Crimestoppers finally revamps weak crypto. Take your time guys

Poor rating due to out-of-date SSLv2 protocol

UK crime tip-off service Crimestoppers has revamped its weak website crypto after months of running a system that relied upon obsolete protocols.

Crimestoppers' "secure" form was previously insecure – rating an "F" in tests using the industry-standard SSL Labs service last month – chiefly because of the site's use of the SSLv2 protocol.

Crimestoppers has since fixed (or at least made slightly better) its TLS, so that it is now rated "B" by Qualys' SSL Labs service.

"The original 'F' was due to the SSLv2 protocol, something which should have been dropped nearly 20 years ago [the technology was deprecated in 1996]," UK infosec consultant Paul Moore told El Reg. Moore publicly flagged up the issue in October, shortly before the site's security was improved. Problems had existed since January 2015.

The class of security risk here is one that banks and UK government secure webmail providers, among others, have had issues with in the past.

Crimestoppers allows members of the public to report crime anonymously, either by phone or through its website. Its work is overseen by the Crimestoppers Trust, a UK charity.

Risk audit

We asked Crimestoppers how its site security came to be weaker than it should have been, and what about the confidentiality of sensitive information sent to it whilst its crypto was weak.

In response, the Crimestoppers Trust supplied a statement playing down security concerns, saying that it regularly monitors the security and confidentiality of the web component of its services. Roger Critchell, director of operations at the Crimestoppers Trust, did however admit that a recent risk audit had thrown up issues which have since been resolved.

The trust in our service from the public is paramount to our charity and, to make sure that we gain that trust, we monitor our security regularly to ensure that it is robust and up to date to deal with the thousands of pieces of information we receive each year, whilst still making it compatible with the majority of public operating systems.

We know that the promise of anonymity is critical to our success, with 96 per cent of people surveyed stating it was the reason they contact Crimestoppers. This is why we are ISO27001 certified, obtained in 2013, which was followed by a further review in 2014 and again last month (October).

The public can be reassured that, as this certificate proves, we have robust procedures in place to highlight potential risk areas and deal with them effectively.

A risk audit was performed earlier this year, which identified that the window of opportunity for compromising the security of information was extremely small. All information provided is immediately diverted to our main system which is highly secure.

In addition, contact was made with the ICO to seek its view earlier this year, and after joint analysis of risk, it was deemed to be acceptable.

The charity can reassure the public that there has never been a security breach of any information provided via our website or any other means in the 27 years we have been running.

Moore was less than satisfied with the Crimestoppers Trust's response to security concerns he was instrumental in raising, which were there for any tech-savvy person to identify long beforehand.

"SSLv2, SSLv3 and RC4 are not a solid foundation on which to run a charity reliant upon anonymity," Moore told El Reg. "If, after a collaborative risk assessment with the ICO, these defunct and insecure protocols were deemed 'acceptable'... I'd question the effectiveness of the ICO's involvement in previous cases."

Policing the beat

Moore has also been campaigning to highlight security concerns about the website cryptography of UK policing organisations, in the hope that affected organisations would act to fix their sites. These spirited efforts have not, as yet, borne fruit outside of the Crimestoppers case.

The National Crime Agency's website had been insecure for more than a year but, rather than fix it, the UK policing organisation blocked Qualys SSL Labs so nobody would know, Moore alleges. This block has since been lifted.

Moore ran tests on the NCA site using Qualys SSL Labs earlier this week which revealed it had removed the restriction to allow Qualys to assess the site.

"Unfortunately, there are still three serious failings," according to Moore. For one thing, the certificate hasn't been installed correctly, so some browsers throw security warnings. In addition it's "vulnerable to OpenSSL's CCS, which is a straight fail," and "it's also vulnerable to MiTM attacks, also a straight fail," Moore added.
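For the failings Moore lists here, and for his earlier remark that SSLv2, SSLv3 and RC4 are no foundation for a service built on anonymity, the following is an added example of the checks a site operator would run on their own side. It is not code from the article, from Crimestoppers, the NCA or Paul Moore. It builds a hardened server-side `ssl.SSLContext` next to a deliberately weak one and audits both, and it includes a client-side probe that reports which TLS versions a host accepts and whether its certificate chain validates against the system trust store (an incompletely installed chain surfaces there as a verification error, which is what makes browsers warn). The function names, the cipher policy and any hostname passed to the probe are the example's own assumptions. Modern OpenSSL cannot negotiate SSLv2 or SSLv3 at all, so those still need an external scanner such as SSL Labs, and the probe does not test for the OpenSSL CCS flaw.

```python
"""Defender-side TLS policy audit and version probe.

Added example; not code from The Register, Crimestoppers, the NCA or Paul
Moore.  Function names, the cipher policy and any hostname are assumptions.
"""
import socket
import ssl
import sys

# Substrings that identify cipher suites with no place on a modern server.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")

# Assumed hardened policy: ECDHE key exchange with AEAD ciphers only.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!RC4:!DES:!MD5:!EXPORT"

# TLS versions the probe can actually negotiate; SSLv2/SSLv3 are not
# available in modern OpenSSL, so they cannot be tested from here.
PROBE_VERSIONS = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                  ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


def harden_server_context(certfile=None, keyfile=None):
    """Server context that refuses everything below TLS 1.2 and weak suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)
    if certfile:
        # certfile must hold the leaf plus its intermediates; otherwise clients
        # see an incomplete chain and warn, the misconfiguration described above.
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def weak_server_context():
    """The 'before' picture: lowest protocol floor OpenSSL allows, every suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.set_ciphers("ALL")
    return ctx


def audit_context(ctx):
    """Return a list of findings for a context; an empty list means clean."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version is {ctx.minimum_version.name}")
    for suite in ctx.get_ciphers():
        name = suite["name"].upper()
        if any(marker in name for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite enabled: {suite['name']}")
    return findings


def probe_server(host, port=443, timeout=5.0):
    """Attempt one handshake per TLS version; return {version_name: outcome}.

    create_default_context() verifies the chain against the system roots and
    checks the hostname, so a badly installed certificate is reported rather
    than silently accepted.
    """
    outcomes = {}
    for version in PROBE_VERSIONS:
        ctx = ssl.create_default_context()
        ctx.minimum_version = version
        ctx.maximum_version = version
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    outcomes[version.name] = f"accepted ({tls.cipher()[0]})"
        except ssl.SSLCertVerificationError as exc:
            outcomes[version.name] = f"certificate error: {exc.verify_message}"
        except (ssl.SSLError, OSError):
            outcomes[version.name] = "rejected"
    return outcomes


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} hostname")
    print("policy audit of the weak context:", audit_context(weak_server_context()))
    print("policy audit of the hardened context:", audit_context(harden_server_context()))
    for version, outcome in probe_server(sys.argv[1]).items():
        print(f"{version:8} {outcome}")
```

Run it against a host you operate to see, per TLS version, whether the handshake is accepted, rejected, or fails on certificate verification; a server that still accepts TLS 1.0 or reports a verification error on every version is the kind of result that earns an "F" from a scanner. The audit half is what belongs in a deployment test, so that a context drifting back to an older protocol floor or a legacy cipher list is caught before it reaches a live form.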

“I’ve no idea how insecure crypto and a misconfigured certificate would find its way into a live environment, but it doesn't reflect well ... especially as I reported it last year,” Moore told El Reg.

We put these criticisms to the NCA, which acknowledged our initial query but is yet to respond to concerns about its website crypto.

Other UK policing organisations are also falling short in providing robust website cryptography.

If you want to file a complaint about UK policing by filing a concern with the IPCC (Independent Police Complaints Commission), its "secureforms" site... isn't secure, according to Moore.

The main domain is http://ipcc.gov.uk, which is a B, according to Qualys SSL Labs. But, more importantly, the domain they use to collect and process personal information is https://secureforms.ipcc.gov.uk/Pages/form_complaint.aspx, which is an F.

The organisation is yet to respond to El Reg’s query about its website crypto. ®
