back to article HMRC's HTTPS howler: Childcare payments site cert expired at 1am on Sunday, down for hours

Furious parents have lashed out at Her Majesty's Revenue and Customs after the UK tax authority let a key HTTPS certificate expire on its childcare tax credit portal. Numerous people contacted us almost immediately when the HTTPS certificate on childcare.tax.service.gov.uk expired at 00:59:59 on Sunday 22 September. As Reg …

  1. GnuTzu

    Feature Request

    I fantasize about a feature that would let lame site admins feel their users' pain like an point-of-view gun. Running a site through Qualys SSL Server Test and letting the results get posted on their public wall of shame just doesn't seem to be doing it.

    1. simonlb

      Re: Feature Request

      And of course the only person who can authorise the new certificate only works 9 to 5, Monday to Friday...

      1. katrinab Silver badge
        Coat

        Re: Feature Request

        You don't need budget approval or a purchase order number for a Letsencrypt certificate.

        1. Dan 55 Silver badge

          Re: Feature Request

          I don't think HSTS would let you replace a certificate with another one from a different issuer.

        2. Velv
          Coat

          Re: Feature Request

          Remember this is Government and control must be maintained at all times.

          All purchases must be made through the proper procurement channels from approved suppliers only. Suppliers can apply to be on the approved suppliers list by submitting their application to the procurement department whereupon it will be reviewed and approved over several lunches laid on by the supplier.

          Once sufficiently wined and dined the procurement department will list the approved suppliers offerings on the Government procurement site at three times the street price.

          So no, free certificates are certainly not going to be permitted.

          1. Headley_Grange Silver badge

            Re: Feature Request

            You forgot that 4 quotes from different suppliers will be required to ensure that the best value is obtained for the taxpayer.

            1. Anonymous Coward
              Anonymous Coward

              Re: Feature Request

              ...even though the best value isn’t the cheapest, it just looks good to people who don’t understand the difference between “value” and “cheap”.

      2. TimR

        Re: Feature Request

        And consider how this probably went:

        1. First user reports problem

        2. Help Desk faff about with it for an hour

        3. A techy happens to come across it and, within 10 mins, identifies the issue and what needs to be done

        4. Manglement faff about for a few hours until someone finally authorises the expenditure

        5. Change Management hold up implementation while they ask for a full risk analysis and assurances there will be no down time (!)

        6. techy implements win 10 mins

        Probably six hours for a 15 min job. Of course, it shouldn't have occurred in the first place, but I'd be lying if I said I'd never been party to such an oversight in the dim & distant past...

        1. Anonymous Coward
          Anonymous Coward

          Re: Feature Request

          You forgot the obligatory MI call pulling all techs into it to explain the snafu (in peoples engrish) and how the fix will be implemented once out of said MI call. always good for an hours respite in a shitstorm i find (im usually the 3 and 6).

        2. John Miles

          Re: 2. Help Desk faff about with it for an hour

          At least it sounds like they couldn't do help desk did on one of my systems - tell user how to bypass check and close ticket, fortunately user contacted me as they felt it worng, but the battle it took to get helpdesk to amended their procedures when a user hit the problem with internal system to send ticket onto the support team.

        3. Electric Panda

          Re: Feature Request

          Don't get me started on Change Management.

          At my company they seem hellbent on ousting HR from their "it's actually us who run the company and not the Board" perch.

        4. Phil Kingston

          Re: Feature Request

          For most govt IT I think you're massively underestimating steps 4 and 5. Kinda why I'm a fan of the Restrospecive Change - I'll fix it, you faff about after.

        5. Korev Silver badge

          Re: Feature Request

          You forgot the bit about the seven organisations that the PhBs outsourced to all pointing fingers at each other..

        6. Tom Paine

          Re: Feature Request

          Oh, I'm sure we've all been there at some time or another...

      3. sanmigueelbeer Silver badge
        Facepalm

        Re: Feature Request

        And of course the only person who can authorise the new certificate only works 9 to 5, Monday to Friday.

        But for this outage, that person is on annual leave for a month. Started last week. Via Thomas Cook.

        By the way, did you fill in the forms?

  2. Dave Pickles

    Still down

    They slapped in a new certificate at 10:53 BST but Firefox at least will have none of it; SEC_ERROR_UNKNOWN_ISSUER comes the reply.

    Possibly being in too much of a rush they forgot to install the intermediate certificate(s)?

  3. LeahroyNake

    Its not hard

    It really is not hard or expensive to monitor this sort of thing.

    Even the free version of PRTG could monitor 100 sites for expiring certificates amongst other useful information with a lot of options for notifications.

    It has been bugging me for a month about a cert that is due to expire, still have another 30 days to get a new on, it only takes minutes to replace if you know what you are doing.

    1. Yet Another Anonymous coward Silver badge

      Re: Its not hard

      >Even the free version of PRTG could monitor 100 sites

      But does it meet government tender guidelines part 17b subpara 23 appendix A ?

      Have they applied to be an approved vendor.

      Have they given board seats to enough ex-ministers ?

      1. Anonymous Coward
        Anonymous Coward

        Re: Its not hard

        Simple little form submitted in brown envelope.

    2. TimR

      Re: Its not hard

      Yes, 3 cheers for PRTG. A very cost effective solution to "network monitoring"

      The only thing that bugs me about it is that you can not (easily) test for non HTTP 200 Response codes in the HTTP sensor

  4. Alister

    Despite all the foaming at the mouth, it's worth pointing out that any transactions with the site are still encrypted, you just can't be sure you are connected to the server you thought you were.

    However, the chances of someone trying a man-in-the-middle attack with an expired (but otherwise correct) certificate are remote to say the least.

    1. msage

      Except enforced HSTS won't allow you to proceed with an expired certificate ;) so you couldn't make a proceeduntil the certificate was renewed.

      1. Blacklight

        chrome://net-internals/#hsts

        Remove the domain/site in question, proceed.

        Granted that's not for t'average punter - but it does work in a pinch (like when my webserver doesn't restart and LetsEncrypt has rolled over a cert....)

  5. Whitter
    Joke

    They need to get themselves some self-employed IT contractors

    Obvs.

    1. ovation1357 Bronze badge

      Re: They need to get themselves some self-employed IT contractors

      I bet you a pint that the people chiefly responsible aren't one person self employed contractors but instead are contracted in by one of the usual suspect in the big price poor quality government IT world.

  6. Velv
    Headmaster

    CEST

    As long as the certificate for CEST doesn't expire I'm sure they won't give a fuck worry. Gives confidence, doesn't it...

  7. Aitor 1 Silver badge

    Customers

    The use of the word customers says it all, and it is sad.

    1. Twanky

      Re: Customers

      This ^^

      Our new CIO insisted we should use the term 'customer' for IT users from other departments within our company and 'client' for customers of the company. It had a significant impact within one year - but not a good one.

  8. Will Godfrey Silver badge
    WTF?

    Is this a trend?

    This seems to come up quite a lot recently. Are orgs being more careless or is it just that we're hearing about it more?

    1. Tom Paine

      Re: Is this a trend?

      I suspect you're hearing about it more because things like HSTS and the gradual ratchetting up of HTTPS security paranoia in the browsers is increasing the impact of such SNAFUs. It's not that long ago you'd have been able to work around the cert problem by just removing the "s" from the protocol schema part of the URL and trying again...

  9. Anonymous Coward
    Anonymous Coward

    Time?

    I ran into this when trying to make a payment, just knocked the OS clock back a day, and re-attempted...all went through fine.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021