back to article One-quarter of UK police websites lack a secure connection

An alarming proportion of cops’ websites lack any form of automatic secure connection, meaning sensitive data is potentially communicated in plain unencrypted text – according to research. Findings from non-profit body the Centre for Public Safety revealed that almost one-quarter of police sites lack any automatic secure …

  1. frank ly

    Large quality variations

    They don't seem to make any effort to learn from each other or share 'best practice'. Hasn't it always been like this with the police and all forms of local government service?

    1. 0laf

      Re: Large quality variations

      The police are very of the mentality to working within silos. There is little cross communication even within a single service. With the unsurprising result of duplications, missed opportunities, delays and additional costs.

    2. Anonymous Coward
      Anonymous Coward

      Re: Large quality variations

      having 41 separate forces doesn't help! And cost a fortune

      1. Alan Brown Silver badge

        Re: Large quality variations

        It's not just police with this problem.

        There are as many fire services and school departments, with wildly varying degrees of funding and managment ability

        Which leads to wildly varying degrees of quality on a county-by-county basis.

        The idea of regionalising/nationalising these is nice, but the problem is that it's extremely likely that those who end up running the show will be the incompetent trough-snufflers rather than the ones with decent ability.

  2. 's water music

    No HTTPS


    1. Anonymous Coward
      Anonymous Coward

      Re: No HTTPS

      I think that comment is very harsh and unfair.

      To amateurs

    2. Arthur the cat Silver badge

      Re: No HTTPS


      No, it's because HTTPS or any other cryptography = terrorism to the Met.

      I wish I could add a "joke alert" icon to this. The prosecution is probably valid, but the details of the charge are worrying.

    3. Anonymous Coward
      Anonymous Coward

      Re: No HTTPS

      They should go on a register somewhere. Maybe even The Register.

  3. Elmer Phud

    Too busy?

    Have they been too busy snooping on us, to eager to spunk millions over 'anti-terrorist' toys to look after their own house?

    1. TitterYeNot

      Re: Too busy?

      "Have they been too busy snooping on us, to eager to spunk millions over 'anti-terrorist' toys to look after their own house?"

      Yes, it looks like they're too busy intercepting our mobile phone calls to deal with trivial things like 'data security'...

  4. Paul Crawford Silver badge

    Goverment in general?

    How do the police sites compare to the government in general? Of course the police are probably handling more sensitive data, but a lot of gov sites have been crap in my limited experience of using them.

    1. Captain Badmouth
      Thumb Up

      Re: Goverment in general?

      In answer to your question gets an A+ rating from Qualys ssl labs. Article refers to an A rating as the maximum, not according to Qualys it seems.

    2. Anonymous Coward

      Re: Goverment in general?

      Test it yourself here: redirects to https and gets A+ which is very good (and a bit of a pleasant surprise) I note they do not even support SSL v3 at all.

      Now let's try this:

      Hmmm D - more work needed. To be fair most webmasters are aware of the SSL Labs rating, fewer know about the headers thing.

      1. Anonymous Coward
        Anonymous Coward

        Re: tests

        interesting sites. my hospitals website scored an F in the header thing

        1. Anonymous Coward

          Re: tests

          "interesting sites. my hospitals website scored an F in the header thing"

          Many sites do, it is the way of things. Most web server owners concentrate on the SSL rating, hellbent on getting an A or the mystical A+ and are blissfully unaware that things like CSP (which can be hard to do) is even a thing.

          Once you've got an A on both the next step is to get things like mod_security up and running. All without breaking your website/webapp and not restricting too much who can even see it! For PCI-DSS (eventually when they remove the relaxation on the standard) compliance you'll be needing to disallow up to and including TLS 1.0 and that wont work on Exchange OWA running on Win 2008R2 - as so many do. Then you'll need something like HA Proxy to do the dirty work.

      2. Baldy50

        Re: Goverment in general?

        Thanks, very interesting bud.

        On the first one, this site scored an 'A' but an 'F' on the other.

      3. wyatt

        Re: Goverment in general?

        El Reg didn't do too well with the Security Header scan..

  5. Mark Simon

    The fundamental problem …

    The fundamental problem with the Police is that they are run by Government. By and large, Government is stupid, deferring to seniority and popularity rather than expertise. Those who make the important decisions are there because they have been in the right place long enough to impress someone senior with even less knowledge.

    1. 's water music

      Re: The fundamental problem …

      The fundamental problem with the Police is that they are run by Government. By and large, Government is stupid...

      I think you have "government" mixed up with "humans". The private sector just spends longer rolling their turds in glitter.

    2. Kurt Meyer

      Re: The fundamental problem …

      @ Mark Simon

      "The fundamental problem with the Police is that they are run by Government."

      Genuine question.

      Is there an alternative to this fundamental problem?

      I can't think of any alternative that would be acceptable to the majority of the British public.

  6. adam payne

    He said: “It’s 2016. The internet is not new, the cyber security threat is not new, and yet some police forces and their IT providers seem to think it is acceptable to pay large sums of taxpayer money for insecure technology.”

    As long as the money gets paid i'm quite sure that the IT provider doesn't care.

    I would say it's safe to assume that any changes to the site to make it more secure would need to be paid for by the taxpayer.

  7. Anonymous Coward
    Anonymous Coward

    In the words of John Cleese in Life Of Brian

    "You're fuckin' nicked, me old beauty"

  8. Alan Brown Silver badge

    All the https in the world won't help

    Https is just a transport layer.

    The website itself needs to be securely setup and the vast majority are trivially subvertable.

    The problem with pointing _that_ out is that you end up ruffling the feathers of some self-declared expert who in this case has the power to give you a bad day, instead of being forced to fix it.

  9. crediblywitless

    How much trouble does a non-HTTPS website actually cause? Statistics are available, I take it?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like