The flaw came to the attention of SCMagazineUK.com over the weekend. Visits to the CESG website home page were initially greeted with an error message about the website's security certificate, but by the middle of the week the HTTPS version of the website had been removed, leaving visitors with the message ‘the web page cannot be found’.
“This organisation's certificate has been revoked,” read the message. “Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server…We recommend that you close this webpage and do not continue to this website.”
A source with close connections to UK government told SC that the problems stemmed from CESG's certificate, issued by Symantec, relying on the obsolete SHA-1 hashing algorithm, which could lead to a lot of information being openly available. Note that a revoked certificate and a SHA-1 signature are distinct failures in a browser: the warning quoted above is a revocation check failing, not a rejection of the signature algorithm.
The source went on to note that Microsoft had accelerated its plans to stop accepting SHA-1 as a secure algorithm from July, as it is ten years old. Google Chrome has since joined this club, although some older browsers do still accept the hash.
“My view is any good penetration test should have seen this and recommended that SHA1 be upgraded many moons ago,” the source said.
However, on Wednesday the agency moved to a new certificate, issued by Symantec, signed with SHA-256 and using a 2048-bit RSA key. The certificate is valid for another three years, and the site now supports TLS 1.2.
CESG eventually responded to our calls and emails with a brief statement by phone. “All we're prepared to say is that we experienced a technical problem with the website but that it has now been resolved,” a spokesperson told SC.
CESG is currently in the middle of launching a new CESG website and platform.