SSL Certificates
Dear Welsh Government,
Could you please provide the following information:
1. Why do you use wildcard SSL certificates?
2. Why are there two separate wildcard certificates for wales.gov.uk? Please note that man in the middle attacks can be used with the other certificate.
3. Why there are no certificates for cymru.gov.uk
4. Who has access to the private key of either certificate, where it is stored (including backups) and how has this key been transferred between holders.
5. Why does no service support PFS (Perfect Forward Secrecy). This should be an essential requirement in any tender activity.
6. Should hwb.cymru.gov.uk work and why is HWB still in Beta?
7. Why you insist on replying to emails within Microsoft Word attachments.
Replies should not be in the form of an attachment and must be in the body of the email. Attachments are only permitted to provide information released as part of the request.
Yours faithfully,
C Davies
Dear C W Davies
Further to your recent request for information please find attached an
Acknowledgement letter.
Yours sincerely
Stephen
Stephen Downs
Rheolwr Gwybodaeth Busnes / Business Information Manager
Cyllid a Gwasenaethau Corfforaethol / Finance and Corporate Services
Llywodraeth Cymru / Welsh Government
Ffôn / Phone: 02920 826901
E-bost / E-Mail: [email address]
defnyddiwr iShare / defnyddiwr iShare
On leaving the Government Secure Intranet this email was certified virus
free. Communications via the GSi may be automatically logged, monitored
and/or recorded for legal purposes.
Wrth adael Mewnrwyd Ddiogel y Llywodraeth nid oedd unrhyw feirws yn
gysylltiedig â’r neges hon. Mae’n ddigon posibl y bydd unrhyw ohebiaeth
drwy’r GSi yn cael ei logio, ei monitro a/neu ei chofnodi yn awtomatig am
resymau cyfreithiol.
Dear Central Departments - FOI/DP,
Thank you for your acknowledgment. As previously stated I refuse to accept and open proprietary file attachments. Could you please include the your content within the body of the email.
Yours sincerely,
C W Davies
Apologies for the oversight, please see below.
E-mail request
C W Davies
[FOI #207801 email]
Our ref: ATISN 8381
Date: 2 May April 2014
Dear C W Davies
Request for Information – ATISN reference 8381
Thank you for your request which was received by the Welsh Government on 19 April 2014. You asked the following:-
1. Why do you use wildcard SSL certificates?
2. Why are there two separate wildcard certificates for wales.gov.uk? Please note that man in the middle attacks can be used with the other certificate?
3. Why there are no certificates for cymru.gov.uk?
4. Who has access to the private key of either certificate, where it is stored (including backups) and how has this key been transferred between holders?
5. Why does no service support PFS (Perfect Forward Secrecy)? This should be an essential requirement in any tender activity.
6. Should hwb.cymru.gov.uk work and why is HWB still in Beta?
7. Why you insist on replying to emails within Microsoft Word attachments?
Please let me know if the above is not an accurate description of your request. My colleague Stephen Downs, from the Finance and Corporate Services Operations Team, will be able to assist you should you have any queries in relation to your request. His details are contained at the foot of page 1 of this letter.
The request you sent me contains personal data about you - for example, your name and address. I will only use this personal data in accordance with the Data Protection Act 1998 to deal with your request and any matters which arise as a result of it. I will keep your personal data and all other information relating to your request for three years from the date on which your request is finally closed. Your personal data will then be disposed of securely.
Any information released under the Freedom of Information Act 2000 or Environmental Information Regulations 2004 will be listed in the Welsh Government’s Disclosure Log (at www.information.wales.gov.uk).
I expect to write to you again by 21 May 2014.
Yours sincerely
Mike Hutchings
Web Project Manager
Dear Mr Davies
Further to your recent request and our acknowledgement below, in order for us to be able to consider question 7 in more detail, would it be possible for you to provide further clarification and perhaps and an example of when this has occurred.
Yours sincerely
Jamie
Jamie Jenkins
Rheolwr Gwybodaeth - Cyllid a Gwasanaethau Corfforaethol - Llywodraeth Cymru
Information Manager - Finance and Corporate Services - Welsh Government
Ffôn / Phone : 02920 821578
E-mail / E-bost: [email address]
Dear Jenkins, Jamie Michael (FCS - Operations Team),
With regards to question 7, then there is a clear example in your initial reply dated 2nd May. I am aware of many other examples of where Welsh Government and other bodies reply within an attachment, as such the reason why you do this would answer the question. I and the ICO would not consider the need for a clarification on this question, and I note that you should have at least answered the other points by the end of today (the day you will read this).
Yours sincerely,
C Davies
Dear Mr Davies
Please find below your disclosure letter. Apologies, this response had
been prepared, prior to receiving your clarification, and the response to
Q7 indicates we did not receive clarification. Therefore I am issuing the
response as drafted and can assure you that Q7 will be responded to in due
course (it is currently being considered by the Lead official).
