UK’s Conservative Party Feels the Heat After Failing to Renew its Website Security Certificate
While the world had its eyes on Theresa May’s cabinet reshuffle, the UK Conservative Party’s website grabbed the attention of the techie community. The reason behind this was the Conservatives’ failure to renew their site’s SSL/TLS certificate – the certificate responsible for the connection security of a website.
As a result, the website went down for hours.
This issue came to attention yesterday when any attempt to visit the website (https://www.conservatives.com/) resulted in a warning that said “Your connection is not private. Attackers might be trying to steal your information from www.conservatives.com (for example, passwords, messages or credit cards).”
This warning led to inevitable social media reactions (there really is no escaping them!). Here’s one tweet that went viral:
In the most appropriate possible metaphor for the party’s failure to grasp 21st-century campaigning, the Conservative website is down, apparently because they’ve failed to upgrade to HTTPS pic.twitter.com/iSHNST91lS
— Robert Colvile (@rcolvile) January 8, 2018
Ultimately, the Conservative Party noticed this and took its website down for a few hours to avoid any potential disasters. After some time, the website came back online with a new certificate, but the damage was already done.
Perhaps the most ironic part of this is that the Conservative Party’s own Amber Rudd, Home Secretary, recently made waves when she said she would “combat” encryption on the premise that it provides a helpful environment for criminals. Upon being pressed, Rudd then admitted she doesn’t understand how encryption works.
Maybe this would be a good opportunity for her to learn.
If you let your SSL certificate expire, you have only yourself to blame
An often-ignored part of the SSL certificate process is renewal. Many people either aren’t aware of it or just take it for granted, believing that an SSL certificate will serve them for the rest of their life. Well, it won’t. For safety purposes, SSL certificates MUST be renewed after a specific time frame (if you want to know why SSL certificates expire, here’s an excellent post for you). Unfortunately, the technical team for the UK Conservative Party ignored that fact.
I’m deliberately using the word ‘ignored’ because there should have been many instances where the certificate authority, as well as the certificate provider, would have reminded them that their certificate was about to expire. In fact, standard practice is to notify at 90, 30, 15, 7, 3 and 1 day before expiration. We know this because our parent company, as an SSL certificate provider, sends out notifications along these exact timelines.
By allowing the certificate to expire, the UK Conservative Party also loses any benefits that come from renewing, namely the ability to skip certain steps to expedite validation. You never want to wait until the last minute to purchase or renew an SSL certificate; give yourself a day or two in case anything goes sideways. Again, you’ll know when your certificate is about to expire. Even if you’re not tracking the date on your own, you’ll be notified.
So, use this as a cautionary tale. If you somehow manage to ignore all of these e-mails, you have only yourself to blame!
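For anyone who would rather track the date themselves than rely on reminder e-mails, here is an added example (not code from the original article or from any certificate provider) that maps a certificate's expiry date onto the 90/30/15/7/3/1-day schedule mentioned above. The function names `classify` and `check_host` are hypothetical, and the sample `notAfter` values are constructed.

```python
import socket
import ssl
from datetime import datetime, timezone

# Reminder schedule quoted in the article (days before expiration).
THRESHOLDS = (90, 30, 15, 7, 3, 1)

def classify(not_after, now):
    """Map a certificate's notAfter string to (status, whole days left)."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    remaining = expires - now
    if remaining.total_seconds() <= 0:
        return "EXPIRED", remaining.days
    # Tightest reminder window the certificate has already entered, if any.
    reached = [t for t in THRESHOLDS if remaining.days <= t]
    return (f"WITHIN_{min(reached)}_DAYS" if reached else "OK"), remaining.days

def check_host(host, port=443, now=None):
    """Fetch the live certificate and classify it (needs network access)."""
    now = now or datetime.now(timezone.utc)
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert()["notAfter"], now)
    except ssl.SSLCertVerificationError as exc:
        # An expired certificate fails the handshake itself; OpenSSL reports
        # verify code 10 (X509_V_ERR_CERT_HAS_EXPIRED) for that case.
        return ("EXPIRED" if exc.verify_code == 10 else "INVALID"), None

if __name__ == "__main__":
    # Constructed notAfter values, checked against a fixed "today".
    today = datetime(2018, 1, 1, tzinfo=timezone.utc)
    for sample in ("Jan  1 00:00:00 2019 GMT", "Jan  5 09:34:43 2018 GMT",
                   "Dec 31 23:59:59 2017 GMT"):
        print(sample, "->", classify(sample, today))
```

Run from a daily scheduled job, `check_host` gives the same early warning as the reminder e-mails, and it also catches the case where those e-mails go to an unmonitored mailbox.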