HMRC's HTTPS howler: Childcare payments site cert expired at 1am on Sunday, down for hours

Gov.uk portal finally lurched back to life after lunch

Updated: Furious parents have lashed out at Her Majesty's Revenue and Customs after the UK tax authority let a key HTTPS certificate expire on its childcare tax credit portal.

Numerous people contacted us almost immediately when the HTTPS certificate on childcare.tax.service.gov.uk expired at 00:59:59 on Sunday 22 September.

As Reg reader Cian put it, the web app at that address "will let you pay a certain amount of your childcare bill before tax," adding that "it can be worth a few hundred quid a month if you have a high childcare bill."

HTTPS certificates are used to establish encrypted connections between your browser and the website you are visiting to shield your information from criminals trying to eavesdrop on or tamper with financial details, and other data in transit, for nefarious purposes.

Any webpage served over HTTPS without a valid TLS certificate has shown a "not secure" warning in the Chrome address bar since version 68, and Mozilla's Firefox, Microsoft's Edge and Apple's Safari will likewise warn you that they may not be able to establish a secure connection to the server.

The screen greeting visitors to https://childcare.tax.service.gov.uk/ on a Chromium-based browser this morning

HMRC has at least got its security posture right by enforcing HSTS, which prevents people from accessing the site other than through a secured HTTPS connection. The idea there is to prevent connection-downgrading attacks by online mischief-makers. Unfortunately, that also means you can't power on through the "Are you sure?" checks built into most modern browsers and take the risk for yourself.
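A monitoring check for this failure mode, as an added example that is not from the article or from HMRC: it classifies a certificate by the time left before its notAfter date and escalates when an HSTS policy is in force, because that is the case where browsers offer no click-through. The notAfter string (the article's expiry time, treated as GMT), the header value, the thresholds and the status names are all constructed for illustration.

```python
import re
import ssl
from datetime import datetime, timezone

def parse_hsts(header):
    """Return max-age (seconds) from a Strict-Transport-Security value, 0 if absent."""
    if not header:
        return 0
    m = re.search(r'(?i)(?:^|;)\s*max-age\s*=\s*"?(\d+)"?\s*(?:;|$)', header)
    return int(m.group(1)) if m else 0

def assess(not_after, hsts_header, now, warn_days=30):
    """Classify a certificate by days remaining and whether HSTS blocks click-through.

    not_after uses the 'Mon DD HH:MM:SS YYYY GMT' form returned by ssl.getpeercert().
    Status names are hypothetical labels for this example.
    """
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    days_left = (expiry - now).total_seconds() / 86400
    # max-age=0 tells browsers to forget the policy, so it does not count as enforced.
    hsts = parse_hsts(hsts_header) > 0
    if days_left < 0:
        # With HSTS the browser error cannot be bypassed: the site is down for users.
        status = "HARD_OUTAGE" if hsts else "EXPIRED"
    elif days_left <= warn_days:
        status = "RENEW_NOW" if hsts else "RENEW_SOON"
    else:
        status = "OK"
    return {"status": status, "days_left": round(days_left, 2), "hsts": hsts}

# Constructed sample values, not captured from the real service.
SAMPLE_NOT_AFTER = "Sep 22 00:59:59 2019 GMT"
SAMPLE_HSTS = "max-age=31536000; includeSubDomains"

if __name__ == "__main__":
    for label, now in [
        ("three months before", datetime(2019, 6, 1, tzinfo=timezone.utc)),
        ("three weeks before", datetime(2019, 9, 1, 0, 59, 59, tzinfo=timezone.utc)),
        ("morning after", datetime(2019, 9, 23, 9, 0, tzinfo=timezone.utc)),
    ]:
        print(label, assess(SAMPLE_NOT_AFTER, SAMPLE_HSTS, now))
```

In a live check the two inputs would come from the peer certificate's notAfter field and the response's Strict-Transport-Security header.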

Bewilderingly, at the time of writing, HMRC hadn't organised itself sufficiently to install a new certificate, with a corporate mouthpiece admitting he wasn't aware of the outage but promising a full statement in due course. However, all seemed to be working as intended after lunchtime.

We will update this article if HMRC gets itself into gear. ®

Updated to add 15:00 UTC 23/09/2019

An HMRC spokesperson got in touch to say: "We're sorry that customers were temporarily unable to access the childcare service. This technical issue has now been resolved and the service is working well. We can assure users that their data has not been compromised."
