Friday, 04 December 2020
The website of Belgian intelligence was unsecured for 24 hours from Wednesday to Thursday because its security certificate had lapsed, the VRT reports.
The lapsed certificate means in theory that the details of visitors to the website were open to the world, and that the site was vulnerable to attack from outside.
The website uses the HTTPS protocol, which is supposed to protect the site itself as well as users from being spied on, ensuring secure communication between both ends.
The protocol requires a security certificate which guarantees the site you are visiting is the site it purports to be.
If the certificate is missing or invalid, most browsers will display a warning that lets the visitor go back but also lets them go ahead anyway.
There is no sign of any actual breach of security in this case, but the possibility exists that users would go ahead, assuming that State Security had suffered a security breach.
What actually happened was much more prosaic than a security breach.
According to a spokesperson for the security service, a miscommunication with the office of the prime minister was the source of the problem. The office, known as the Chancellery, is responsible for the website and for the renewal of any lapsed certificates.
“For weeks now, the State Security service has repeatedly asked for the necessary action to be taken to renew the website’s security certificate,” a spokesperson said.
“We are very much aware of the potential security issue. The Chancellery has now pledged to resolve the issue as soon as possible and will take the website offline.”
In the meantime, the necessary action was taken, the certificate renewed and the site restored.
The Brussels Times