Secure The Police!

by @edent

Imagine, just for a moment, you suspect that a friend of yours is a criminal. Perhaps they are running an illegal proxy, or hosting a search engine, or maybe criticising a dangerous cult, or even taking suspicious photographs.

These are all - apparently - within the remit of The City Of London Police. Better report such heinous crimes to them. As a high-tech policing unit, they encourage you to report crimes online.

[Image: City Of London, non-secure]

The more astute of you will have noticed that the form is insecure. There's no https:// at the start of that URL. This means any confidential information that you send is transmitted across the Internet in the clear. Anyone sat between you and the police can intercept the data you send and - potentially - change it.

This is sub-optimal - especially for a police force which is seemingly tasked with protecting us from online meanies.

Being the "helpful" chap that I am, I called them out on it. Only to receive these very disappointing responses.

Secure communication between the public and websites is important. I want to know that all my dealings with the police are treated securely. I want to ensure that the data I send them is unmolested in transit. I want the state to take online security as seriously as they take physical security.

So, let's take a look at every UK Police Force website and see which of them have a secure connection.

I've taken the list of forces from the excellent - along with a few more I found along the way. I've specifically looked at their online crime reporting / contact us pages. Ideally all of the site would be secure - but let's not run before we can walk, eh?

I've tried to be as accurate as possible with these data - corrections and updates gratefully received.

| Force | Main Site | Report / Contact | Notes |
|---|---|---|---|
| Avon and Somerset | | | |
| Bedfordshire Police | | | |
| Cambridgeshire Constabulary | | | Available, but not forced. |
| Cheshire Constabulary | | | Main site has https - but not forced |
| City of London Police | | | Now fixed - see update below |
| Cleveland Police | | | Available, but not forced. |
| Cumbria Constabulary | | | |
| Derbyshire Constabulary | | | |
| Devon & Cornwall Police | | | |
| Dorset Police | | | |
| Durham Constabulary | | | No online contact. |
| Essex Police | | | Available, but not forced on main site. |
| Gloucestershire Constabulary | | | |
| Greater Manchester Police | | | |
| Hampshire Constabulary | | | |
| Hertfordshire Constabulary | | | Available, but not forced. |
| Humberside Police | | | |
| Kent Police | | | Online reporting no longer available. |
| Lancashire Constabulary | | | Certificate expired on 01/02/14 10:55 |
| Leicestershire Police | | | Available, but not forced. Contact Us under construction. |
| Lincolnshire Police | | | |
| Merseyside Police | | | Available, but not forced on main site. |
| Metropolitan Police Service | | | |
| Norfolk Constabulary | | | |
| North Yorkshire Police | | | |
| Northamptonshire Police | | | |
| Northumbria Police | | | |
| Nottinghamshire Police | | | |
| South Yorkshire Police | | | |
| Staffordshire Police | | | Available, but not forced. |
| Suffolk Constabulary | | | |
| Surrey Police | | | |
| Sussex Police | | | |
| Thames Valley Police | | | |
| Warwickshire Police | | | |
| West Mercia Police | | | Available, but not forced. |
| West Midlands Police | | | Available on main site, but not forced. |
| West Yorkshire Police | | | Available on main site, but not forced. |
| Wiltshire Police | | | |
| Northern Ireland | | | Hate Crime reporting goes to an untrusted site. |
| Police Scotland | | | |
| Dyfed-Powys Police | | | |
| Gwent Police | | | Available on main site, but not forced. |
| North Wales Police | | | |
| South Wales Police | | | |
| Ask The Police | | | |
| British Transport Police | | | Available, but not forced. |
| Civil Nuclear Constabulary (formerly UKAEA Constabulary) | | | Now part of GOV.UK |
| Ministry of Defence Police | | | |
| The National Crime Agency (NCA) | | | |

You know what - that's a lot better than I was expecting, but it's still pretty dismal.

Several forces - even small ones - routinely secure their entire site. It's good to see that several make a point of securing the contact / reporting pages. Some larger forces need a bit of a push to get their websites in order.

Depressingly, some sites do use https - but the user needs to manually type it into their URL bar! Why bother having https if you don't automatically redirect your users to the secure site?
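The difference between "https available" and "https forced" can be checked mechanically rather than by typing URLs. The Python below is an added example, not the method used to build the table above; the host names and sample observations are constructed, and the function names are my own.

```python
import http.client
import ssl
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def probe(host, path="/", timeout=10):
    """Request path over http, then https, without following redirects.
    Each result is (status, Location header) or an error string."""
    results = []
    for conn_cls in (http.client.HTTPConnection, http.client.HTTPSConnection):
        try:
            conn = conn_cls(host, timeout=timeout)  # https verifies the certificate by default
            conn.request("HEAD", path)
            resp = conn.getresponse()
            results.append((resp.status, resp.getheader("Location")))
            conn.close()
        except ssl.SSLCertVerificationError as exc:  # expired, untrusted, wrong name
            results.append("certificate error: " + exc.verify_message)
        except OSError as exc:  # refused, timed out, no TLS on port 443
            results.append("unreachable: " + str(exc))
    return tuple(results)

def classify(http_result, https_result):
    """Turn the two observations into a note in the style of the Notes column."""
    if isinstance(https_result, str):
        return "No usable https (" + https_result + ")"
    if isinstance(http_result, str):
        return "https only"
    status, location = http_result
    # Forced means the plain-http request is answered with a redirect to an https URL.
    if status in REDIRECTS and location and urlsplit(location).scheme == "https":
        return "https forced"
    return "Available, but not forced"

# Constructed observations for illustration, not results from the survey.
SAMPLES = {
    "forced.example": ((301, "https://forced.example/"), (200, None)),
    "optional.example": ((200, None), (200, None)),
    "expired.example": ((200, None), "certificate error: certificate has expired"),
}

if __name__ == "__main__":
    for host, (plain, secure) in SAMPLES.items():
        print(host, "->", classify(plain, secure))
    # For a live check: print(classify(*probe("www.example.org")))
```

A redirect still leaves the very first plain-http request exposed; a Strict-Transport-Security header on the https response is what tells browsers to skip that request on later visits.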

In this day and age, there's no reason to encrypt only certain areas of your site. The technical overhead of secure communications is trivial and reinforces the idea that security is important to the police.

If the police want to be taken seriously as high-tech crime fighters, they need to ensure their websites meet basic security standards.

Update - 15-August-2014
Have just heard back from the City of London

... the City of London Police have fixed the problem and the relevant forms are now secure and live. We’ll continue to test them to ensure they stay that way and this doesn’t happen again.
Thanks for taking the time to contact us

One thought on “Secure The Police!”

  1. Six years later and - as far as I can tell - every police website now uses HTTPS!
    Except one…