Regards
Stephen
Stephen Downs
Rheolwr Gwybodaeth Busnes / Business Information Manager
Cyllid a Gwasenaethau Corfforaethol / Finance and Corporate Services
Llywodraeth Cymru / Welsh Government
Ffôn / Phone: 02920 826901
E-bost / E-Mail: [email address]
defnyddiwr iShare / defnyddiwr iShare
E-mail request
C W Davies
[1][FOI #207801 email]
Our ref: ATISN 8381
Date: 21 May 2014
Dear C Davies
Requests for Information – ATISN reference 8381
Thank you for your request which was received by the Welsh Government on
16 April 2014. Thank you for your request which was received by the Welsh
Government on 19 April 2014. You asked the following:-
1. Why do you use wildcard SSL certificates?
2. Why are there two separate wildcard certificates for wales.gov.uk?
Please note that man in the middle attacks can be used with the other
certificate?
3. Why there are no certificates for cymru.gov.uk?
4. Who has access to the private key of either certificate, where it is
stored (including backups) and how has this key been transferred between
holders?
5. Why does no service support PFS (Perfect Forward Secrecy)? This should
be an essential requirement in any tender activity.
6. Should hwb.cymru.gov.uk work and why is HWB still in Beta?
7. Why you insist on replying to emails within Microsoft Word attachments?
Please refer to Annex 1.
Any information released under the Freedom of Information Act 2000 or
Environmental Information Regulations 2004 will be listed in the Welsh
Government’s Disclosure Log (at [2]www.information.wales.gov.uk).
If you believe that I have not followed the relevant laws, or you are
unhappy with this response, you may request an internal review by writing
to:-
Mr Des Clifford
Director of the Office of the First Minister
Welsh Government
Cathays Park
Cardiff, CF10 3NQ
When dealing with any concerns, we will follow the principles set out in
the Welsh Government’s Code of Practice on Access to Information which is
available on the Internet at [3]www.wales.gov.uk or by post.
You also have the right to complain to the Information Commissioner.
Normally, however, you should pursue the matter through our internal
procedure before you complain to the Information Commissioner. The
Information Commissioner can be contacted at:-
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 01625 545 745
Fax: 01625 524 510
Email: [email address]
Also, if you think that there has been maladministration in dealing with
your request then you may make a complaint to the Public Services
Ombudsman for Wales who can be contacted at:-
Public Services Ombudsman for Wales
Ffordd yr Hen Gae
Pencoed
Bridgend
CF35 5LJ
Telephone: 0845 6010987 (local rate)
Email: [email address]
Yours sincerely
Mike Hutchings
Senior Communication Officer
Annex 1
1. Why do you use wildcard SSL certificates?
Wildcard SSL certificates are for secure elements of our site such as
forms and registration / login.
2. Why are there two separate wildcard certificates for wales.gov.uk?
Please note that man in the middle attacks can be used with the other
certificate.
There are two separate wildcard certificates issued for wales.gov.uk.
However only one of them is being used by the Welsh Government website –
the other is used for other purposes by the National Assembly for Wales.
3. Why there are no certificates for cymru.gov.uk?
There is a wildcard for cymru.gov.uk.
4. Who has access to the private key of either certificate, where it is
stored (including backups) and how has this key been transferred between
holders?
Keys and backups are stored securely. Transfers are made on encrypted
removable media or via secure networks.
5. Why does no service support PFS (Perfect Forward Secrecy)? This should
be an essential requirement in any tender activity.
Forward secrecy has not been considered necessary for these services.
6. Should hwb.cymru.gov.uk work and why is HWB still in Beta?
Hwb.cymru.gov.uk is now working. Hwb is about to go through a significant
redesign following feedback from users while in Beta. The new design will
be launched later this year and the site will remain in Beta until that
point.
7. Why you insist on replying to emails within Microsoft Word attachments.
A follow up e mail, to my acknowledgement, was sent to you on Friday 9^th
May (seeking clarification). As I have not received such clarification I
am unable to provide a response to this question. Should you wish to
follow up, with clarification, this would be regarded as a new request for
information.
Dear Jenkins, Jamie Michael (FCS - Operations Team),
With regards to question 7, then there is a clear example in your initial
reply dated 2nd May. I am aware of many other examples of where Welsh
Government and other bodies reply within an attachment, as such the reason
why you do this would answer the question. I and the ICO would not
consider the need for a clarification on this question, and I note that
you should have at least answered the other points by the end of today
(the day you will read this).
Yours sincerely,
C Davies
Dear Mr Davies
Further to our recent disclosure on, ATISN 8381, I now have a response to
Q7.
