest, I think I have learned far more from the web (yes, including various Wikimedia sites, with pinches of salt duly applied), forums, well-written official documentation (yes, it does sometimes exist!), and the O'Reilly menagerie, than I ever did from my first university degree.

            The university undergrad experience should really be more about a love of learning in general, learning how to transition into an adult, making new friends and networks, undertaking new experiences, and broadening your worldview.

            Unfortunately, coming from a deathly-uninspiring smalltown background, after many years of teachers' strikes (where the teachers' "work to rule" neglected the unwritten part of their mission to help their students grow and blossom as well, unfairly hurting those who had no part in their battle), and then to a university that turned out to be rather more homogenous in its student cohort than the prospectus had implied (so that most of us had all had the same stunted childhoods (but of course were unable to realise that at the time)), meant that it wasn't quite the full experience that it should have been.

            1. Claptrap314 Bronze badge

              Re: My Computer Science and Engineering Degree taught zero practical skills

              You speak like you expected/intended your education to be something that someone else gave you (at school), or perhaps a one-and-done sort of thing? How sad.

              I learned more science by reading the 500 & 600 section and subscribing to Scientific American & National Geographic (back when they were useful) than there was ever hope for me to have learned in the thin slice of time listening to someone try to explain things they themselves barely understood in K-12.

              As the previous poster mentioned, the critical skills that are needed are not "practical" (and don't go on a résumé).

              1) The ability to learn new skills. The world is changing, you must keep up. I have literally had my job description completely rewritten between when I accepted the offer and when I showed up the first day.

              2) The ability to recognize your own blind spots. The "unknown unknowns" are what kill us. Overcome Dunning-Kruger or be stuck being the one others clean up after.

              3) Diligence. No matter how many layers we put between you and the bare metal, there will be tasks that are fundamentally repetitive and non-scriptable. (Think about writing good tests.) Disciplining yourself to doing it right every time.

              Yeah, I was a hardass to my calculus students.

    3. katrinab Silver badge

      Re: redirecting HTTP to HTTPS

      If you are using IIS, it is a box you tick in the control panel. On Apache, it is a very simple addition to the configuration file.

    4. NonSSL-Login

      Re: redirecting HTTP to HTTPS

      Searched for the Beefeater site yesterday and Google gave a http link which didn't redirect to https once on it which I thought was odd for this day and age.

      To view a menu it wanted my postcode and while it's not the end of the earth for that to be sniffed, it felt too dirty to post it over http so I had to manually change it to https.

      My name was a good few years of nagging at el register to https up and it took Google to start giving horrible Chrome messages and lower search engine ranks to http sites before it was changed. Any company not using https now should be considered lazy and not fully competent imo.
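A way to check the behaviour discussed in the replies above (a plain-HTTP page that never redirects, and the redirect that fixes it), added here as an example and not code from The Register or any commenter. It audits already-captured responses offline; the `.example` host names, the finding labels and the 180-day minimum HSTS lifetime are assumptions made for this example.

```python
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}
PERMANENT = {301, 308}
MIN_HSTS_AGE = 15552000  # 180 days; assumed threshold, tune to your own policy


def _lower(headers):
    return {k.lower(): v.strip() for k, v in headers.items()}


def hsts_max_age(value):
    """Return max-age (seconds) from a Strict-Transport-Security value, else None."""
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name.strip().lower() == "max-age":
            val = val.strip().strip('"')
            return int(val) if val.isdigit() else None
    return None


def audit_http_response(url, status, headers):
    """Findings for the response to a plain-HTTP request (empty list = good)."""
    h, req, findings = _lower(headers), urlsplit(url), []
    if "strict-transport-security" in h:
        # Browsers ignore HSTS received over an insecure transport (RFC 6797).
        findings.append("hsts-sent-over-http-is-ignored")
    if status not in REDIRECTS:
        findings.append("no-redirect-to-https")
        return findings
    loc = urlsplit(h.get("location", ""))
    if loc.scheme != "https":
        # Covers http:// targets and relative targets, which stay on http.
        findings.append("redirect-target-not-https")
    elif loc.hostname != req.hostname:
        # HSTS for the original host can only be set if HTTPS is served there.
        findings.append("redirect-changes-host")
    if status not in PERMANENT:
        findings.append("redirect-not-permanent")
    return findings


def audit_https_response(headers):
    """Findings for the HSTS header on the HTTPS response."""
    value = _lower(headers).get("strict-transport-security")
    if value is None:
        return ["hsts-missing"]
    age = hsts_max_age(value)
    if age is None:
        return ["hsts-max-age-invalid"]
    return ["hsts-max-age-short"] if age < MIN_HSTS_AGE else []


# Constructed sample responses (not captured from any real site).
SAMPLES = [
    ("http://shop.example/pay", 200, {"Content-Type": "text/html"}),
    ("http://shop.example/pay", 302, {"Location": "https://shop.example/pay"}),
    ("http://shop.example/pay", 301, {"Location": "https://shop.example/pay"}),
]

if __name__ == "__main__":
    for url, status, headers in SAMPLES:
        print(status, audit_http_response(url, status, headers) or "ok")
    print(audit_https_response({"Strict-Transport-Security": "max-age=31536000"}) or "ok")
```
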

  2. Anonymous Coward

    only 9 months?

    Someone check the Wayback machine. I'd bet it's never been secure (i.e. http always preferred over https).

    1. Anonymous Coward

      Re: only 9 months?

      "Someone check the Wayback machine" - we've got a fully delegating manager type here folks. Don't see many of your sort round these parts.

    2. Anonymous Coward

      Re: Someone check the Wayback machine.

      There's an app for that.

      If that task is not in the existing contract, it'll cost you extra (and if it was in the contract, it's already cost the taxpayer far too much).

  3. DJV Silver badge

    "We take security very seriously"

    That's right, keep parroting that obvious bullshit out! Sigh....

  4. Snivelling Wretch

    TV Licensing is run by Capita; 'nuff said.

    1. wallaby

      "TV Licensing is run by Capita; 'nuff said."

      And we are forced by our government to use them or face a fine !!!!

      The joys of privatisation

    2. Chris Hills

      Kind of, Capita gets the majority of the work but there are other contractors. I presume the BBC is responsible for the infrastructure?

      1. Angry IT Monkey

        Capita provide the secure payments side, I believe IBM host the rest.

        Yes, I feel dirty defending Capita!

        1. Teiwaz Silver badge

          > Capita provide the secure payments side, I believe IBM host the rest.

          > Yes, I feel dirty defending Capita!

          Well, there's the reason then. Nobody left who has a clue at IBM?

          1. Anonymous Coward

            There are plenty of people left at IBM who have a clue. They just no longer care.

          2. Anonymous Coward

            "Nobody left who has a clue at IBM?"

            It's a chargeable item that, definitely not included in the contract that the customer signed....

      2. Doctor Syntax Silver badge

        "I presume the BBC is responsible for the infrastructure?"

        Why would they be?

        1. Alan Brown Silver badge

          >> "I presume the BBC is responsible for the infrastructure?"

          > Why would they be?

          Because TV Licensing _limited_ - the privately owned company which is responsible for actually collecting TV licence fees - is a wholly owned subsidiary of the BBC which then contracts operations out to Crapita and IBM.

          It's a nice incestuous little circle jerk when you start digging into it.

          1. An ominous cow heard

            Re: when you start digging into it.

            "Because TV Licensing _limited_ - the privately owned company which is responsible for actually collecting TV licence fees - is a wholly owned subsidiary of the BBC which then contracts operations out to Crapita and IBM."

            That's not quite how it works, according to published information. Maybe your description is equivalent, maybe no one has challenged it for the last few years, but here's an extract from an official description:

            https://www.tvlicensing.co.uk/about/who-we-are-AB4

            " 'TV Licensing' is a trade mark of the BBC and is used under licence by companies contracted by the BBC to administer the collection of the television licence fee and enforcement of the television licensing system.

            The BBC is a public authority in respect of its television licensing functions and retains overall responsibility.

            Responsibilities of TV Licensing contracted companies

            Capita Business Services Ltd Administration and enforcement of the TV Licence fee.

            PayPoint Plc Over-the-counter payment services in the UK mainland and in Northern Ireland.

            [continues]"

            If there was an actual "TV Licensing Limited" I would expect to see evidence somewhere (ultimately, official records at Companies House). Have you got any?

            The big-picture concept of contracting this stuff (collection AND enforcement) out to organisations like Crapita and friends still stinks. As it often does elsewhere. But sometimes details matter, as well as the big picture.

    3. FlamingDeath Bronze badge
      Facepalm

      Fucking Crapita

      Who knew

      1. Anonymous Coward

        Why wasn't it mentioned in the article that Capita run this? Come on El Reg. It's kind of relevant. I know it's Friday but you haven't even been to the pub yet (I assume).

  5. chroot

    HTTPS by default?

    Now that Chrome makes it alarming to visit any HTTP site, why doesn't it just try HTTPS first? HTTP can be an optional fallback with an informative/alarming notice.

    1. Anonymous Coward

      Re: HTTPS by default?

      Because some people may want to visit the http version of a site - for testing purposes for instance or the https version of the site may be an entirely different site altogether or a security or certificate problem may mean the https version is down while the http version is up etc etc.

      Having a third party decide that it is going to disregard your wishes and the site owner's wishes is not a great solution - they'll be removing parts of the url completely next.

      Maybe a popup to say there is a secure version of the site and would you like to visit it?

      Maybe use HTTPS Everywhere extension which will use https?

  6. Dave 15 Silver badge

    scrap tv licence

    Simplest answer

    The BBC is just the government's propaganda machine anyway. Fund from general taxation and cut all the costs out straight off. They have a list of all the houses in the UK without a licence and bombard you with letters and visits demanding that YOU prove to them you don't need a licence with very threatening letters. Frankly better off without any of it.

    BBC can be funded by either:

    a) general taxation

    b) pay per view/subscription like sky

    c) advertising

    d) selling their 'wonderful' programs (mmm... teletubbies, total crud, perhaps by having to sell the programs they might just decide to make programs worth the effort????)

    The tv licence model is broken, out of date and ridiculous, like most other government taxation.

    Long overdue to move to a single tax and single benefit system so we can really understand just how much we are being screwed by the government of the day.

    1. Big John Silver badge

      Re: scrap tv licence

      > "The tv licence model is broken..."

      No it isn't. Governments usually love to force propaganda on their citizens, and making them pay for it too just makes the operation that much sweeter.

    2. FlamingDeath Bronze badge

      Re: scrap tv licence

      No idea why you have so many downvotes.

      The BBC are happy enough to pay Gary Lineker, Chris Evans and Graham Norton, a ridiculous sum of cash for what is questionable talent.

      If anybody has seen Idiocracy, it should be fairly obvious why TV is the way it is

      Love Island?

      Big Brother?

      Celebrity get me out of here?

      If these programs are not the result of an ever increasingly stupid population, I don't know what is

      1. Anonymous Coward

        Re: scrap tv licence

        Not giving the BBC a carte blanche defence, but if you're going to criticise them, it doesn't help to back up the attack with...

        > Love Island?

        ITV

        > Big Brother?

        Formerly Channel 4, now Channel 5

        > Celebrity get me out of here?

        ITV

        (Just to clarify for readers outside the UK- none of those are BBC stations).

    3. Alan Brown Silver badge

      Re: scrap tv licence

      "scrap tv licence

      Simplest answer"

      Yes, but not for the reasons you're pushing.

      Radio licensing was scrapped in the late 1960s for the simple reason that with the advent of transistorisation there were too many radio sets to keep track of and the licensing income wasn't worth the hassle. TV licensing was kept because TV sets were large, cumbersome and easy to track.

      Times and technology have changed and now TV sets are as ubiquitous as radio sets were at the time their licenses were scrapped.

      The assumption since the 1970s has been that "every house has a TV set and every one without a license is a dodger" - with "TV detector vans" mainly being minibusses and the "detectors" being people looking for aerials or the telltale signs of a TV in use (flickering lights and the warbling sounds of coronation street coming from premises which supposedly had no TV)

      You'll notice that receiver licensing is no longer a radio regulatory job: that should give a big hint as to its actual necessity.

  7. Aladdin Sane Silver badge
    Mushroom

    We take security very seriously

    Lies.

    1. 0laf Silver badge
      Thumb Up

      Re: We take security very seriously

      "We take our security very seriously, we don't give a fuck about yours.... unless the ICO is knocking on the door"

      FTFY

    2. Anonymous Coward

      Re: We take security very seriously

      *We take security very seriously

      The cheque's in the post

      The dog ate my homework.

      Of course I love you.

      I promise I won't cum in your mouth.

      *Added to the list of the greatest lies ever told.

      1. Alister Silver badge

        Re: We take security very seriously

        You forgot:

        It's not you, it's me.

      2. Fred Dibnah

        Re: We take security very seriously

        And:

        I'm just out for a swift half.

        1. Kane Silver badge

          Re: We take security very seriously

          And:

          It's only the tip.

      3. Nano nano

        Re: We take security very seriously

        £350m a week for the NHS ...

        1. Wincerind

          Re: We take security very seriously

          @Nano nano "£350m a week for the NHS ..."

          Oh do give it a rest.

    3. Anonymous Coward

      Re: We "will briefly" take security very seriously

      Corrected for you...

      1. Nano nano

        Re: We "will briefly" take security very seriously

        Momentarily ...

  8. Loyal Commenter Silver badge

    we're not aware of anyone's data being compromised.

    Well, if you're not using HTTPS, you wouldn't be aware of it, almost by design. Not being aware of the man-in-the-middle doesn't mean he isn't there. All it takes is a poisoned DNS server, redirecting requests to a proxy, and someone can be listening in on all the unsecured connections for any domain that DNS server is serving up the address for.

    1. NonSSL-Login

      Or just someone on the same wifi network running wireshark or other tools. Requires catching the initial handshake but easy enough to disconnect a client and force it to reconnect to catch it.

    2. Alan Brown Silver badge

      "Well, if you're not using HTTPS, you wouldn't be aware of it, almost by design."

      It would be "very good" if the ICO (or the EU privacy oversight watchdogs) declare that it's a prima facie data breach to use http for ANY kind of entry of personal data, regardless of provable data breach - and if there is a subsequent data breach then failure to use https adds a multiplier to the fines.

  9. Anonymous Coward

    Airline / Travel HTTP Crimes

    Anyone noticed HTTP / HTTPS breaking while trying to Check-In online or when Printing a Boarding Pass? You're taken to the Parent-Airline site first to authenticate (HTTPS). But then they send you to the Subsidiary-Airline site (the airline you're actually flying with), to enter Passport and other personal details before issuing the final boarding pass.

    That can even just be a random 3rd-Party site (again over HTTP only).... WTF airlines? Get your sht together! The only solution is hold off / don't use it, wait in line at the airport. Might be better anyway, as the amount of server-side user tracking is already toxic:

    -

    Emirates / Lufthansa dinged for slipshod online data privacy practices

    https://www.theregister.co.uk/2018/03/05/emirates_dinged_for_slipshod_privacy_practices/

    1. Alan Brown Silver badge

      Re: Airline / Travel HTTP Crimes

      "That can even just be a random 3rd-Party site (again over HTTP only)"

      Any of this is grounds for a complaint to the ICO and making sure that El Reg (amongst others) has enough detail to make it impossible for the airlines to brush off or the government numpties to sweep under the carpet.

  10. tallenglish

    Yet another Crapita cockup

    This is what happens when you don't pay your employees half enough or care about them, haven't a clue about what you're selling or care about the security of your clients.

    Bet the details are stored in some plaintext file on the server too.

  11. intrigid

    TV licensing agency

    Paying the government for the privilege of owning a magic picture device? The whole HTTP privacy debacle should be an afterthought. You Brits should hang your heads in shame for allowing such a ridiculous bureaucracy to exist in the first place.

    1. Anonymous Coward

      Re: TV licensing agency

      Don't criticise someone else's crappy government until you've cleaned up & decrapified your own. Those who live in glass houses shouldn't throw stones.


Biting the hand that feeds IT © 1998–2019