HMRC's HTTPS howler: Childcare payments site cert expired at 1am on Sunday, down for hours Furious parents have lashed out at Her Majesty's Revenue and Customs after the UK tax authority let a key HTTPS certificate expire on its childcare tax credit portal. Numerous people contacted us almost immediately when the HTTPS certificate on childcare.tax.service.gov.uk expired at 00:59:59 on Sunday 22 September. As Reg …
Remember this is Government and control must be maintained at all times.
All purchases must be made through the proper procurement channels from approved suppliers only. Suppliers can apply to be on the approved suppliers list by submitting their application to the procurement department whereupon it will be reviewed and approved over several lunches laid on by the supplier.
Once sufficiently wined and dined the procurement department will list the approved suppliers offerings on the Government procurement site at three times the street price.
So no, free certificates are certainly not going to be permitted.
And consider how this probably went:
1. First user reports problem
2. Help Desk faff about with it for an hour
3. A techy happens to come across it and, within 10 mins, identifies the issue and what needs to be done
4. Manglement faff about for a few hours until someone finally authorises the expenditure
5. Change Management hold up implementation while they ask for a full risk analysis and assurances there will be no down time (!)
6. techy implements win 10 mins
Probably six hours for a 15 min job. Of course, it shouldn't have occurred in the first place, but I'd be lying if I said I'd never been party to such an oversight in the dim & distant past...
At least it sounds like they couldn't do help desk did on one of my systems - tell user how to bypass check and close ticket, fortunately user contacted me as they felt it worng, but the battle it took to get helpdesk to amended their procedures when a user hit the problem with internal system to send ticket onto the support team.
It really is not hard or expensive to monitor this sort of thing.
Even the free version of PRTG could monitor 100 sites for expiring certificates amongst other useful information with a lot of options for notifications.
It has been bugging me for a month about a cert that is due to expire, still have another 30 days to get a new on, it only takes minutes to replace if you know what you are doing.
Despite all the foaming at the mouth, it's worth pointing out that any transactions with the site are still encrypted, you just can't be sure you are connected to the server you thought you were.
However, the chances of someone trying a man-in-the-middle attack with an expired (but otherwise correct) certificate are remote to say the least.
I suspect you're hearing about it more because things like HSTS and the gradual ratchetting up of HTTPS security paranoia in the browsers is increasing the impact of such SNAFUs. It's not that long ago you'd have been able to work around the cert problem by just removing the "s" from the protocol schema part of the URL and trying again...
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
