Whoops, the Conservative Party Lets its Website Security Certificate Expire
UK’s Conservative Party Feels the Heat After Failing to Renew its Website Security Certificate
While the world had its eyes on Theresa May’s cabinet reshuffle, the UK Conservative Party’s website grabbed the attention of the techie community. The reason behind this was the Conservatives’ failure to renew their site’s SSL/TLS certificate – the certificate responsible for the connection security of a website.
As a result, the website went down for hours.
This issue came to attention yesterday, when any attempt to visit the website (https://www.conservatives.com/) resulted in a warning that said “Your connection is not private. Attackers might be trying to steal your information from www.conservatives.com (for example, passwords, messages or credit cards).”
This warning led to inevitable social media reactions (there really is no escaping them!). Here’s one tweet that went viral:
In the most appropriate possible metaphor for the party’s failure to grasp 21st-century campaigning, the Conservative website is down, apparently because they’ve failed to upgrade to HTTPS pic.twitter.com/iSHNST91lS
— Robert Colvile (@rcolvile) January 8, 2018
Ultimately, the Conservative Party noticed this and took its website down for a few hours to avoid any potential disasters. After some time, the website came back online with a new certificate, but the damage was already done.
Perhaps the most ironic part of this is that the Conservative Party’s own Amber Rudd, Home Secretary, recently made waves when she said she would “combat” encryption on the premise that it provides a helpful environment for criminals. Upon being pressed, Rudd then admitted she doesn’t understand how encryption works.
Maybe this would be a good opportunity for her to learn.
If you let your SSL certificate expire, you have only yourself to blame
An often-ignored part of the SSL certificate process is its renewal. Many people either aren’t aware of it or take it for granted that an SSL certificate will serve them for the rest of their lives. Well, it won’t. For safety purposes, SSL certificates MUST be renewed after a specific time frame (if you want to know why SSL certificates expire, here’s an excellent post for you). Unfortunately, the technical team for the UK Conservative Party ignored that fact.
I’m deliberately using the word ‘ignored’ because there should have been many instances where the certificate authority, as well as the certificate provider, would have reminded them that their certificate was about to expire. In fact, standard practice is to notify at 90, 30, 15, 7, 3 and 1 day before expiration. We know this because our parent company, as an SSL certificate provider, sends out notifications along these exact timelines.
By allowing the certificate to expire, the UK Conservative Party also loses any benefits that come from renewing, namely the ability to skip certain steps to expedite validation. You never want to wait until the last minute to purchase or renew an SSL certificate; give yourself a day or two just in case anything goes sideways. Again, you’ll know when your certificate is about to expire. Even if you’re not tracking the date on your own, you’ll be notified.
So, use this as a cautionary tale. If you somehow manage to ignore all of these e-mails, you have only yourself to blame!
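For teams that want to track the date themselves rather than rely on reminder e-mails, here is a small expiry check built around the 90/30/15/7/3/1-day schedule mentioned above. It is an added example, not code from the article or its parent company; the function names and the sample `notAfter` value are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Reminder schedule quoted in the article (days before expiration).
THRESHOLDS = (90, 30, 15, 7, 3, 1)
# Constructed sample value in the notAfter format that getpeercert() returns.
SAMPLE_NOT_AFTER = "Jun  1 12:00:00 2030 GMT"

def days_left(not_after, now):
    """Whole days until notAfter; negative once notAfter has passed."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - now).days

def reminder_stage(days):
    """Tightest reminder threshold reached, "expired", or None (over 90 days left)."""
    if days < 0:
        return "expired"
    reached = [t for t in THRESHOLDS if days <= t]
    return min(reached) if reached else None

def check_host(host, port=443, now=None):
    """Fetch a live certificate (needs network) and return (days_left, stage)."""
    now = now or datetime.now(timezone.utc)
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # An expired certificate fails verification (X.509 verify code 10), so the
        # handshake never completes; this is what produces the browser warning.
        if exc.verify_code == 10:
            return None, "expired"
        raise
    remaining = days_left(not_after, now)
    return remaining, reminder_stage(remaining)

if __name__ == "__main__":
    # Offline demo on the constructed sample; use check_host("your.domain") for a live check.
    for today in (datetime(2030, 1, 1, tzinfo=timezone.utc),
                  datetime(2030, 5, 25, 12, tzinfo=timezone.utc),
                  datetime(2030, 6, 2, tzinfo=timezone.utc)):
        d = days_left(SAMPLE_NOT_AFTER, today)
        print(today.date(), d, reminder_stage(d))
```

Run from a daily scheduled job, a non-`None` stage is the signal to open a renewal ticket or page whoever owns the certificate.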