Police penalty-payment website makes amateurish coding errors

Fixed penalty fines, the scourge of many a motorist. Parking on a double-yellow line, speeding, not wearing a seatbelt – whatever the cause, the result is the same. The recipient of the ticket has to pay the fine, normally by following the URL printed on the back.

In a case recently reported to the Naked Security team, following the URL leads to a web page claiming to be Central Accounting Office Electronic Information Service for Her Majesty’s Court Service (HMCS).

Central Accounting Office Electronic Information Service web page

As you can see, the page is not secure (it does not need to be). It simply provides a link through to the secure site where payment can be made.

Unfortunately, following that link (in Firefox) results in a warning page being displayed to the user for most popular browsers.

The payment page is using SSL, so what is the problem? Well, unfortunately, the certificate being used on secure.informcommunications.plc.uk has actually been issued for *.latestinfo.co.uk.

This discrepancy is what causes the above browser warnings. (Google have posted an excellent description of the various website security indicators and what they actually mean.)

In this case the problem is not caused by any malicious activity. Instead human error appears to be the culprit. Both sites (latestinfo.co.uk and informcommunications.plc.uk) actually resolve to the same IP. The problem appears to be that the link to the payment page uses the incorrect domain name.

This is supported by one of the other pages I found on the site – a page used for Met Police payments. Looking at the source code for the page you can see that a link to a payments page on informcommunications.plc.uk has been commented, replaced by one referencing latestinfo.co.uk.

Given the sites resolve to the same IP, the links actually point to the same page. With the current certificate however, the secure.informcommunications.plc.uk link will unfortunately generate the warnings.

So, what should users do when confronted with these browser warnings? Personally, I think they should follow the advice given, and proceed no further. They should report the site appropriately, such that the problem can be fixed. Even though bypassing the warnings in this example would be perfectly safe, that is not what users should be encouraged to do.

Browser warnings like these are great – a really useful tool for users to be alerted to potentially malicious activity. Legitimate organisations really should test their systems more thoroughly to ensure good practice has been followed, and the user experience is seamless.

Shout out to Naked Security reader JM from London for the tip.

police image courtesy of Shutterstock