« Home Secretary John Reid's webchat transcript | Main | Chris Lighfoot - the good die young »

Is the MI5 email subscription list system now working as it should have done when launched ?

The MI5 website email subscription list system seems to have been re-vamped, again, with some considerable improvements.

The Intelligence and Security Committee of Parliament have looked into the affair, in so far as it is within their narrow remit, and seem to have been assured that the initially improved system is working ok.

The Information Commissioner's Office is currently investigating the data protection aspects of the original system, which we believe did breach the Data Protection Act.

Which Home Office politician or spin doctor or MI5 Security Service civil servant is willing to admit that they made a mistake with the original launch of this email alert subscription service ?

48 days after we registered on the "improved system", we finally got our "wait a few days" email list subscription confirmation emails, sent from this mailserver - pd110.fwdto.net

The fwdto.net domain name is registered to the UK based email specialist company Mailtrack who have been handling these email list subscriptions.

The email contains a https:// SSL or TLS encrypted session link, for you to confirm your email list subscription.

Similarly, if you now sign up for one or both of the available email list subscriptions, either for MI5 website news or for the Terrorism Alert Status changes, the script which handles the email list subscription form, is also handled on lists.mi5.gov.uk, rather than on www.mi5.gov.uk as previously.

The form itself does make it plainer that the "first name" and "last name" fields are optional, although, of course, this does not hide your name if your email address is like tony.blair@pm.gov.uk etc.

This use of an actual *.mi5.gov.uk domain name is a big improvement over the previous use of one of Mailtrack's other domain names, to run the email list scripts, which looked like a "phishing" website i.e. mi5.h0st.biz

Although the confirmation web page (served via https://www.mi5.gov.uk) still says that you will be sent a confirmation URL via email in "a few days", the system seems to respond almost immediately.

lists.mi5.gov.uk seems to be running Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.7e webserver software, and shares the same IP address as the mailserver pd110.fwdto.net.

This IP address is part of a Class C subnet allocated to Mailtrack, by Euroconnex

Euroconnex LLP, based in Maidenhead, have Network Operating Centres in London and in Budapest, but this should not count against them too much, as British Telecom or Cable & Wireless and Easynet all have foreign based NOCs as well.

In theory the Euroconnex NOC in Budapest could snoop on the UK based routers, for network management purposes, or in a failover redundancy disaster recovery situation, could copy all the traffic to and from lists.mi5.gov.uk. This could, perhaps, be exploited by foreign intelligence agencies or hackers, but then so could any other commercial, multinational, Internet Service Provider.

At least the European Union data protection laws apply to all the internet servers and routers which are being used in the email list signup and verification process.

The DIgitial Certificate for the old mi5.h0st.biz server expired on 20th February 2007, and has been extended with another DigiCert certificate valid until 20 February 2009.

The Digital Certificate for lists.mi5.gov.uk is also valid for a similar period until 20 February 2009, however it is a Versign certificate, similar to, but not quite the same as the one used for www.mi5.gov.uk.

CN = lists.mi5.gov.uk
OU = Member, VeriSign Trust Network
OU = Authenticated by VeriSign
OU = Terms of use at www.verisign.co.uk/rpa (c)05
OU = Secretariat
O = MI5 Security Service
L = London
ST = United Kingdom
C = GB

A minor quibble is that this Verisign Class 3 root Certificate Authority may not be present by default in all browsers, and so may throw up warning errors, as it does, for example in Firefox.

Given the infrequency of the email alerts, either about new items on the MI5 website, or in changes to the Terrorism Alert Level, most people will probably not bother to un-subscribe from the lists.

Unsubscription emails provide a link which is not encrypted and which runs its scripts on mi5gov-t.fwdto.net, which shares its IP address with pd30.fwdto.net

Hopefully the un-subscription unique code is sufficient to prevent any malicious mass or targeted un-subscription attacks on the system.

The clicking on the un-subscription link takes you to an un-subscribe form (just a button to click) on the SSL encrypyed lists.mi5.gov.uk, which has some mixed content i.e. an unencrypted stylesheet, being pulled from the suspiciously named url.traq.it. Thankfully this does not appear to be a third party webbug tracking system in Italy, but points to another Mailtrack server in the UK.

Hopefully neither mi5gov-t.fwdto.net nor any other servers exposed to the internet on the same subnet are also acting as the backend database server(s) holding all the email list details, and therefore possibly vulnerable to denial of service or penetration attempts via the internet.

At least the Mailtrack.com DNS servers are now on a different subnet (and ISP) from that of the machines which handle the MI5 email subscription list processes.

Overall, the use of the lists.mi5.gov.uk domain name with a Digital Certificate is a big improvement, in terms of a trusted brand name, and processing within the United Kingdom, compared with the obviously rushed service as originally launched on Tuesday 9th January or even with the improved version unveiled on Friday 12th January 2007.


Not sure I can comment on much of what you have written but I did recieve an email update from MI5 today about the release of 268 historic Security Service files have been released today by the National Archives. ;)


Post a comment