British security intelligence service MI5 is so keen for internet companies to water down their encryption, that it has started the ball rolling with its very own website.
Let’s take a closer look at the padlock that shows up in your browser when you visit https://mi5.gov.uk.
Your connection to www.mi5.gov.uk is encrypted using an obsolete cipher suite.
The connection uses TLS 1.0.
The connection is encrypted using AES 256 CBC, with HMAC-SHA1 for message authentication and DHE RSA as the key exchange mechanism.
Perhaps not the most stellar result for MI5.
MI5’s C grade is brought about because they are only supporting the somewhat obsolete TLS 1.0 to encrypt communications between a user’s browser and the website. (TLS, you will remember, was the successor to SSL.)
TLS 1.0 isn’t held in high regard. For instance, earlier this year the PCI Security Standards Council recommended that firms securing payment card data should migrate from SSL 3.0 and TLS 1.0 as they are “no longer examples of strong cryptography or secure protocols” and switch to either TLS 1.1 (sadly, not all of its implementations are considered secure either) or TLS 1.2.
Of course, you’re not planning to enter your credit card details on the MI5 website. (Don’t they already have them? – Ed)
Chances are that MI5 supports TLS 1.0 to ensure that their website is accessible to as wide a number of internet users as possible. But, information security consultant Paul Moore told me, that’s no reason why MI5 could not also support TLS 1.1 and TLS 1.2 if it wanted to.
Taking that step would probably “fix” the MI5’s grade on the Qualys SSL test, and mean that British consumers and businesses wouldn’t have to listen to lessons on internet security from an organisation that only scraped a C grade.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.