The Welsh Government does not have a specific policy regarding the
inclusion of Word attachments with e-mails. E-mails to individuals often
include attachments in order to include specific templates for ease of use
of the citizen, and these often are often in the form of Word attachments
or PDFs. Should an individual require an attachment in an alternative
format, these are available upon request.
Thank you for your patience and apologies for the delay in responding.
Yours sincerely
Stephen
Stephen Downs
Rheolwr Gwybodaeth Busnes / Business Information Manager
Cyllid a Gwasenaethau Corfforaethol / Finance and Corporate Services
Llywodraeth Cymru / Welsh Government
Ffôn / Phone: 02920 826901
E-bost / E-Mail: [email address]
defnyddiwr iShare / defnyddiwr iShare
_____________________________________________
From: Downs, Stephen (FCS - Operations Team) On Behalf Of Central
Departments - FOI/DP
Sent: 21 May 2014 11:28
To: '[FOI #207801 email]'
Subject: ATISN 8381 - Disclosure response
Dear Mr Davies
Please find below your disclosure letter. Apologies, this response had
been prepared, prior to receiving your clarification, and the response to
Q7 indicates we did not receive clarification. Therefore I am issuing the
response as drafted and can assure you that Q7 will be responded to in due
course (it is currently being considered by the Lead official).
Regards
Stephen
Stephen Downs
Rheolwr Gwybodaeth Busnes / Business Information Manager
Cyllid a Gwasenaethau Corfforaethol / Finance and Corporate Services
Llywodraeth Cymru / Welsh Government
Ffôn / Phone: 02920 826901
E-bost / E-Mail: [1][email address]
defnyddiwr iShare / defnyddiwr iShare
E-mail request
C W Davies
[2][FOI #207801 email]
Our ref: ATISN 8381
Date: 21 May 2014
Dear C Davies
Requests for Information – ATISN reference 8381
Thank you for your request which was received by the Welsh Government on
16 April 2014. Thank you for your request which was received by the Welsh
Government on 19 April 2014. You asked the following:-
1. Why do you use wildcard SSL certificates?
2. Why are there two separate wildcard certificates for wales.gov.uk?
Please note that man in the middle attacks can be used with the other
certificate?
3. Why there are no certificates for cymru.gov.uk?
4. Who has access to the private key of either certificate, where it is
stored (including backups) and how has this key been transferred between
holders?
5. Why does no service support PFS (Perfect Forward Secrecy)? This should
be an essential requirement in any tender activity.
6. Should hwb.cymru.gov.uk work and why is HWB still in Beta?
7. Why you insist on replying to emails within Microsoft Word attachments?
Please refer to Annex 1.
Any information released under the Freedom of Information Act 2000 or
Environmental Information Regulations 2004 will be listed in the Welsh
Government’s Disclosure Log (at [3]www.information.wales.gov.uk).
If you believe that I have not followed the relevant laws, or you are
unhappy with this response, you may request an internal review by writing
to:-
Mr Des Clifford
Director of the Office of the First Minister
Welsh Government
Cathays Park
Cardiff, CF10 3NQ
When dealing with any concerns, we will follow the principles set out in
the Welsh Government’s Code of Practice on Access to Information which is
available on the Internet at [4]www.wales.gov.uk or by post.
You also have the right to complain to the Information Commissioner.
Normally, however, you should pursue the matter through our internal
procedure before you complain to the Information Commissioner. The
Information Commissioner can be contacted at:-
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 01625 545 745
Fax: 01625 524 510
Email: [5][email address]
Also, if you think that there has been maladministration in dealing with
your request then you may make a complaint to the Public Services
Ombudsman for Wales who can be contacted at:-
Public Services Ombudsman for Wales
Ffordd yr Hen Gae
Pencoed
Bridgend
CF35 5LJ
Telephone: 0845 6010987 (local rate)
Email: [6][email address]
Yours sincerely
Mike Hutchings
Senior Communication Officer
Annex 1
1. Why do you use wildcard SSL certificates?
Wildcard SSL certificates are for secure elements of our site such as
forms and registration / login.
2. Why are there two separate wildcard certificates for wales.gov.uk?
Please note that man in the middle attacks can be used with the other
certificate.
There are two separate wildcard certificates issued for wales.gov.uk.
However only one of them is being used by the Welsh Government website –
the other is used for other purposes by the National Assembly for Wales.
3. Why there are no certificates for cymru.gov.uk?
There is a wildcard for cymru.gov.uk.
4. Who has access to the private key of either certificate, where it is
stored (including backups) and how has this key been transferred between
holders?
Keys and backups are stored securely. Transfers are made on encrypted
removable media or via secure networks.
5. Why does no service support PFS (Perfect Forward Secrecy)? This should
be an essential requirement in any tender activity.
Forward secrecy has not been considered necessary for these services.
