The UK’s Centre for Public Safety has released new research examining the secure connections to and from UK police websites.

Headline stats, from 71 websites, include:

  • 24% of the sites lacked any automatic secure connection
  • Of these, 70% invited users to submit personal data via the unsecured connection
  • 10% had a significant vulnerability in their implementation of a secure connection
  • Just 27% of websites demonstrated the highest world-class standard of secure connection
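The first two headline figures measure two concrete properties: whether a plain-HTTP request is automatically upgraded to HTTPS, and whether any form on the page would submit its contents over an unencrypted connection. The following Python checker is an added example, not code from the report or this article, and tests both properties offline against a constructed response; the hostname, status, headers and HTML are made up for illustration.

```python
"""Offline check for the two survey criteria: automatic HTTPS upgrade and
forms that submit over plain HTTP. Sample data below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect the action attribute of every <form> in a document."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":  # HTMLParser already lower-cases tag names
            self.actions.append(dict(attrs).get("action") or "")


def redirects_to_https(status, headers):
    """True if the response is a redirect whose Location is an https:// URL."""
    if status not in (301, 302, 303, 307, 308):
        return False
    location = next((v for k, v in headers.items() if k.lower() == "location"), "")
    return urlsplit(location).scheme == "https"


def insecure_form_targets(page_url, html):
    """Absolute action URLs of forms that would submit over plain HTTP."""
    collector = _FormCollector()
    collector.feed(html)
    targets = []
    for action in collector.actions:
        target = urljoin(page_url, action)  # empty action posts back to the page itself
        if urlsplit(target).scheme != "https":
            targets.append(target)
    return targets


def assess(page_url, status, headers, html):
    """Return the list of findings for one fetched page (empty list means clean)."""
    findings = []
    if urlsplit(page_url).scheme == "http" and not redirects_to_https(status, headers):
        findings.append("no automatic upgrade to HTTPS")
    for target in insecure_form_targets(page_url, html):
        findings.append(f"form submits over HTTP: {target}")
    return findings


# Constructed sample: a plain-HTTP page that neither redirects nor protects its form.
SAMPLE_URL = "http://police.example/report"
SAMPLE_HTML = '<form method="post" action="/report/submit"><input name="name"></form>'

if __name__ == "__main__":
    for finding in assess(SAMPLE_URL, 200, {"Content-Type": "text/html"}, SAMPLE_HTML):
        print(finding)
```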

Mostafa Siraj commented below on this research.

Mostafa Siraj, Senior Security Advisor at WhiteHat Security

“Having a secure connection between end users and websites is a very basic and fundamental security requirement. With the widespread use of public WiFi in the UK, it can literally take a hacker seconds to sniff the entire communication exchange between a user and a website.

“Even when a user is not using public WiFi, if a hacker is able to access any switch or router across the connection between the user and the site, they can still sniff all the data flowing between the two. Given that most of these routers or switches still have the default username and password used to administer them, this is not too big a challenge. If personal information or user credentials are being exchanged, the damage of such sniffing could be even bigger, as most people still use the same username and password combination across all their online accounts.

“For this particular vulnerability, it is very easy and cheap to have a world-class secure connection. A web server costs typically no more than $250 a year and installing and configuring the certificate is also a straightforward activity.

“In some respects, the stark contrast in security standards comes down to the fact that cyber security is not at the top of the list of many organisations’ agendas. Perhaps it is time that the security best practices and regulations that financial and health institutions must comply with are rolled out more broadly. If regulators could force all entities that transfer, process and store personal information to have minimum security requirements, such as having a secure connection, everyone would be better off.”

Information Security Buzz