MI5 e-mail list subscriptions now more secure than at launch
Sometime on Friday evening, the MI5 e-mail list subscription service was modified from the shambolic version which was launched on Tuesday evening (see "MI5 e-mail alert signup shambles - all email subscription web forms sent to the USA, without encryption").
The e-mail list subscription service no longer seems to send your personal data to the USA in an unencrypted format, but it is still not being hosted entirely on secure UK Government IT infrastructure.
However, signing up this way no longer gets you an email confirmation immediately; you will now have to wait "a few days". Will the terrorists also wait ?
There has been no indication of an update to the website on its front page, which still claims "Updated 9.1.07 17:00"
There has been no new news item on the What's New page, and so, it is not surprising that there has not been an email message to those people who have already subscribed to the MI5 website news update e-mail list.
The links to the web form now take you to an SSL / TLS encrypted web page.
You can now register "anonymously":
To subscribe, enter your e-mail address and, optionally, your name in the form below and press the "Subscribe" button. You can register anonymously if you wish, but providing your name (or a user name of some description) will enable us to help you more effectively if you report a problem with your subscription.
There is also now an extra paragraph at the bottom of the page :
Your subscription details will be sent over a secure Internet connection via a Secure Socket Layer (SSL), a protocol used for secure communications over the Internet. Web addresses that begin with "https" indicate that an SSL connection will be used.
Hooray ! This uses the already installed Digital Certificate for the www.mi5.gov.uk website, which was already being used for an SSL encrypted web form.
So far, so good, but why could this not have been done on Tuesday when the service was launched ?
So where is this e-mail list sign up web form being processed this time ?
It appears to be handled by:
Using SSL ok.
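The question of where a sign-up form is processed, and whether it travels encrypted, can be checked mechanically. The following is an added example, not code from the original post: it parses a page's forms, resolves each action against the page URL, and reports scheme and host. The sample HTML, the URL paths and the lists.example.com host are constructed for illustration and do not reproduce the real MI5 page.

```python
# Added example: the HTML and URL paths below are constructed for illustration.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormActionParser(HTMLParser):
    """Collect the action attribute of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # A missing action means the form posts back to the page URL.
            self.actions.append(dict(attrs).get("action") or "")


def audit_forms(page_url, html):
    """Return one finding per form: target host, encryption, third party."""
    parser = FormActionParser()
    parser.feed(html)
    page_host = urlsplit(page_url).hostname
    findings = []
    for action in parser.actions:
        target = urlsplit(urljoin(page_url, action))
        findings.append({
            "target_host": target.hostname,
            "encrypted": target.scheme == "https",
            "third_party": target.hostname != page_host,
        })
    return findings


# Constructed sample page: three forms with different destinations.
SAMPLE_PAGE_URL = "https://www.mi5.gov.uk/signup"  # hypothetical path
SAMPLE_HTML = """
<form method="post" action="https://mi5.h0st.biz/subscribe">
  <input name="email"><input type="submit" value="Subscribe">
</form>
<form method="post" action="http://lists.example.com/join">
  <input name="email">
</form>
<form method="post"><input name="q"></form>
"""

if __name__ == "__main__":
    for finding in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(finding)
```

A form on an HTTPS page can still post in clear text or to another organisation's server, so the address bar alone does not settle either question.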
The domain name does not inspire much confidence or trust, as the substitution of the number Zero "0" for the letter "O" in the name "host", makes it look like the sort of domain name used for spamming or phishing attacks !
However the whois information says:
Xwhois query for h0st.biz...
Results returned from whois.biz:
Domain Name: H0ST.BIZ
Registrant Name: Guy Marson
Registrant Organization: Mailtrack
Registrant Address1: 2nd Fl King House
Registrant Address2: 5-11 Westbourne Grove
Registrant City: London
Registrant State/Province: London
Registrant Postal Code: W2 4UA
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.448707420558
Registrant Email: email@example.com
Technical Contact ID: DOT-EJVGCCA772BA
Technical Contact Name: Guy Marson
Technical Contact Organization: Mailtrack
Technical Contact Address1: 2nd Fl King House
Technical Contact Address2: 5-11 Westbourne Grove
Technical Contact City: London
Technical Contact State/Province: London
Technical Contact Postal Code: W2 4UA
Technical Contact Country: Great Britain (UK)
Technical Contact Country Code: GB
Technical Contact Phone Number: +44.8707420558
Technical Contact Email: firstname.lastname@example.org
Name Server: ELROND.MAILTRACK.COM
Name Server: ARWEN.MAILTRACK.COM
Name Server: CIRDAN.MAILTRACK.COM
Created by Registrar: DOTSTER
Last Updated by Registrar: DOTSTER
Domain Registration Date: Thu Jul 10 16:54:37 GMT 2003
Domain Expiration Date: Wed Jul 09 23:59:59 GMT 2008
Domain Last Updated Date: Mon May 08 19:51:18 GMT 2006
So the h0st.biz domain name has been around since 2003.
The traceroute information shows that
16 109 109 109 18.104.22.168 ae-0-25.br1.tclon.uk.easynet.net
17 109 110 110 22.214.171.124 fe1-1-0.ar0.rblon.uk.easynet.net
18 114 114 114 126.96.36.199 fa0-0.cr0.rblon.uk.easynet.net
19 110 110 109 188.8.131.52 merry-3.mailtrack.com
IP address: 184.108.40.206
Host name: mi5.h0st.biz
is hosted on a MailTrack.com machine,
IP address: 220.127.116.11
Host name: merry-3.mailtrack.com
with Easynet as the ISP.
Note the Lord of the Rings character names for the Mailtrack machines e.g. Merry, Elrond, Arwen, Cirdan etc.
At least Easynet and MailTrack are companies based here in the United Kingdom, so that is an improvement on the previous situation, where the web script was running on a server in the USA.
Why this software cannot be hosted on a secure UK Government server is still a mystery.
The https://mi5.h0st.biz webserver banners claim that it is running on:
Server: Apache/1.3.28 (Linux/SuSE) mod_ssl/2.8.15 OpenSSL/0.9.7b PHP/4.3.3
X-Powered-By: PHP/4.3.3
Obviously https://mi5.h0st.biz has a Digital Certificate installed, but a very recent one indeed !
The Digital Certificate is a "wild card" one, issued to be valid for all *.h0st.biz domains for MailTrack Ltd by www.DigiCert.com (a US based Certification Authority), which is itself certified by the Canadian Entrust Certificate hierarchy.
This is no worse than the existing Verisign issued Digital Certificate being used by the www.mi5.gov.uk website itself, and it does mean that it is accepted by most web browser software.
(11/01/2007 00:00:00 GMT)
Perhaps somebody in the UK Government is actually reading Spy Blog after all 8-)
Subscribing to the modified MI5 website news e-mail list:
The link from the News page announcing the service on Tuesday now takes you to the SSL page.
Filling in your name, surname and email address as before, and clicking on the Subscribe button, now takes you to:
MI5 E-Mail Lists - Subscription Verification
Thank you for submitting a request to subscribe to our mailing list(s).
We will send you an e-mail in the next few days asking you to click on a link to verify your subscription request.
So there is now no longer an online subscription verification system, such as the WhatCounts.com service which was being used previously.
It is unclear if there is now always to be a delay, presumably for a manual check on e-mail list subscription requests, before you are added to the list, or if this is yet another temporary stage in a system which is still under development, after it has been launched with a fanfare of publicity.
It is unclear what the status is of the subscriptions which have been made between Tuesday and Saturday, on the old, as launched system - will everyone have to re-subscribe ?
Have all copies of the data, and any log files associated with the subscription process in the USA been securely destroyed ?
It remains to be seen if an email from the suspiciously named "mi5.h0st.biz" domain name actually triggers people's software or human email spam or phishing attack filters.
We hope that such emails are actually sent from a *.gsi.gov.uk email address, i.e. via the UK Government Secure Intranet gateways to the Internet, like most other Central UK Government Department emails are, something which requires at least a "sanity check" by independent Government IT Security people.
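The kind of heuristic that could make a filter react to the zero-for-"O" substitution in "h0st" is sketched below. It is an added example, not code from the original post or from any real filter: a label is flagged only when swapping its digits for look-alike letters produces a known word. The substitution table, the word list and the MAX_DIGITS limit are small constructed assumptions.

```python
# Added example: the substitution table and word list are constructed samples,
# not taken from any real spam or phishing filter.
import itertools

# Digits commonly used in place of letters in lookalike names.
DIGIT_TO_LETTERS = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t"}

# Tiny illustrative dictionary; a real filter would use a large word or brand list.
KNOWN_WORDS = {"host", "mail", "bank", "secure", "login", "pay"}

# Skip labels with many digits so the number of variants stays small.
MAX_DIGITS = 6


def letter_variants(label):
    """Yield every spelling of label with its digits swapped for letters."""
    choices = [DIGIT_TO_LETTERS.get(ch, ch) for ch in label]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def lookalike_labels(hostname):
    """Return {label: word} for labels that become a known word only
    after digit-for-letter substitution."""
    hits = {}
    for label in hostname.lower().rstrip(".").split("."):
        digits = sum(ch.isdigit() for ch in label)
        if digits == 0 or digits > MAX_DIGITS:
            continue
        for candidate in letter_variants(label):
            if candidate in KNOWN_WORDS:
                hits[label] = candidate
                break
    return hits


if __name__ == "__main__":
    for name in ("mi5.h0st.biz", "www.mi5.gov.uk", "merry-3.mailtrack.com"):
        print(name, lookalike_labels(name))
```

The "mi5" label contains a digit too, but its substituted form is not a known word, so only "h0st" is reported.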
We would still like to know who exactly ordered the MI5 e-mail subscription service to go live on Tuesday, in such obvious haste, without proper testing and security and privacy sanity checks.
Was it a civil servant, or a spin doctor or a Labour politician ?