6. Should hwb.cymru.gov.uk work and why is HWB still in Beta?
Hwb.cymru.gov.uk is now working. Hwb is about to go through a significant
redesign following feedback from users while in Beta. The new design will
be launched later this year and the site will remain in Beta until that
point.
7. Why you insist on replying to emails within Microsoft Word attachments.
A follow up e mail, to my acknowledgement, was sent to you on Friday 9^th
May (seeking clarification). As I have not received such clarification I
am unable to provide a response to this question. Should you wish to
follow up, with clarification, this would be regarded as a new request for
information.
Dear Jenkins, Jamie Michael (FCS - Operations Team),
With regards to question 7, then there is a clear example in your initial
reply dated 2nd May. I am aware of many other examples of where Welsh
Government and other bodies reply within an attachment, as such the reason
why you do this would answer the question. I and the ICO would not
consider the need for a clarification on this question, and I note that
you should have at least answered the other points by the end of today
(the day you will read this).
Yours sincerely,
C Davies
Dear Welsh Government,
Please pass this on to the person who conducts Freedom of Information reviews.
I am writing to request an internal review of Welsh Government's handling of my FOI request 'SSL Certificates'.
I had requested technical details relating to why you have made the dissension that you have, which has resulted in a response that shows a lack of understanding on significant security issues.
> 1. Why do you use wildcard SSL certificates?
> Wildcard SSL certificates are for secure elements of our site such as
> forms and registration / login.
Here I'm asking why you have made the dissension to use Wildcard certificates instead of a per-host certificate, particularly where third party contractors such as Learning Possibilities have access to the private key that can intercept Welsh Government communications.
> 2. Why are there two separate wildcard certificates for wales.gov.uk?
> Please note that man in the middle attacks can be used with the other
> certificate.
> There are two separate wildcard certificates issued for wales.gov.uk.
> However only one of them is being used by the Welsh Government
> website – the other is used for other purposes by the National
> Assembly for Wales.
You therefore state that the National Assembly, which is a separate organisation can intercept your communications?
> 3. Why there are no certificates for cymru.gov.uk?
> There is a wildcard for cymru.gov.uk.
Although you state this, there is no evidence of this, none of these HTTPS links work:
https://www.cymru.gov.uk/
https://hwb.cymru.gov.uk/
https://gwlad.cymru.gov.uk/
https://prp.cymru.gov.uk/
Is it therefore policy to prefer 'Wales' over 'Cymru'? I note that if you click on 'Cymraeg' on any of your websites, you always stay within wales.gov.uk, which makes no sense.
> 4. Who has access to the private key of either certificate, where it is
> stored (including backups) and how has this key been transferred
> between holders?
> Keys and backups are stored securely. Transfers are made on
> encrypted removable media or via secure networks.
You have failed to mention who has access, such as external companies like Learning Possibilities. You have not mentioned how this is stored, such as file permissions, whether there is a password on the private key, and which group of employees have access.
Additionally you have not stated what your secure networks are, does this include the use of unverified SSL certificates when transferring the information to third parties?
> 5. Why does no service support PFS (Perfect Forward Secrecy)? This
> should be an essential requirement in any tender activity.
> Forward secrecy has not been considered necessary for these services.
Could you please provide your risk assessment for this, as the private key being leaked via heartbleed or other means would reveal all of your data for anyone who is able to intercept your communications. Could you therefore also confirm that none of your third party contractors have been vulnerable at any point in time to heartbleed?
Finally, as a formal complaint, will you revoke all of your wildcard certificates and replace them with certificate for individual purposes, as it looks like you don't have control of who has access to the private keys.
A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.whatdotheyknow.com/request/s...
Yours faithfully,
C W Davies
Dear C W Davies
Please find attached a response to your complaint on disclosure ATISN
8381.
Yours sincerely
Stephen
Stephen Downs
Rheolwr Gwybodaeth Busnes / Business Information Manager
Adran Gwasanaeth Busnes / Business Service Division
Cyllid a Gwasanaethau Corfforaethol / Finance and Corporate Services
Llywodraeth Cymru / Welsh Government
Ffôn / Phone: 02920 826901
E-bost / E-Mail: [email address]
On leaving the Government Secure Intranet this email was certified virus
free. Communications via the GSi may be automatically logged, monitored
and/or recorded for legal purposes.
Wrth adael Mewnrwyd Ddiogel y Llywodraeth nid oedd unrhyw feirws yn
gysylltiedig â’r neges hon. Mae’n ddigon posibl y bydd unrhyw ohebiaeth
drwy’r GSi yn cael ei logio, ei monitro a/neu ei chofnodi yn awtomatig am
resymau cyfreithiol.
We work to defend the right to FOI for everyone
Help us protect your right to hold public authorities to account. Donate and support our work.
Donate Now