Tories left Red-Faced After HTTPS Gaffe
UK Prime Minister, Theresa May, saw her major Cabinet reshuffle overshadowed yesterday after the governing Conservative Party seemingly allowed its SSL certificate to expire.
Visitors to the Tory Party’s website were greeted with browser-based warnings such as: “Your connection is not private. Attackers might be trying to steal your information from www.conservatives.com (for example, passwords, messages or credit cards).”
The security alert was the result of a basic IT admin error: allowing the political party’s SSL certificate to expire so that it could no longer guarantee a secure HTTPS connection for users.
HTTPS is fast becoming the de facto standard for websites, thanks in part to tools such as Let’s Encrypt and HTTPS Everywhere, which allow web managers to switch to the more secure protocol for free.
The percentage of web pages loaded by Firefox using HTTPS stood at over two-thirds (67%) as of January 2018 — that’s over 63 million active certificates.
The UK government issued an order in autumn 2016 mandating all departments switch to the more secure protocol from October 1 that year.
However, cyber-criminals have also been making use of such tools to help hide malware from security filters. A report from 2016 claimed that almost half of all cyber-attacks in the preceding 12 months made use of malware hidden in encrypted traffic.
The Conservative Party’s IT-related woes didn’t end with the HTTPS gaffe yesterday: it was left further embarrassed after an official tweet was posted congratulating new chairman, Chris Grayling.
There was just one problem with the tweet: Grayling wasn’t appointed the party’s new chairman at all, that job went to former immigration minister Brandon Lewis.
The tweet was swiftly deleted, and the party's SSL certificate has now been renewed.
However, the mistake didn’t go unnoticed on Twitter, where eagle-eyed commentators voiced their views.
This post from journalist Solomon Hughes is typical:
“Conservative Website is down because they forgot to do an IT update. Because they didn't update, the Conservative Party can't communicate.”
Source: Information Security Magazine