Bletchley Park Trust vows to shore up insecure website

The Bletchley Park Trust has promised that a website revamp due in January will address security concerns highlighted by a security expert on Sunday. Paul Moore slammed the site, which was home of the WWII Enigma codebreakers, for all manner of security shortcomings including emailing password resets and vulnerabilities to the …

  1. Anonymous Coward
    Stop

    Article amended for another website we all know of.

    It's fair to say that we are dealing with an IT website, rather than a bank. But it's not unreasonable to suggest that those behind the site should be setting an example for similar businesses, in honour of the readership it commands.

  2. Anonymous Coward

    ??

    "It's fair to say that we are dealing with a national heritage/museum website, rather than a bank. But it's not unreasonable to suggest that those behind the site should be setting an example for similar businesses, in honour of the heroic security legacy they celebrate."

    That heroic security legacy was of course the breaking of codes through exploiting weaknesses in ciphers, and automating the exploiting - seems fitting that their own website has a weakness that can be exploited, no?

    1. David Pollard

      Re: ??

      ... seems fitting that their own website has a weakness that can be exploited ...

      But shouldn't they put a honeytrap in there or something similar?

      1. Anonymous Coward

        Re: ??

        If you manage to hack the site, it gives you the Atlantic weather forecast in German :)

        1. Mike 16 Silver badge

          Re: ??

          Do these come from Kurt?

          https://en.wikipedia.org/wiki/Weather_Station_Kurt

  3. Anonymous Coward

    Went to website.

    Found out what CMS platform they're using.

    Made a mental note never to use that platform.

    1. Steve Davies 3 Silver badge

      So what CMS?

      why not tell us so we can make our own informed decision?

      1. Anonymous Coward

        Re: So what CMS?

        Because (1) I don't like naming and shaming, and (2) it's pretty easy to find out for yourself if you go to the site.

      2. Anonymous Coward

        Re: So what CMS?

        To save others from the 30 seconds' work... Craft CMS

  4. Alan J. Wylie

    I've seen far worse

    The "F" grade at SSLLabs is due to the same certificate being hosted on a web server elsewhere (this may be their backend server, they are behind Cloudflare) with SSLv2 and export grade (deliberately weakened) ciphers supported. The certificate has a SHA1 intermediate certificate in the chain, so they will need to update it anyway before the major browsers start giving warnings early in the new year[1]. Doing this will help to mitigate the problem, no need for an entire new web site. They should also be either getting the 2nd server turned off, if it is unused, or better secured if it is their backend server.

    [1] https://community.qualys.com/message/35468-sha-1-deprecation-countdown

  5. Anonymous Coward

    Almost as bad...

    ...as a website for news used by many involved in IT that doesn't use https, so is open to all sorts of malicious code injection to the potential detriment of its IT-using crowd.

  6. Ompaul

    when no https you can't get some of those bugs - but anyone can play with the traffic between the sender and receiver

    if you think that a site with an A rating from ssllabs is good

    you should stick that same site into securityheaders.ie

    1. Captain Badmouth
      FAIL

      Re: security headers

      Yep, gets an F there too.
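The point of the two comments above is that a TLS grade says nothing about the response headers a site sends. The following is an added example, not code from the thread or from the securityheaders service: an offline checker over constructed responses, whose header list and letter grading are this example's own simplification, not the service's real scoring rules.

```python
# Added example (not from the thread): a minimal offline checker in the spirit
# of the securityheaders test mentioned above. The header list and the letter
# grading are this example's own simplification, not the service's real rules.
from typing import Dict, List, Tuple

# (header name, substring the value must contain or "" for any value, risk if absent)
CHECKS = [
    ("Strict-Transport-Security", "max-age=",
     "browsers keep using plaintext HTTP for this host"),
    ("Content-Security-Policy", "",
     "no limit on which script/style sources the page may load"),
    ("X-Frame-Options", "",
     "page can be framed by other sites (clickjacking)"),
    ("X-Content-Type-Options", "nosniff",
     "browsers may MIME-sniff responses into scripts"),
    ("Referrer-Policy", "",
     "full URLs leak to third parties in the Referer header"),
]

def grade_headers(headers: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (letter grade, findings). Header names match case-insensitively."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, needle, risk in CHECKS:
        value = lower.get(name.lower())
        if value is None:
            findings.append(f"missing {name}: {risk}")
        elif needle and needle.lower() not in value.lower():
            findings.append(f"weak {name}={value!r}: expected {needle!r}")
    # Five checks: 0 findings -> A, 5 -> F (one letter per finding).
    return "ABCDEF"[min(len(findings), 5)], findings

# Constructed sample responses. The first carries only ordinary headers, which is
# exactly the "A at SSL Labs, F at securityheaders" situation: good TLS, no hardening.
TLS_ONLY_SITE = {"Content-Type": "text/html", "Server": "nginx"}
HARDENED_SITE = {
    "content-type": "text/html",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "default-src 'self'",
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, site in (("tls-only", TLS_ONLY_SITE), ("hardened", HARDENED_SITE)):
        grade, findings = grade_headers(site)
        print(label, grade)
        for line in findings:
            print("  -", line)
```

To check a live response rather than the constructed dicts, feed it the headers returned by any HTTP client as a plain dict.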

  7. EJ

    Dead now?

    Is it just me or has someone set fire to the site and it's just a smoking pile of ruins?


Biting the hand that feeds IT © 1998–2021