Leading by example: UK.gov's secure server setup is patchy at best

The security of UK government websites is inconsistent, and local authorities are among the worst offenders.

Ministers have for years spoken about making the UK "one of the most secure places in the world to do business in cyberspace", one component of which is making government services available online.

The government also promotes the secure server setup best practice, not least through a handy guide published by the National Cyber Security Centre here.

El Reg recently reported how one key e-government service (renewing driving licences online) was not as secure as it ought to be because of the use of weak ciphers and an improperly installed digital certificate, among other issues.

The issues meant reader Andy was unable to access the Driver and Vehicle Licensing Agency (DVLA) site using either FireFox or a Samsung S7 browser. In response, the DVLA said the "security certificates of all of our websites meet industry standards", a response our tipster and security experts including Paul Moore said missed the point that the certificate was installed incorrectly.

Andy concluded that there was still a problem with the site despite some recent improvements that brought the rating of the site by Qualys SSL Labs up from a failing "F" to a "B".

The security headers rating for the Passport Service site is still only a "D".

Last week Moore had needed to use the passport service's site to track a passport application. He discovered on Monday that the cert for the site – https://www.gov.uk/track-passport-application – wasn't installed correctly and wouldn't load on a Galaxy S8's browser, causing errors as a result.

Soon after Moore publicly complained about the issue, and El Reg began asking its own questions, the security of the passport service tracking website was improved to achieve an A+ rating. This is a good thing and the timing might all be a coincidence. The passport service has yet to respond to a request for comment so we can't say either way.

The two cases prompted us to take a wider look at the security of UK.gov SSL servers in general, which some experts reckon is generally lamentable.

"The sheer amount of .gov sites which are either broken, misconfigured or insecure is shocking," Moore told El Reg.

We began looking at a sample of central government websites. Websites run by tax collectors at HM Revenue & Customs and related to the Department for Work and Pensions' oft-criticised Universal Benefits service, it turns out, are both securely set up.

Moneyclaim.gov.uk – a site for submitting or defending a small claim – got a failing "F" grade last Monday before improving to achieve a "C" grade by Tuesday.

"MCOL isn't the worst I've seen, but certainly could benefit from an upgrade," Moore remarked.

An inconsistent picture for central government SSL servers was developing.

"Some departments manage it internally, others outsource," Moore said. "Many are services through http://gov.uk which scores very well. Some haven't transitioned fully, so rely on old and outdated services."

The picture when it comes to local government SSL servers is far bleaker.

One site – https://www.birmingham.gov.uk/pcn – run by Birmingham City Council and designed to allow motorists to pay their penalty charge notices, "isn't even PCI compliant," Moore observed. "I'm struggling to find *any* site at @BhamCityCouncil which is actually secure," he added.

The site scored a failing "F" grade when accessed using Qualys SSL Labs server testing tool. The site's certificate setup and configuration were found to be inadequate. El Reg raised this as an issue with the council but we've yet to hear back.

Supposedly "secure sites" run by West Sussex County Council and the council of the Lancashire town of Wigan were also anything but.

All of this matters because failure to get it right with a site's HTTPS certificate and server settings for encrypting traffic leaves people's personal information at risk of interception. More immediately, using badly set up sites is likely to throw up browser errors and warnings that are likely to confound and frustrate citizens.

Even those sites getting an F aren't necessarily exposed to a vulnerability that might be readily exploited, but it does show that they're not taking basic precautions to protect their users. ®