Saturday, January 27, 2007

Labour's poorly configured "secure" email system

Over on Guido's site this morning, he has posted a link to the private email gateway login page that party political communications from Downing Street use. The link is for this is www.lpnet.org.uk. Interestingly, when you visit it for the first time you will be presented with SSL certificate errors.

I have to say, for a system that is supposedly for the secure sending of email, they haven't particularly filled me with confidence. For a start, the ssl certificate expired in 2003. Also the expired secure certificate wasn't even correctly configured in the first place. The Common Name (CN) for the cert should match the web server name for a start, i.e. www.lpnet.org.uk. The fact that it doesn't, suggests that whoever it was in Whale Communications that set it up was a bit of an idiot. Whale Communications is of course a subsidiary of Microsoft which might explain the failure to set up a computer properly.

I am a little confused by the issuer of the certificate as well. You would expect a company like Whale Communications to use someone like Verisign to issue their certs, but instead it was a machine called "butcher.farmjack.com" by a company that calls itself FarmJack (odd name). Farmjack.com leads to some ROAR holding page today offering piston and hydraulic repairs. Maybe they went bust prior to 2003? If they did I can't seem to find anything about them as an SSL certifcate authority (if someone esle can let me know in the comments).

What does all this mean? Well not a lot really. Other than the Labour Party seem to have shoddily set-up IT systems (no surprise there when you consider, as David Miliband put, their "famed competence" for IT projects. They also seem to be using rather dodgy certificate authority provider for their cert. This is not in itself a bad thing per se (you can after all self-sign certs if you wish), but it's not exactly good practice for such a large organisation that it thoroughly obsessed with issue "best practice" guidelines for everything.

11 comments:

Anonymous said...

Dizzy

You are on the right track but the incompetence does not belong to Whale. They would have used the existing cert to set up and test the system when it was first deployed. It was up to the NuLab techies to install their own cerificate. In fact when you think about it this is pretty consistent with everything else this bunch of no hopes touches.

indigo said...

Whois result for farmjack.com
-------------------------------

Registration Service Provided By: SilentRegister.com
Contact: admin@SilentRegister.info
Visit: http://SilentRegister.com

Domain name: farmjack.com

Administrative Contact:
SilentRegister.com
Richard Lanoszka (admin@SilentRegister.info)
+1.2503869291
Fax: +1.2503869291
620 Toronto Street
Victoria, BC V8V1P7
CA

Technical Contact:
SilentRegister.com
Richard Lanoszka (admin@SilentRegister.info)
+1.2503869291
Fax: +1.2503869291
620 Toronto Street
Victoria, BC V8V1P7
CA

Registrant Contact:
SilentRegister.com
Richard Lanoszka (admin@SilentRegister.info)
+1.2503869291
Fax: +1.2503869291
620 Toronto Street
Victoria, BC V8V1P7
CA

Status: Locked

Name Servers:
ns1.fabulous.com
ns2.fabulous.com

Creation date: 07 Jun 2004 13:37:11
Expiration date: 07 Jun 2007 13:37:11

=======================
Richard Lanoszka is INTELIOS,

http://www.intelios.info/

According to his resume,

http://www.intelios.info/resume/RichardLanoszka.txt

formerly University of Essex, Computer Science Dept. (Colchester, England) Member of Academic Staff [1975-1978]. I worked there, too, at the time. Enormous International Socialist presence.

Anonymous said...

What we want to know, Dizzy, is whether you can break into their system and spill the beans!!

Call it serving Queen and Country.

dizzy said...

errr that would be a universally stupid thing to do

Anonymous said...

Being "out of date" and not particularly a good set-up, does provide for good alibi.

"Its not being used 'guv, it hasn't been used since 2003"

You get the idea ...

ThunderDragon said...

Essex University certainly hasn't got an enormous socialist presence any more! (CF is the largest political society on campus)

indigo said...

At the time whereof I speak, Essex University was heaving with International Socialists. I am trying to remember the name of the then president of the SU; wondering what he is doing now ...

Buenaventura Durruti said...

Funny how
http://www.intelios.info/
is not working this morning - bit rum for a supposed internet company.

errr Dizzy it would only be 'universallly stupid' if you got caught (or of course if yo told anybody you'd done it which would probably be pretty much the same thing).

Jeff said...

Maybe farmer jack could issue a valid cert if Tony hadn't screewed him over the CAP.

Gavin said...

This is interesting. Does anyone know, would the cert (even an expired one) keep a log of all the IPs attempting to "handshake" with it? Not sure if I'm phrasing that correctly, but you see what I'm getting at? If so, would that log be retrievable by whoever controls the server where it's based? And does a SSL cert actually stop functioning once it reaches its exp. date, or does it merely flash up the expiry notice in order to warn web-users that "our customer has failed to resubscribe, so we no longer guarantee" etc?

Anonymous said...

nmap scan:

PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
443/tcp open https
445/tcp filtered microsoft-ds
1720/tcp filtered H.323/Q.931